Support an S3 bucket in a different account #245

Closed
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -70,6 +70,7 @@ No modules.
| key\_deletion\_window\_in\_days | Duration in days after which the key is deleted after destruction of the resource, must be 7-30 days. Default 30 days. | `string` | `30` | no |
| log\_retention\_days | Number of days to keep AWS logs around in specific log group. | `string` | `90` | no |
| org\_trail | Whether or not this is an organization trail. Only valid in master account. | `string` | `"false"` | no |
| s3\_bucket\_account\_id | (optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail. | `string` | `null` | no |
| s3\_bucket\_name | The name of the AWS S3 bucket. | `string` | n/a | yes |
| s3\_key\_prefix | S3 key prefix for CloudTrail logs | `string` | `"cloudtrail"` | no |
| sns\_topic\_arn | ARN of the SNS topic for notification of log file delivery. | `string` | `""` | no |
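Review bot: the s3_bucket_account_id description should say what the bucket-owning account still has to provide, because nothing in this PR touches the bucket side; the only behavioural change is the kms:CallerAccount condition in main.tf plus the new kms_key_arn output. Suggest extending the description along the lines of "Only include if the S3 bucket is in a different account than the CloudTrail. That account's bucket policy must still grant CloudTrail delivery to the prefix, and it can use the kms_key_arn output to reference the log encryption key." Without that, a reader will assume setting this one input is enough for cross-account delivery.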
Expand All @@ -83,6 +84,7 @@ No modules.
| cloudtrail\_arn | CloudTrail ARN |
| cloudtrail\_home\_region | CloudTrail Home Region |
| cloudtrail\_id | CloudTrail ID |
| kms\_key\_arn | KMS Key ARN |
<!-- END_TF_DOCS -->

## Developer Setup
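Review bot: the kms_key_arn row reads "KMS Key ARN" only, which is the same text as the output name and does not tell a caller when to use it. Since this output is added together with the cross-account bucket support, the README row (and the outputs.tf description it is generated from) should state that it is the key encrypting the trail's log files and that the bucket-owning account references it when s3_bucket_account_id is set.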
6 changes: 5 additions & 1 deletion main.tf
Expand Up @@ -7,6 +7,10 @@ data "aws_caller_identity" "current" {}
# The AWS partition (commercial or govcloud)
data "aws_partition" "current" {}

locals {
s3_bucket_account_id = var.s3_bucket_account_id != null ? var.s3_bucket_account_id : data.aws_caller_identity.current.account_id
}

#
# CloudTrail - CloudWatch
#
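Review bot: the `!= null` test in the local lets an empty string through. `s3_bucket_account_id = ""` is not null, so `""` ends up as the kms:CallerAccount value and the condition silently matches no caller at all. Terraform's `coalesce` skips both null and empty strings, so `s3_bucket_account_id = coalesce(var.s3_bucket_account_id, data.aws_caller_identity.current.account_id)` closes that gap and reads as the intent ("the bucket account, else this account").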
Expand Down Expand Up @@ -191,7 +195,7 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
condition {
test = "StringEquals"
variable = "kms:CallerAccount"
values = [data.aws_caller_identity.current.account_id]
values = [local.s3_bucket_account_id]
}

condition {
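Review bot: swapping `data.aws_caller_identity.current.account_id` for `local.s3_bucket_account_id` in the kms:CallerAccount condition replaces the trail's own account instead of adding to it, so whenever s3_bucket_account_id is set, principals in the account that runs the trail are no longer matched by this statement at all. If callers in the trail account still need this statement (for example to read their own logs through the key), list both accounts: `values = distinct([data.aws_caller_identity.current.account_id, local.s3_bucket_account_id])`. If dropping the local account is the intended behaviour, that is a change for existing users and belongs in the variable description and the changelog, not only in the diff.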
5 changes: 5 additions & 0 deletions outputs.tf
Expand Up @@ -12,3 +12,8 @@ output "cloudtrail_id" {
description = "CloudTrail ID"
value = aws_cloudtrail.main.id
}

output "kms_key_arn" {
description = "KMS Key ARN"
value = aws_kms_key.cloudtrail.arn
}
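Review bot: the description "KMS Key ARN" just repeats the output name. As this output is being added for the cross-account case, say what it is for, e.g. `description = "ARN of the KMS key encrypting the CloudTrail log files; reference it from the bucket-owning account when s3_bucket_account_id is set"`. The README table is generated from this string, so fixing it here fixes both.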
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -21,6 +21,12 @@ variable "s3_bucket_name" {
type = string
}

variable "s3_bucket_account_id" {
description = "(optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail."
default = null
type = string
}

variable "org_trail" {
description = "Whether or not this is an organization trail. Only valid in master account."
default = "false"
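Review bot: s3_bucket_account_id accepts any string, and whatever is passed lands unchecked in the KMS key policy's kms:CallerAccount condition, where a typo produces a policy that matches nothing rather than a plan-time error. Add a validation block to the variable: `condition = var.s3_bucket_account_id == null || can(regex("^[0-9]{12}$", var.s3_bucket_account_id))` with `error_message = "s3_bucket_account_id must be a 12-digit AWS account ID."`. The `== null` clause keeps the default working; `can(regex(...))` only needs to reference the variable itself, which is all a validation block may touch.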