wandb · shivawandb · Feb 6, 2025 · Feb 6, 2025
diff --git a/main.tf b/main.tf
@@ -43,6 +43,22 @@ locals {
   main_bucket_name  = var.bucket_name != "" ? var.bucket_name : module.file_storage.bucket_name
 }
 
+module "cloudtrail" {
+  source = "./modules/cloudtrail"
+
+  # Required Variables
+  namespace              = var.namespace
+  cloudtrail_bucket_name = var.cloudtrail_bucket_name
+  force_destroy          = var.force_destroy
+  log_lifecycle          = var.log_lifecycle
+
+  # Optional Variables with Defaults
+  include_global_service_events = var.include_global_service_events
+  multi_region_trail            = var.multi_region_trail
+  enable_log_file_validation    = var.enable_log_file_validation
+  tags                          = var.tags
+}
+
 module "networking" {
   source               = "./modules/networking"
   namespace            = var.namespace

diff --git a/modules/cloudtrail/main.tf b/modules/cloudtrail/main.tf
@@ -1,6 +1,6 @@
 # S3 Bucket for CloudTrail logs
 resource "aws_s3_bucket" "cloudtrail_logs" {
-  bucket        = "${var.namespace}-${var.cloudtrail_bucket_name}"
+  bucket        = var.cloudtrail_bucket_name
   force_destroy = var.force_destroy
 
   tags = merge(var.tags, { Name = "CloudTrailLogs" })
@@ -69,8 +69,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail_logs" {
     id     = "TransitionToGlacier"
     status = "Enabled"
 
-    filter {}
-
     transition {
       days          = var.log_lifecycle.transition_days
       storage_class = "GLACIER"
@@ -82,16 +80,16 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail_logs" {
   }
 }
 
-# CloudTrail Configuration
+# Single CloudTrail for the Account
 resource "aws_cloudtrail" "s3_event_logs" {
-  name                          = "${var.namespace}-s3-events-cloudtrail"
+  name                          = "deployments-cloudtrail"
   s3_bucket_name                = aws_s3_bucket.cloudtrail_logs.id
   include_global_service_events = var.include_global_service_events
   is_multi_region_trail         = var.multi_region_trail
   enable_log_file_validation    = var.enable_log_file_validation
 
   event_selector {
-    read_write_type           = "All" # Log both read and write events
+    read_write_type           = "All"
     include_management_events = true
 
     data_resource {
@@ -102,7 +100,13 @@ resource "aws_cloudtrail" "s3_event_logs" {
     }
   }
 
-  tags = merge(var.tags, { Name = "CloudTrail" })
+  tags = merge(var.tags, { Name = "SingleAccountCloudTrail" })
 
   depends_on = [aws_s3_bucket_policy.cloudtrail_logs]
 }
+
+# Log Separation by Namespace using S3 Prefixes
+resource "aws_s3_object" "namespace_prefix" {
+  bucket = aws_s3_bucket.cloudtrail_logs.id
+  key    = "${var.namespace}/"
+}
diff --git a/modules/cloudtrail/outputs.tf b/modules/cloudtrail/outputs.tf
@@ -1,19 +1,24 @@
-output "cloudtrail_bucket_name" {
-  description = "Name of the S3 bucket storing CloudTrail logs specific to S3 events"
-  value       = aws_s3_bucket.cloudtrail_logs.bucket
+output "s3_bucket_name" {
+  description = "The name of the S3 bucket used for CloudTrail logs"
+  value       = aws_s3_bucket.cloudtrail_logs.id
 }
 
-output "cloudtrail_bucket_arn" {
-  description = "ARN of the S3 bucket storing CloudTrail logs specific to S3 events"
+output "cloudtrail_name" {
+  description = "The name of the CloudTrail"
+  value       = aws_cloudtrail.single_trail.name
+}
+
+output "s3_bucket_arn" {
+  description = "The ARN of the S3 bucket storing CloudTrail logs"
   value       = aws_s3_bucket.cloudtrail_logs.arn
 }
 
-output "cloudtrail_name" {
-  description = "Name of the CloudTrail instance"
-  value       = aws_cloudtrail.s3_event_logs.name
+output "s3_bucket_policy" {
+  description = "The policy attached to the CloudTrail S3 bucket"
+  value       = aws_s3_bucket_policy.cloudtrail_logs.id
 }
 
-output "cloudtrail_arn" {
-  description = "ARN of the CloudTrail instance"
-  value       = aws_cloudtrail.s3_event_logs.arn
-}
+output "namespace_folder" {
+  description = "The namespace prefix created in the S3 bucket for this deployment"
+  value       = "s3://${aws_s3_bucket.cloudtrail_logs.id}/${var.namespace}/"
+}
diff --git a/modules/cloudtrail/variables.tf b/modules/cloudtrail/variables.tf
@@ -1,54 +1,47 @@
 variable "cloudtrail_bucket_name" {
-  description = "Name of the S3 bucket for storing CloudTrail logs specific to S3 events"
+  description = "The name of the S3 bucket for CloudTrail logs"
   type        = string
-  default     = "cloudtrail-s3-events-logs-bucket"
 }
 
-variable "multi_region_trail" {
-  description = "Enable multi-region CloudTrail logging"
-  type        = bool
-  default     = true
-}
-
-variable "include_global_service_events" {
-  description = "Include global service events in CloudTrail logs"
-  type        = bool
-  default     = true
-}
-
-variable "enable_log_file_validation" {
-  description = "Enable CloudTrail log file validation"
+variable "force_destroy" {
+  description = "Flag to determine if the bucket should be forcefully deleted"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "log_lifecycle" {
-  description = "Configuration for lifecycle policies on the CloudTrail logs bucket"
+  description = "Lifecycle configuration for CloudTrail logs"
   type = object({
     transition_days = number
     expiration_days = number
   })
-  default = {
-    transition_days = 90
-    expiration_days = 730
-  }
 }
 
-variable "force_destroy" {
-  description = "Whether to allow a force destroy of the S3 bucket and its contents. You must set this to true and apply the change before destroying the module."
+variable "include_global_service_events" {
+  description = "Whether to include global service events in the CloudTrail"
   type        = bool
   default     = false
 }
 
-variable "tags" {
-  description = "Tags to apply to all resources"
-  type        = map(string)
-  default = {
-    Environment = "production"
-  }
+variable "multi_region_trail" {
+  description = "Whether to enable CloudTrail across multiple regions"
+  type        = bool
+  default     = true
+}
+
+variable "enable_log_file_validation" {
+  description = "Whether to enable log file validation in CloudTrail"
+  type        = bool
+  default     = true
 }
 
 variable "namespace" {
+  description = "The namespace for this specific deployment"
   type        = string
-  description = "(Required) The name prefix for all resources created."
+}
+
+variable "tags" {
+  description = "A map of tags to be applied to resources"
+  type        = map(string)
+  default     = {}
 }
diff --git a/variables.tf b/variables.tf
@@ -578,3 +578,50 @@ variable "kubernetes_cluster_oidc_issuer_url" {
   description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
   default     = ""
 }
+
+##########################################
+# Cloudtrail                             #
+##########################################
+
+variable "cloudtrail_bucket_name" {
+  description = "Name of the S3 bucket storing CloudTrail logs"
+  type        = string
+}
+
+variable "force_destroy" {
+  description = "Determines if the bucket should be forcefully deleted"
+  type        = bool
+  default     = false
+}
+
+variable "log_lifecycle" {
+  description = "Object containing transition and expiration days for logs"
+  type = object({
+    transition_days = number
+    expiration_days = number
+  })
+}
+
+variable "include_global_service_events" {
+  description = "Enable logging of global AWS service events"
+  type        = bool
+  default     = true
+}
+
+variable "multi_region_trail" {
+  description = "Enable CloudTrail across multiple regions"
+  type        = bool
+  default     = true
+}
+
+variable "enable_log_file_validation" {
+  description = "Enable CloudTrail log file validation"
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "Tags for CloudTrail resources"
+  type        = map(string)
+  default     = {}
+}