
Terraform module which creates CloudTrail resources on AWS.


Provisions a CloudTrail trail with the following recommended settings enabled by default:

  • Multi-region: the trail records events in all AWS regions, not only the region it is created in
  • Global service events: logs API calls to global services such as IAM, STS and CloudFront
  • Log file integrity validation: CloudTrail delivers signed digest files so tampering with or deleting delivered log files can be detected



Minimal

module "cloudtrail" {
  source         = "git::"
  name           = "default-trail"
  s3_bucket_name = "cloudtrail-bucket"
}


Complete

module "cloudtrail" {
  source         = "git::"
  name           = "default-trail"
  s3_bucket_name = "cloudtrail-bucket"

  # Shown only to illustrate the variables. Each defaults to true, and true is the
  # recommended value: the settings below stop log delivery, limit the trail to the
  # current region, drop IAM/STS/CloudFront events and disable integrity validation.
  enable_logging                = false
  is_multi_region_trail         = false
  include_global_service_events = false
  enable_log_file_validation    = false

  # Optional: also deliver events to CloudWatch Logs through a role CloudTrail assumes.
  cloud_watch_logs_role_arn  = "${module.iam_role.iam_role_arn}"
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.complete.arn}"

  tags = {
    Environment = "prod"
    Name        = "default-trail"
  }
}

resource "aws_cloudwatch_log_group" "complete" {
  name = "CloudTrail/logs"
}

module "iam_role" {
  source             = "git::"
  name               = "sending-cloudwatch-logs-for-cloudtrail"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
  policy             = "${data.aws_iam_policy_document.policy.json}"
  description        = "Send log events to CloudWatch Logs from CloudTrail"
}

# Omitted below.



Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Specifies the name of the trail. | string | - | yes |
| s3_bucket_name | Specifies the name of the S3 bucket designated for publishing log files. | string | - | yes |
| cloud_watch_logs_group_arn | Specifies the CloudWatch Logs log group to deliver events to, as an Amazon Resource Name (ARN). | string | `""` | no |
| cloud_watch_logs_role_arn | Specifies the IAM role that the CloudWatch Logs endpoint assumes to write to the log group. | string | `""` | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. | string | `true` | no |
| enable_logging | Enables logging for the trail. | string | `true` | no |
| include_global_service_events | Specifies whether the trail publishes events from global services such as IAM to the log files. | string | `true` | no |
| is_multi_region_trail | Specifies whether the trail is created in the current region only or in all regions. | string | `true` | no |
| is_organization_trail | Whether the trail is an AWS Organizations trail. | bool | `false` | no |
| tags | A mapping of tags to assign to the trail. | map | `{}` | no |
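As a post-apply check on the recommended settings above, the following is an added example and not part of this module: it audits the JSON returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <trail>` against the module's defaults. The sample responses, account id and trail ARNs are constructed for the example; the mapping from module variables to API fields is given in the comments.

```python
"""Audit CloudTrail trails against the settings this module enables by default.

Added example, not part of the tmknom/terraform-aws-cloudtrail module. Input is the JSON
from `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`, so it runs
offline; the sample responses below are constructed, not captured from a real account.
"""
import json
from typing import Dict, List, Set

# DescribeTrails fields that correspond to the module's inputs (all default to true).
RECOMMENDED: Dict[str, bool] = {
    "IsMultiRegionTrail": True,          # is_multi_region_trail
    "IncludeGlobalServiceEvents": True,  # include_global_service_events
    "LogFileValidationEnabled": True,    # enable_log_file_validation
}
# enable_logging is not visible in DescribeTrails; it maps to GetTrailStatus.IsLogging.

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "default-trail",
            "S3BucketName": "cloudtrail-bucket",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": True,
            "HomeRegion": "ap-northeast-1",
            "TrailARN": "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/default-trail",
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": False,
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "cloudtrail-bucket",
            "IncludeGlobalServiceEvents": False,
            "IsMultiRegionTrail": False,
            "HomeRegion": "ap-northeast-1",
            "TrailARN": "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/legacy-trail",
            "LogFileValidationEnabled": False,
            "IsOrganizationTrail": False,
        },
    ]
})

# Constructed sample in the shape of `aws cloudtrail get-trail-status`, keyed by trail ARN.
SAMPLE_TRAIL_STATUS: Dict[str, str] = {
    "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/default-trail": json.dumps({"IsLogging": True}),
    "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/legacy-trail": json.dumps({"IsLogging": False}),
}


def audit_trail(trail: dict, status: dict) -> List[str]:
    """Return one finding per recommended setting the trail does not meet."""
    name = trail.get("Name") or trail.get("TrailARN", "<unknown>")
    findings: List[str] = []
    for key, want in RECOMMENDED.items():
        have = trail.get(key)
        if have is not want:
            findings.append(f"{name}: {key}={have!r}, expected {want!r}")
    if status.get("IsLogging") is not True:
        findings.append(f"{name}: IsLogging={status.get('IsLogging')!r}, expected True")
    return findings


def audit_account(describe_trails_json: str, status_json_by_arn: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every trail in a describe-trails response; returns {trail name: [findings]}.

    describe-trails lists a multi-region trail once per region it is shadowed into,
    under the same TrailARN, so trails are deduplicated by ARN before auditing.
    """
    seen: Set[str] = set()
    report: Dict[str, List[str]] = {}
    for trail in json.loads(describe_trails_json)["trailList"]:
        arn = trail["TrailARN"]
        if arn in seen:
            continue
        seen.add(arn)
        status = json.loads(status_json_by_arn.get(arn, "{}"))
        report[trail["Name"]] = audit_trail(trail, status)
    return report


if __name__ == "__main__":
    for trail_name, trail_findings in audit_account(SAMPLE_DESCRIBE_TRAILS, SAMPLE_TRAIL_STATUS).items():
        print(trail_name, "OK" if not trail_findings else "\n  " + "\n  ".join(trail_findings))
```

Against the constructed samples, `default-trail` passes and `legacy-trail` produces four findings (region scope, global service events, log file validation and logging stopped). A missing status entry is reported as a logging finding rather than silently passing.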


Outputs

| Name | Description |
|------|-------------|
| cloudtrail_arn | The Amazon Resource Name of the trail. |
| cloudtrail_home_region | The region in which the trail was created. |
| cloudtrail_name | The name of the trail. |



Configure environment variables

The examples are applied in the region named here; the multi-region trail still records events from all regions.

export AWS_DEFAULT_REGION=ap-northeast-1


git clone git@github.com:tmknom/terraform-aws-cloudtrail.git
cd terraform-aws-cloudtrail
make install

Makefile targets

check-format                   Check format code
cibuild                        Execute CI build
clean                          Clean .terraform
docs                           Generate docs
format                         Format code
help                           Show help
install                        Install requirements
lint                           Lint code
release                        Release GitHub and Terraform Module Registry
terraform-apply-complete       Run terraform apply examples/complete
terraform-apply-minimal        Run terraform apply examples/minimal
terraform-destroy-complete     Run terraform destroy examples/complete
terraform-destroy-minimal      Run terraform destroy examples/minimal
terraform-plan-complete        Run terraform plan examples/complete
terraform-plan-minimal         Run terraform plan examples/minimal
upgrade                        Upgrade makefile

Releasing new versions

Bump VERSION file, and run make release.

Terraform Module Registry


Apache 2 Licensed. See LICENSE for full details.