# Shared values for the CloudTrail delivery bucket.
locals {
  # S3 bucket names are global across all AWS accounts, so this must be unique.
  # The same name is reused in the bucket policy's Resource ARNs below.
  head_cloudtrail_s3_bucket_name = "com.example.head.cloudtrail"
}
- data "aws_caller_identity" "current" {}
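# CloudTrail for the "head" account, delivering to the shared bucket below.
resource "aws_cloudtrail" "head_cloudtrail" {
  name           = "tf-head-cloudtrail"
  s3_bucket_name = aws_s3_bucket.head_cloudtrail_s3.id
  # The bucket policy only grants s3:PutObject under "head/AWSLogs/...". With an
  # empty prefix CloudTrail writes to "AWSLogs/..." instead, and trail creation
  # fails the bucket-policy check. The prefix must match the policy's paths.
  s3_key_prefix = "head"

  is_multi_region_trail         = true
  is_organization_trail         = true
  include_global_service_events = true
  enable_logging                = true
  # Digest files let auditors detect log files that were modified or deleted
  # after delivery.
  enable_log_file_validation = true

  # NOTE(review): an organization trail also delivers member-account logs under
  # "<prefix>/AWSLogs/<organization-id>/..."; the bucket policy must grant that
  # path too — confirm against the CloudTrail documentation.
  # NOTE(review): no kms_key_id is set, so log objects rely on S3's default
  # encryption — confirm this meets the intended control.

  # CloudTrail validates the bucket policy when the trail is created, so the
  # trail has to wait for the policy resource. The bucket itself is already an
  # implicit dependency through the s3_bucket_name reference.
  depends_on = [
    aws_s3_bucket_policy.head_cloudtrail_s3_policy
  ]
}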
# Delivery bucket for CloudTrail logs (shared by the head and prod trails per
# the bucket policy).
# NOTE(review): no server_side_encryption_configuration and no access logging
# are declared here; for an audit-log bucket consider both.
# NOTE(review): inline `acl` and `versioning` arguments are deprecated in AWS
# provider v4+ in favour of aws_s3_bucket_acl / aws_s3_bucket_versioning —
# confirm the provider version pinned for this module.
resource "aws_s3_bucket" "head_cloudtrail_s3" {
  bucket = local.head_cloudtrail_s3_bucket_name
  acl    = "private"
  versioning {
    # With versioning off, an overwritten or deleted log object leaves no
    # prior version behind. Versioning (plus Object Lock or MFA delete) is
    # the usual tamper-resistance control for CloudTrail buckets.
    enabled = false
  }
  # Refuse to destroy the bucket while it still holds log objects.
  force_destroy = false
}
# Block every form of public access to the log bucket: public ACLs and public
# bucket policies are rejected, existing public ACLs are ignored, and
# cross-account access via a public policy is refused.
resource "aws_s3_bucket_public_access_block" "head_cloudtrail_s3_access" {
  bucket                  = aws_s3_bucket.head_cloudtrail_s3.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Grants the CloudTrail service the two permissions it needs on the delivery
# bucket: reading the bucket ACL and writing log objects under fixed paths.
# NOTE(review): the Resource list covers only head/AWSLogs/<this account>/* and
# prod/AWSLogs/<prod account>/*. Because head_cloudtrail is an organization
# trail, CloudTrail also writes under head/AWSLogs/<organization-id>/...;
# without that path the trail fails its bucket-policy check — confirm and add.
# NOTE(review): "1234556788976" has 13 digits, but AWS account IDs have 12, so
# the prod path as written cannot match a real delivery path — verify the
# intended account ID.
# NOTE(review): the Resource paths limit which account prefixes can be written,
# but AWS also recommends an aws:SourceArn condition naming the trail ARN(s) so
# only the intended trails can use this bucket.
resource "aws_s3_bucket_policy" "head_cloudtrail_s3_policy" {
  bucket = aws_s3_bucket.head_cloudtrail_s3.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${local.head_cloudtrail_s3_bucket_name}"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::${local.head_cloudtrail_s3_bucket_name}/head/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
        "arn:aws:s3:::${local.head_cloudtrail_s3_bucket_name}/prod/AWSLogs/1234556788976/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
POLICY
  # Redundant: the `bucket` reference above already orders this resource after
  # the bucket.
  depends_on = [
    aws_s3_bucket.head_cloudtrail_s3
  ]
}