From 3fcae77bc3231baab7017eee00d81e743f8c8374 Mon Sep 17 00:00:00 2001
From: Rob White
Date: Sat, 23 Sep 2023 23:31:48 +1000
Subject: [PATCH 1/2] feat: Allow CloudTrail logs to be SSE-S3 encrypted
---
 modules/cloudtrail-baseline/main.tf | 3 ++-
 modules/cloudtrail-baseline/variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/cloudtrail-baseline/main.tf b/modules/cloudtrail-baseline/main.tf
index 67c83d7..0d81a32 100644
--- a/modules/cloudtrail-baseline/main.tf
+++ b/modules/cloudtrail-baseline/main.tf
@@ -184,6 +184,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
 }
 
 resource "aws_kms_key" "cloudtrail" {
+ count = var.cloudtrail_kms_customer_managed || var.cloudtrail_sns_topic_enabled ? 1 : 0
 description = "A KMS key to encrypt CloudTrail events."
 deletion_window_in_days = var.key_deletion_window_in_days
 enable_key_rotation = "true"
@@ -237,7 +238,7 @@ resource "aws_cloudtrail" "global" {
 include_global_service_events = true
 is_multi_region_trail = true
 is_organization_trail = var.is_organization_trail
- kms_key_id = aws_kms_key.cloudtrail.arn
+ kms_key_id = var.cloudtrail_kms_customer_managed ? aws_kms_key.cloudtrail.arn : null
 s3_bucket_name = var.s3_bucket_name
 s3_key_prefix = var.s3_key_prefix
 sns_topic_name = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0].arn : null
diff --git a/modules/cloudtrail-baseline/variables.tf b/modules/cloudtrail-baseline/variables.tf
index 062143a..2016b45 100644
--- a/modules/cloudtrail-baseline/variables.tf
+++ b/modules/cloudtrail-baseline/variables.tf
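Review bot: `kms_key_id = var.cloudtrail_kms_customer_managed ? aws_kms_key.cloudtrail.arn : null` still addresses the key as a single instance, but the first hunk gives `aws_kms_key.cloudtrail` a `count`, so Terraform will refuse the plan with an error along the lines of "Because aws_kms_key.cloudtrail has "count" set, its attributes must be accessed on specific instances" — the module is unusable in either mode until this is fixed. The line should read `kms_key_id = var.cloudtrail_kms_customer_managed ? aws_kms_key.cloudtrail[0].arn : null`. The same `[0]` index is presumably needed on every other reference to this key in the module (a key alias, the SNS topic's `kms_master_key_id`, any grant or policy attachment), which lie outside these hunks; a `terraform validate` run would confirm nothing was missed. The count line would also benefit from a comment such as `# Key is still created when only SNS is enabled; the trail itself then stays on SSE-S3` so the deliberate asymmetry is not mistaken for a bug. Both resource blocks continue outside the hunks.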
@@ -57,6 +57,12 @@ variable "permissions_boundary_arn" {
 default = ""
 }
 
+variable "cloudtrail_kms_customer_managed" {
+ description = "Whether to use SSE-KMS encryption for CloudTrail logs KMS encryption type. With this variable set false, CloudTrail logs are encrypted with SSE-S3SSE-KMS creates a customer managed key. SSE-S3 is AWS managed but incurs no cost. Note that if SNS is enabled, a KMS key will be created for that topic regardless of this variable option."
+ type = bool
+ default = true
+}
+
 variable "key_deletion_window_in_days" {
 description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days."
 type = number
From 428776856d2b014e12f692b4615c15ba4e4f9005 Mon Sep 17 00:00:00 2001
From: Rob White
Date: Sat, 30 Sep 2023 11:04:34 +1000
Subject: [PATCH 2/2] Update doc string
---
 modules/cloudtrail-baseline/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cloudtrail-baseline/variables.tf b/modules/cloudtrail-baseline/variables.tf
index 2016b45..eb54cca 100644
--- a/modules/cloudtrail-baseline/variables.tf
+++ b/modules/cloudtrail-baseline/variables.tf
@@ -58,7 +58,7 @@ variable "permissions_boundary_arn" {
 }
 
 variable "cloudtrail_kms_customer_managed" {
- description = "Whether to use SSE-KMS encryption for CloudTrail logs KMS encryption type. With this variable set false, CloudTrail logs are encrypted with SSE-S3SSE-KMS creates a customer managed key. SSE-S3 is AWS managed but incurs no cost. Note that if SNS is enabled, a KMS key will be created for that topic regardless of this variable option."
+ description = "Whether to use SSE-KMS encryption for CloudTrail logs KMS encryption type. With this variable set false, CloudTrail logs are encrypted with SSE-S3. SSE-S3 is AWS managed and incurs no cost. Note that if SNS is enabled, a customer managed KMS key will be created for that topic regardless of this variable option."
 type = bool
 default = true
 }
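Review bot: The rewritten description documents the cost trade-off of `cloudtrail_kms_customer_managed = false` but not the security one, which is the reason this module defaulted to a customer-managed key in the first place: with SSE-S3 a principal needs only `s3:GetObject` on the log bucket to read the trail, whereas SSE-KMS additionally requires `kms:Decrypt` on the key, and benchmark checks that require CloudTrail logs to be encrypted with a KMS CMK (the CIS AWS Foundations Benchmark has such a control) will flag the trail. Suggest appending to the description: `Setting this to false removes the kms:Decrypt requirement for reading the log files and will fail compliance checks that require CloudTrail logs to be encrypted with a KMS CMK; keep the default unless the KMS cost is prohibitive.` The opening sentence also reads awkwardly; `Whether to encrypt CloudTrail log files with a customer managed KMS key (SSE-KMS).` says the same thing more plainly. The variable block is fully inside the hunk.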