{"id":19508799,"url":"https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket","last_synced_at":"2025-07-18T12:43:10.680Z","repository":{"id":43336716,"uuid":"189877703","full_name":"rhythmictech/terraform-aws-cloudtrail-bucket","owner":"rhythmictech","description":"Create and manage a bucket suitable for encrypted CloudTrail logging. Supports inbound logging from multiple accounts","archived":false,"fork":false,"pushed_at":"2024-06-14T22:26:34.000Z","size":50,"stargazers_count":4,"open_issues_count":4,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-04T07:11:14.029Z","etag":null,"topics":["aws","cloudtrail","terraform","terraform-module","terraform-modules"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/rhythmictech/cloudtrail-bucket/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rhythmictech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-02T17:51:30.000Z","updated_at":"2024-06-14T22:26:10.000Z","dependencies_parsed_at":"2024-06-14T23:40:21.328Z","dependency_job_id":"a01b2050-02d6-409d-a739-1833708789d0","html_url":"https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-cloudtrail-bucket","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-cloudtrai
l-bucket/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-cloudtrail-bucket/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-cloudtrail-bucket/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rhythmictech","download_url":"https://codeload.github.com/rhythmictech/terraform-aws-cloudtrail-bucket/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250926812,"owners_count":21509041,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudtrail","terraform","terraform-module","terraform-modules"],"created_at":"2024-11-10T23:09:56.182Z","updated_at":"2025-04-26T03:31:45.709Z","avatar_url":"https://github.com/rhythmictech.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
terraform-aws-cloudtrail-bucket\n\n[![tflint](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions/workflows/tflint.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)\n[![tfsec](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions/workflows/tfsec.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)\n[![yamllint](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions/workflows/yamllint.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)\n[![misspell](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions/workflows/misspell.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)\n[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions/workflows/pre-commit.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)\n![X (formerly Twitter) Follow](https://img.shields.io/twitter/follow/RhythmicTech)\n\nCreate and manage a bucket suitable for encrypted CloudTrail logging. 
Supports inbound logging from multiple accounts through the `allowed_account_ids` variable.\n\n## Usage\nTo create a bucket in this account that can be logged to from acct 12345678 and the current account:\n```\nmodule \"s3logging-bucket\" {\n  source = \"rhythmictech/s3logging-bucket/aws\"\n  version = \"v4.0.1\"\n}\n\n# in acct 23456789\nmodule \"cloudtrail-bucket\" {\n  source         = \"git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket\"\n\n  allowed_account_ids = [12345678, 123456781, 123456782, 123456783]\n  logging_bucket      = module.s3logging-bucket.s3logging_bucket_name\n  region              = var.region\n}\n\nmodule \"cloudtrail-logging\" {\n  source            = \"git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging\"\n  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name\n  kms_key_id        = module.cloudtrail-bucket.kms_key_id\n  region            = var.region\n}\n```\n\nThen in acct 12345678 and the other child accounts you can log back to the bucket like this:\n```\n# in acct 12345678\nmodule \"cloudtrail-logging\" {\n  source            = \"git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging\"\n  cloudtrail_bucket = \"23456789-us-east-1-cloudtrail\"\n  kms_key_id        = \"arn:aws:kms:us-east-1:23456789:key/a53f476a-e691-4d19-9003-202e6fb9c5b4\"\n  region            = var.region\n}\n```\n\nIn this diagram, Central Account is `23456789` from the example and Account A is `12345678`. 
Accounts B, C, and D would be other child accounts (`123456781, 123456782, 123456783`)\n```mermaid\ngraph TD\n    subgraph Central Account\n        S3((S3 Bucket))\n    end\n    \n    subgraph Account A\n        A[CloudTrail] --\u003e S3\n    end\n    \n    subgraph Account B  \n        B[CloudTrail] --\u003e S3\n    end\n    \n    subgraph Account C\n        C[CloudTrail] --\u003e S3\n    end\n    \n    subgraph Account D\n        D[CloudTrail] --\u003e S3\n    end\n```\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 4.48.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |\n| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |\n| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |\n| 
[aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |\n| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |\n| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.key_empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.key_merged_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.key_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_allowed_account_ids\"\u003e\u003c/a\u003e [allowed\\_account\\_ids](#input\\_allowed\\_account\\_ids) | Optional list of AWS Account IDs that are permitted to write to the bucket | `list(string)` | `[]` | no |\n| \u003ca name=\"input_bucket_name\"\u003e\u003c/a\u003e 
[bucket\\_name](#input\\_bucket\\_name) | Name of the S3 bucket to create. Defaults to {account\\_id}-{region}-cloudtrail. | `string` | `null` | no |\n| \u003ca name=\"input_lifecycle_rules\"\u003e\u003c/a\u003e [lifecycle\\_rules](#input\\_lifecycle\\_rules) | lifecycle rules to apply to the bucket | \u003cpre\u003elist(object(\u003cbr\u003e    {\u003cbr\u003e      id                            = string\u003cbr\u003e      enabled                       = optional(bool, true)\u003cbr\u003e      expiration                    = optional(number)\u003cbr\u003e      prefix                        = optional(number)\u003cbr\u003e      noncurrent_version_expiration = optional(number)\u003cbr\u003e      transition = optional(list(object({\u003cbr\u003e        days          = number\u003cbr\u003e        storage_class = string\u003cbr\u003e      })))\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e[\u003cbr\u003e  {\u003cbr\u003e    \"id\": \"expire-noncurrent-objects-after-ninety-days\",\u003cbr\u003e    \"noncurrent_version_expiration\": 90\u003cbr\u003e  },\u003cbr\u003e  {\u003cbr\u003e    \"id\": \"transition-to-IA-after-30-days\",\u003cbr\u003e    \"transition\": [\u003cbr\u003e      {\u003cbr\u003e        \"days\": 30,\u003cbr\u003e        \"storage_class\": \"STANDARD_IA\"\u003cbr\u003e      }\u003cbr\u003e    ]\u003cbr\u003e  },\u003cbr\u003e  {\u003cbr\u003e    \"expiration\": 2557,\u003cbr\u003e    \"id\": \"delete-after-seven-years\"\u003cbr\u003e  }\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_logging_bucket\"\u003e\u003c/a\u003e [logging\\_bucket](#input\\_logging\\_bucket) | S3 bucket with suitable access for logging requests to the cloudtrail bucket | `string` | n/a | yes |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Region to create KMS key in | `string` | n/a | yes |\n| \u003ca name=\"input_roles_allowed_kms_decrypt\"\u003e\u003c/a\u003e 
[roles\\_allowed\\_kms\\_decrypt](#input\\_roles\\_allowed\\_kms\\_decrypt) | Optional list of roles that have access to KMS decrypt and are permitted to decrypt logs | `list(string)` | `[]` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Mapping of any extra tags you want added to resources | `map(string)` | `{}` | no |\n| \u003ca name=\"input_versioning_enabled\"\u003e\u003c/a\u003e [versioning\\_enabled](#input\\_versioning\\_enabled) | Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated. | `bool` | `true` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_kms_key_id\"\u003e\u003c/a\u003e [kms\\_key\\_id](#output\\_kms\\_key\\_id) | KMS key used by cloudtrail |\n| \u003ca name=\"output_s3_bucket_arn\"\u003e\u003c/a\u003e [s3\\_bucket\\_arn](#output\\_s3\\_bucket\\_arn) | The ARN of the bucket |\n| \u003ca name=\"output_s3_bucket_name\"\u003e\u003c/a\u003e [s3\\_bucket\\_name](#output\\_s3\\_bucket\\_name) | The name of the bucket |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n## Related Projects\n* [CloudTrail Logging module](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging)\n* [S3 Logging Module](https://github.com/rhythmictech/terraform-aws-s3logging-bucket)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-cloudtrail-bucket","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frhythmictech%2Fterraform-aws-cloudtrail-bucket","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-cloudtrail-bucket/lists"}