SEC-543 add Cloudwatch logging

wesleung · wesleung · commit 3b45e1334440 · 2023-01-13T12:48:47.000-08:00
diff --git a/cloudtrail.tf b/cloudtrail.tf
@@ -12,6 +12,7 @@ module "cloudtrail" {
   name                              = var.cloudtrail_name
   enable_log_file_validation        = var.cloudtrail_enable_log_file_validation
   enable_logging                    = var.cloudtrail_enable_logging
+  cloud_watch_logs                  = var.cloudtrail_enable_cloudwatch_logs
   include_global_service_events     = var.cloudtrail_include_global_service_events
   insight_selector                  = var.cloudtrail_insight_selector
   is_multi_region_trail             = var.cloudtrail_is_multi_region_trail
diff --git a/modules/cloudtrail/main.tf b/modules/cloudtrail/main.tf
@@ -26,12 +26,13 @@
 #tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption
 module "cloudtrail" {
   #ts:skip=AC_AWS_0448 Multi Region is enabled. Not work with Org?
-  #source  = "appzen-oss/cloudtrail/aws"
-  source  = "../../../terraform-aws-cloudtrail"
+  source  = "appzen-oss/cloudtrail/aws"
+  #source  = "../../../terraform-aws-cloudtrail"
   #version = "0.22.0"
 
   name                              = var.name
   enable_log_file_validation        = var.enable_log_file_validation
+  cloud_watch_logs                  = var.cloud_watch_logs
   include_global_service_events     = var.include_global_service_events
   is_multi_region_trail             = var.is_multi_region_trail
   is_organization_trail             = var.is_organization_trail
diff --git a/modules/cloudtrail/variables.tf b/modules/cloudtrail/variables.tf
@@ -11,6 +11,12 @@ variable "enable_logging" {
   default     = true
 }
 
+variable "cloud_watch_logs" {
+  description = "Enable cloudwatch logging for the trail"
+  type        = bool
+  default     = true
+}
+
 variable "include_global_service_events" {
   description = "Specifies whether the trail is publishing events from global services such as IAM to the log files"
   type        = bool
diff --git a/variables.tf b/variables.tf
@@ -327,6 +327,12 @@ variable "cloudtrail_enable_logging" {
   default     = true
 }
 
+variable "cloudtrail_enable_cloudwatch_logs" {
+  description = "Enable logging for the trail"
+  type        = bool
+  default     = true
+}
+
 variable "cloudtrail_include_global_service_events" {
   description = "Specifies whether the trail is publishing events from global services such as IAM to the log files"
   type        = bool
