| aws_account_id |
The AWS Account ID number of the account. |
string |
yes |
| region |
The AWS region in which CloudTrail is set up. |
string |
yes |
| s3_bucket_name |
The name of the S3 bucket which will store configuration snapshots. |
string |
yes |
| cloudtrail_depends_on |
External resources which should be set up before CloudTrail. |
list(any) |
no |
| cloudtrail_name |
The name of the trail. |
string |
no |
| cloudtrail_sns_topic_enabled |
Specifies whether the trail is delivered to a SNS topic. |
bool |
no |
| cloudtrail_sns_topic_name |
The SNS topic linked to the CloudTrail |
string |
no |
| cloudwatch_logs_enabled |
Specifies whether the trail is delivered to CloudWatch Logs. |
bool |
no |
| cloudwatch_logs_group_name |
The name of CloudWatch Logs group to which CloudTrail events are delivered. |
string |
no |
| cloudwatch_logs_retention_in_days |
Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. |
number |
no |
| dynamodb_event_logging_tables |
The list of DynamoDB table ARNs on which to enable event logging. |
list(string) |
no |
| iam_role_name |
The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. |
string |
no |
| iam_role_policy_name |
The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. |
string |
no |
| is_organization_trail |
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. |
bool |
no |
| key_deletion_window_in_days |
Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. |
number |
no |
| lambda_invocation_logging_lambdas |
The list of lambda ARNs on which to enable invocation logging. |
list(string) |
no |
| permissions_boundary_arn |
The permissions boundary ARN for all IAM Roles, provisioned by this module |
string |
no |
| s3_key_prefix |
The prefix for the specified S3 bucket. |
string |
no |
| s3_object_level_logging_buckets |
The list of S3 bucket ARNs on which to enable object-level logging. |
list(string) |
no |
| tags |
Specifies object tags key and value. This applies to all resources created by this module. |
map(string) |
no |