[#316] Add Cloudtrail module as an optional module#318
[#316] Add Cloudtrail module as an optional module#318tung-nimblehq wants to merge 2 commits intofeature/316-add-vpc-flows-log-modulefrom
Conversation
tung-nimblehq
requested review from
andyduong1920,
bterone,
hoangmirs,
liamstevens111,
nvminhtue and
sanG-github
as code owners
| } | ||
|
|
||
| # trivy:ignore:AVD-AWS-0089 Access logging not required for CloudTrail log bucket | ||
| resource "aws_s3_bucket" "cloudtrail_logs" { |
There was a problem hiding this comment.
We are duplicating S3 code in a few modules. Should we adjust the current S3 module, or create a new S3 module that we can use for these purposes? What do you think?
There was a problem hiding this comment.
😅 I don’t think so, since this bucket is dedicated to CloudTrail logs, it’s quite different from a general S3 bucket. Adjusting or creating a new S3 module would require adding many new variables to adapt it and easily cause confusion. I think we should keep it under CloudTrail for easier management.
|
|
||
| # trivy:ignore:AVD-AWS-0136 No encryption for CloudTrail compatibility | ||
| # trivy:ignore:AVD-AWS-0095 No encryption for CloudTrail compatibility | ||
| resource "aws_sns_topic" "cloudtrail" { |
There was a problem hiding this comment.
Same for SNS, can we create a general SNS module and reuse here?
There was a problem hiding this comment.
Same as this one
it’s dedicated to the CloudTrail configuration. I’d prefer to keep it under CloudTrail rather than introduce new modules that can’t work independently.
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
b55003b to
73b05d7
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
f600b45 to
5f47bab
Compare
|
@hoangmirs Can you recheck it? 🙏 |
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
2625247 to
220e3c5
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
a512c22 to
c3b6064
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
220e3c5 to
c222713
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
2 times, most recently
from
7421b23 to
0a89c65
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
c222713 to
8f894f4
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
0a89c65 to
491687b
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
8f894f4 to
84a9710
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
491687b to
88243e5
Compare
.github/wiki/Security.md
Outdated
| - **CloudWatch integration**: Sends logs to CloudWatch for real-time monitoring and alerting | ||
| - **S3 storage**: Stores all CloudTrail logs securely in Amazon S3 with configurable key prefix organization | ||
| - **SNS notifications**: Integrates with SNS topics for immediate alerting on critical events | ||
| - **Insight events**: Captures unusual activity patterns like API call rate and error rate anomalies |
There was a problem hiding this comment.
Is Insight events overlapping with Comprehensive event logging?
|
|
||
| - **Comprehensive event logging**: Captures management events, data events, and insight events based on configuration | ||
| - **Multi-region support**: Can be configured to log events across all AWS regions for complete visibility | ||
| - **CloudWatch integration**: Sends logs to CloudWatch for real-time monitoring and alerting |
There was a problem hiding this comment.
Preferably put CloudWatch integration together with SNS notifications
→ Group them, as they both relate to alerting/monitoring.
| s3_key_prefix = "cloudtrail" | ||
| log_retention_days = var.cloudtrail_log_retention_days | ||
| s3_ignore_data_bucket_arns = ["arn:aws:s3:::\${module.cloudtrail_s3_bucket.aws_s3_bucket_name}"] | ||
| cloud_watch_arn = module.cloudtrail_cloudwatch.aws_cloudwatch_log_group_arn |
There was a problem hiding this comment.
Should it have cloudtrail_event_type here too? Or, just rely on the default?
There was a problem hiding this comment.
I think we can just rely on cloudtrail_event_type default value for the template here. If in case the project want to change it, there is already one var for the project to adjust.
| variable "log_retention_days" { | ||
| description = "Number of days to retain CloudTrail logs in CloudWatch Logs." | ||
| type = number | ||
| default = 90 |
There was a problem hiding this comment.
Hmmmm, I see we defined 365 in the other cloudtrail.ts.
| variable "cloudtrail_log_retention_days" { | ||
| description = "The number of days to retain CloudTrail logs in CloudWatch" | ||
| type = number | ||
| default = 365 |
|
|
||
| const cloudtrailLocalesContent = dedent` | ||
| ### Begin CloudTrail ### | ||
| locals { |
There was a problem hiding this comment.
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
88243e5 to
2a604e2
Compare
tung-nimblehq
force-pushed
the
feature/316-add-vpc-flows-log-module
branch
from
0d16418 to
fe38800
Compare
…and create dedicated locals and data files
tung-nimblehq
force-pushed
the
feature/316-add-vpc-cloud-trail-module
branch
from
2a604e2 to
54e1427
Compare
3 participants
What happened 👀
Insight 📝
Proof Of Work 📹
Applied correctly
Cloudtrail
S3 bucket
Sns topic
Slack alerts
Does not create Cloudtrail in Blank template.
Screen.Recording.2025-10-05.at.22.27.44.mov
Does not create CloudTrail in the Advanced template with the flag not set.
Screen.Recording.2025-10-05.at.22.29.50.mov
Create CloudTrail in the Advanced template with the flag set.
Screen.Recording.2025-10-05.at.22.29.03.mov
Install CloudTrail into Bank template.
Screen.Recording.2025-10-05.at.22.28.16.mov