Description
Is your request related to a new offering from AWS?
Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.
- No: please wait to file a request until the functionality is available in the AWS provider
- Yes: please list the AWS provider version which introduced this functionality
- Not Exactly: CloudTrail has [nearly] always required these statements to log to S3, and the Terraform provider has [nearly] always supported a defined bucket policy; if anything, perhaps AWS provider v4 with the `aws_s3_bucket` split-apart?
Is your request related to a problem? Please describe.
Scenario: A new AWS Organizations organization is being configured. I would like to create the S3 bucket ahead of time to which the org will send CloudTrail logs. Unfortunately, despite several AWS log delivery options, CloudTrail log delivery is not yet supported.
Describe the solution you'd like.
CloudTrail log delivery support amounts to adding two documented statements to the bucket policy.
Describe alternatives you've considered.
I can pass the two statements in via the module's `policy` parameter. This accomplishes the same end result. This issue is merely a request for first class support for this essential AWS service.
Additional context
This seems to be a duplicate of this issue which just fell off the wagon, otherwise this would already be implemented.
One possible concern is whether to include the current AWS account ID in the resource path for `s3:PutObject`. Doing so would of course restrict logs from being delivered from CloudTrail in only the current account. Doing so would also preclude this being the central CloudTrail bucket for an entire AWS Organizations org. Whether that's the intended behavior presented by the module to consumers is a decision for the admin team. As a user, it would be nice to use this bucket for the whole org, so my personal hope is to leave the prefix component of the resource ARN path as `/AWSLogs/*` to allow for any account's log delivery.
I would also hope to avoid yet another module input such as a feature flag to control this behavior, although that is certainly another way to solve this.
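The workaround the issue describes, written out as an added example (not code from the issue author or the module): the two CloudTrail bucket-policy statements that AWS documents, built with `aws_iam_policy_document` and passed through the module's `policy` input. It assumes the module is `terraform-aws-modules/s3-bucket/aws` with its `attach_policy` input, and the bucket name, account ID, organization ID and trail ARN are placeholders to be replaced. It also shows both resource-path choices the issue weighs: the account-scoped `/AWSLogs/<account-id>/*` prefix alongside the organization prefix an org trail writes to, rather than the wide-open `/AWSLogs/*`.

```hcl
# Added example, not part of the issue or the module. Placeholder values
# below must be replaced with real ones.
locals {
  bucket_name = "example-org-cloudtrail-logs"                               # placeholder
  account_id  = "111111111111"                                              # placeholder: management account
  org_id      = "o-exampleorgid"                                            # placeholder: AWS Organizations ID
  trail_arn   = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail" # placeholder
}

data "aws_iam_policy_document" "cloudtrail" {
  # Statement 1: CloudTrail reads the bucket ACL before it delivers logs.
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    # Only the named trail may use this bucket (confused-deputy protection).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }

  # Statement 2: CloudTrail writes log objects under AWSLogs/.
  # Listing /AWSLogs/<account-id>/* alone limits delivery to this account;
  # an organization trail also writes under /AWSLogs/<org-id>/*, so both
  # prefixes are allowed here instead of the broader /AWSLogs/*.
  statement {
    sid     = "AWSCloudTrailWrite"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "arn:aws:s3:::${local.bucket_name}/AWSLogs/${local.account_id}/*",
      "arn:aws:s3:::${local.bucket_name}/AWSLogs/${local.org_id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    # CloudTrail must hand object ownership to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
}

module "cloudtrail_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket        = local.bucket_name
  attach_policy = true
  policy        = data.aws_iam_policy_document.cloudtrail.json
}
```

The `aws:SourceArn` condition is what keeps a bucket that accepts `cloudtrail.amazonaws.com` as principal from also accepting delivery from a trail in some unrelated account; because the trail ARN is known before the trail exists, it can be written as a literal here without creating a dependency cycle between the bucket policy and the `aws_cloudtrail` resource.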