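# CloudWatch Logs group that receives the trail's events when
# var.cloud_watch_logs is true (wired up in aws_cloudtrail.default below).
# NOTE(review): this group is created unconditionally, even when the trail is
# disabled through module.this.enabled or CloudWatch delivery is switched off;
# gating it would also require indexing the references in the role policy and
# the trail, so it is only flagged here.
resource "aws_cloudwatch_log_group" "self" {
  name = "/cloudtrail/${var.name}"

  # Neither retention_in_days nor kms_key_id is set, so AWS/provider defaults
  # apply for retention and encryption of the audit log stream. Consider
  # exposing both as variables (a customer-managed key would also need a key
  # policy statement for the CloudWatch Logs service principal).

  # Tag the group consistently with the trail resource.
  tags = module.this.tags
}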
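# Role that the CloudTrail service assumes to write into the log group above.
resource "aws_iam_role" "self" {
  name = "cloudtrail-cloudwatch-${var.name}-role"

  # Trust policy: only the CloudTrail service principal may assume the role.
  # NOTE(review): there is no aws:SourceArn / aws:SourceAccount condition, so
  # the role is assumable on behalf of any trail CloudTrail acts for, not just
  # aws_cloudtrail.default (cross-service confused deputy). Referencing the
  # trail ARN here would create a dependency cycle; the condition would have
  # to be composed from the account id, region and trail name instead.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })

  # Tag the role consistently with the trail resource.
  tags = module.this.tags
}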
# Inline policy granting the delivery role write access to the trail's
# log group only (stream creation and event delivery on that group's streams).
resource "aws_iam_role_policy" "self" {
  name = "cloudtrail-cloudwatch-${var.name}-policy"
  role = aws_iam_role.self.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "AWSCloudTrailCreateLogStream20230110"
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream"]
        Resource = ["${aws_cloudwatch_log_group.self.arn}:*"]
      },
      {
        Sid      = "AWSCloudTrailPutLogEvents20230110"
        Effect   = "Allow"
        Action   = ["logs:PutLogEvents"]
        Resource = ["${aws_cloudwatch_log_group.self.arn}:*"]
      }
    ]
  })
}
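# The CloudTrail trail itself. Only the trail is gated on module.this.enabled;
# the log group, role and policy above are always created.
resource "aws_cloudtrail" "default" {
  count = module.this.enabled ? 1 : 0
  name  = module.this.id

  enable_logging = var.enable_logging
  s3_bucket_name = var.s3_bucket_name
  s3_key_prefix  = var.s3_key_prefix

  # Log file digests let consumers detect tampering with delivered objects;
  # the default for this variable is not visible here — verify it is true.
  enable_log_file_validation = var.enable_log_file_validation
  sns_topic_name             = var.sns_topic_name

  is_multi_region_trail         = var.is_multi_region_trail
  include_global_service_events = var.include_global_service_events
  is_organization_trail         = var.is_organization_trail

  # CloudWatch delivery is optional. Use null (not "") so the arguments are
  # genuinely unset when disabled. CloudTrail expects the log group ARN with
  # the ":*" suffix.
  cloud_watch_logs_role_arn  = var.cloud_watch_logs ? aws_iam_role.self.arn : null
  cloud_watch_logs_group_arn = var.cloud_watch_logs ? "${aws_cloudwatch_log_group.self.arn}:*" : null

  # Server-side encryption of delivered log files with a customer-managed key.
  kms_key_id = var.kms_key_arn

  tags = module.this.tags

  # Each entry of var.event_selector may carry include_management_events,
  # read_write_type and a list of data_resource objects (type + values);
  # missing keys fall back to null / an empty list.
  dynamic "event_selector" {
    for_each = var.event_selector
    content {
      include_management_events = lookup(event_selector.value, "include_management_events", null)
      read_write_type           = lookup(event_selector.value, "read_write_type", null)

      dynamic "data_resource" {
        for_each = lookup(event_selector.value, "data_resource", [])
        content {
          type   = data_resource.value.type
          values = data_resource.value.values
        }
      }
    }
  }

  # Each entry of var.insight_selector may carry insight_type.
  dynamic "insight_selector" {
    for_each = var.insight_selector
    content {
      insight_type = lookup(insight_selector.value, "insight_type", null)
    }
  }
}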