From b6f6ba7b3fb6b626a15fce6b63917f9dc005eebc Mon Sep 17 00:00:00 2001
From: Andrew Horner
Date: Mon, 1 Feb 2021 20:34:32 -0700
Subject: [PATCH 1/2] Create unique logging bucket for Cloudtrail module

Monitoring changes to the Cloudtrail bucket requires the logging bucket to pre-exist, so we need to generate it here. This ensures that the end-to-end process works properly.
---
 aws/cloudtrail/main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/aws/cloudtrail/main.tf b/aws/cloudtrail/main.tf
index 9c57b18..e214582 100644
--- a/aws/cloudtrail/main.tf
+++ b/aws/cloudtrail/main.tf
@@ -11,6 +11,13 @@ resource "aws_cloudtrail" "mod" {
 tags = var.tags
 }
 
+resource "aws_s3_bucket" "logs" {
+ bucket = "${var.name}-cloudtrail-logs"
+ acl = "log-delivery-write"
+
+ tags = var.tags
+}
+
 resource "aws_s3_bucket" "mod" {
 bucket = "${var.name}-cloudtrail"
 acl = "private"
@@ -19,7 +26,7 @@ resource "aws_s3_bucket" "mod" {
 tags = var.tags
 
 logging {
- target_bucket = "cloudtrail-logs"
+ target_bucket = aws_s3_bucket.logs.id
 target_prefix = var.name
 }
 }

From 91e60f427140c89e5579000c5195960765935c0e Mon Sep 17 00:00:00 2001
From: Andrew Horner
Date: Tue, 2 Feb 2021 22:57:20 -0700
Subject: [PATCH 2/2] Use bucket_prefix to prevent naming conflicts

---
 aws/cloudtrail/main.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/aws/cloudtrail/main.tf b/aws/cloudtrail/main.tf
index e214582..b4fb204 100644
--- a/aws/cloudtrail/main.tf
+++ b/aws/cloudtrail/main.tf
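Review bot: The new `aws_s3_bucket.logs` resource is configured with nothing but `acl = "log-delivery-write"`: no versioning, no default encryption, no `aws_s3_bucket_public_access_block`, and — unlike `aws_s3_bucket.mod` two lines below it, which attaches `data.aws_iam_policy_document.s3.json` — no bucket policy. This bucket receives the server access logs for the CloudTrail bucket, so it is part of the tamper-evidence chain the module is building; without versioning an overwrite or delete of those logs is unrecoverable, and without a default SSE rule they sit unencrypted at rest. I would add a versioning block and a default encryption rule inside the resource and a public access block beside it, as below; whatever hardening the trail bucket gets outside this hunk, the logging bucket should match it.
```hcl
resource "aws_s3_bucket" "logs" {
  # … unchanged: bucket, acl …

  # Access logs for the trail bucket are evidence too: keep prior
  # versions so a delete or overwrite is recoverable, and encrypt at rest.
  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = var.tags
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```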
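Review bot: `target_prefix = var.name` in the `logging` block has no trailing `/`, so S3 will append its timestamped object names directly to the value and the access logs land as flat keys like `<name>2021-02-01-…` instead of under a `<name>/` prefix; if another source bucket is ever pointed at this logging bucket the two log streams interleave in one namespace. I would write `target_prefix = "${var.name}/"` so each source bucket's logs are grouped and can be addressed by prefix in a lifecycle rule or an IAM `s3:prefix` condition. The enclosing `aws_s3_bucket.mod` resource begins outside this hunk.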
@@ -5,17 +5,17 @@ resource "aws_cloudtrail" "mod" {
 enable_logging = true
 enable_log_file_validation = true
 
- cloud_watch_logs_group_arn = var.cloud_watch_logs_group_arn
- cloud_watch_logs_role_arn = var.cloud_watch_logs_role_arn
+ cloud_watch_logs_group_arn = var.cloud_watch_logs_group_arn
+ cloud_watch_logs_role_arn = var.cloud_watch_logs_role_arn
 
- tags = var.tags
+ tags = var.tags
 }
 
 resource "aws_s3_bucket" "logs" {
- bucket = "${var.name}-cloudtrail-logs"
- acl = "log-delivery-write"
+ bucket_prefix = "${var.name}-cloudtrail-logs"
+ acl = "log-delivery-write"
 
- tags = var.tags
+ tags = var.tags
 }
 
 resource "aws_s3_bucket" "mod" {
@@ -23,7 +23,7 @@ resource "aws_s3_bucket" "mod" {
 acl = "private"
 policy = data.aws_iam_policy_document.s3.json
 
- tags = var.tags
+ tags = var.tags
 
 logging {
 target_bucket = aws_s3_bucket.logs.id
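Review bot: Switching `aws_s3_bucket.logs` to `bucket_prefix = "${var.name}-cloudtrail-logs"` makes the bucket name non-deterministic, so anything that relied on the fixed `${var.name}-cloudtrail-logs` name — the monitoring of the trail bucket that the first commit says motivated this bucket, an account-level bucket policy, a SIEM ingestion path — must now obtain the name from `aws_s3_bucket.logs.id`; I cannot see outputs.tf from this hunk, so please confirm the module exports it. The provider also caps `bucket_prefix` at 37 characters (the 26-character random suffix has to fit inside the 63-character bucket-name limit, if I recall the validation correctly), and `-cloudtrail-logs` already spends 16 of them, so a `var.name` longer than 21 characters fails at apply time rather than plan time; a `validation` block on `var.name` with `condition = length(var.name) <= 21` would surface that early. The `aws_cloudtrail.mod` resource whose attributes are re-aligned at the top of the hunk begins outside it.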