From 52b1276316d6e98f429e01a981471e046aa23405 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Thu, 6 Feb 2025 14:30:19 -0800
Subject: [PATCH] feat: Cloudtrail logging for s3 events

---
 main.tf | 16 +++++++++++
 modules/cloudtrail/variables.tf | 2 +-
 variables.tf | 47 +++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 98c70692b..e4b663283 100644
--- a/main.tf
+++ b/main.tf
@@ -43,6 +43,22 @@ locals {
   main_bucket_name = var.bucket_name != "" ? var.bucket_name : module.file_storage.bucket_name
 }
 
+module "cloudtrail" {
+  source = "./modules/cloudtrail"
+
+  # Required Variables
+  namespace = var.namespace
+  cloudtrail_bucket_name = var.cloudtrail_bucket_name
+  force_destroy = var.force_destroy
+  log_lifecycle = var.log_lifecycle
+
+  # Optional Variables with Defaults
+  include_global_service_events = var.include_global_service_events
+  multi_region_trail = var.multi_region_trail
+  enable_log_file_validation = var.enable_log_file_validation
+  tags = var.tags
+}
+
 module "networking" {
   source = "./modules/networking"
   namespace = var.namespace
diff --git a/modules/cloudtrail/variables.tf b/modules/cloudtrail/variables.tf
index 661d021ba..d13241bf3 100644
--- a/modules/cloudtrail/variables.tf
+++ b/modules/cloudtrail/variables.tf
@@ -20,7 +20,7 @@ variable "log_lifecycle" {
 variable "include_global_service_events" {
   description = "Whether to include global service events in the CloudTrail"
   type = bool
-  default = true
+  default = false
 }
 
 variable "multi_region_trail" {
diff --git a/variables.tf b/variables.tf
index ef2522b87..54549371e 100644
--- a/variables.tf
+++ b/variables.tf
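Review bot: Nothing passed into the new `module "cloudtrail"` block selects S3 data events, although the subject line says the trail is for S3 events; unless `./modules/cloudtrail` defines an event selector for S3 data events on its own (not visible in this patch), the trail will record management events only and object-level S3 activity will not be logged. The module call should make that dependency explicit, e.g. a comment above `module "cloudtrail" {` reading `# Object-level S3 events are only recorded if the module configures a data event selector; see modules/cloudtrail`. `force_destroy` is wired straight to the bucket that holds the audit trail, so a comment such as `# force_destroy empties the CloudTrail log bucket on destroy; keep false outside throwaway environments` next to that line would spare the next maintainer a surprise.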
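Review bot: Flipping the module default of `include_global_service_events` from `true` to `false` narrows what the trail records for every consumer of `modules/cloudtrail`, since global service events are the ones that cover account-wide activity such as IAM and STS calls. The root module in this same commit declares its own `include_global_service_events` with `default = true` and passes it explicitly, so this root is unaffected, but any other caller of the module silently loses those events and the commit message gives no reason for the change. Either restore `default = true` so the two declarations agree, or state the reason in the description, e.g. `description = "Whether to include global service events (IAM, STS, ...) in the CloudTrail; off by default because <reason>"`.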
@@ -578,3 +578,50 @@ variable "kubernetes_cluster_oidc_issuer_url" {
   description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
   default = ""
 }
+
+##########################################
+# Cloudtrail #
+##########################################
+
+variable "cloudtrail_bucket_name" {
+  description = "Name of the S3 bucket storing CloudTrail logs"
+  type = string
+}
+
+variable "force_destroy" {
+  description = "Determines if the bucket should be forcefully deleted"
+  type = bool
+  default = false
+}
+
+variable "log_lifecycle" {
+  description = "Object containing transition and expiration days for logs"
+  type = object({
+    transition_days = number
+    expiration_days = number
+  })
+}
+
+variable "include_global_service_events" {
+  description = "Enable logging of global AWS service events"
+  type = bool
+  default = true
+}
+
+variable "multi_region_trail" {
+  description = "Enable CloudTrail across multiple regions"
+  type = bool
+  default = true
+}
+
+variable "enable_log_file_validation" {
+  description = "Enable CloudTrail log file validation"
+  type = bool
+  default = true
+}
+
+variable "tags" {
+  description = "Tags for CloudTrail resources"
+  type = map(string)
+  default = {}
+}
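Review bot: `cloudtrail_bucket_name` and `log_lifecycle` are declared with no default, so every existing caller of this root module stops planning until both values are supplied; if CloudTrail is meant to be opt-in the commit should say so, otherwise the required inputs deserve a mention in the description. The root default `include_global_service_events = true` contradicts the module default the same commit changes to `false`, so the two declarations should be reconciled. `log_lifecycle` also accepts `expiration_days` no larger than `transition_days`, which the S3 lifecycle configuration is likely to reject only at apply time; a `validation` block on the variable, as below, fails at plan instead. If `tags` or `force_destroy` are already declared earlier in variables.tf (outside this hunk) these are duplicate declarations, and in any case the generic names are broader than their CloudTrail-only descriptions, so `cloudtrail_tags` and `cloudtrail_force_destroy` would read more honestly.

```hcl
variable "log_lifecycle" {
  description = "Object containing transition and expiration days for logs"
  type = object({
    transition_days = number
    expiration_days = number
  })

  validation {
    condition     = var.log_lifecycle.expiration_days > var.log_lifecycle.transition_days
    error_message = "log_lifecycle.expiration_days must be greater than transition_days."
  }
}
# … unchanged: the other CloudTrail variable blocks …
```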