diff --git a/modules/cloudtrail/main.tf b/modules/cloudtrail/main.tf
index 1451fed73..f71f3283b 100644
--- a/modules/cloudtrail/main.tf
+++ b/modules/cloudtrail/main.tf
@@ -8,7 +8,7 @@ resource "aws_s3_bucket" "cloudtrail_logs" {
# S3 Bucket Policy for CloudTrail
resource "aws_s3_bucket_policy" "cloudtrail_logs" {
- bucket = aws_s3_bucket.cloudtrail_logs[0].id
+ bucket = aws_s3_bucket.cloudtrail_logs.id
policy = jsonencode({
Version = "2012-10-17",
@@ -21,7 +21,7 @@ resource "aws_s3_bucket_policy" "cloudtrail_logs" {
Service = "cloudtrail.amazonaws.com"
},
Action = "s3:PutObject",
- Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs[0].id}/*",
+ Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/*",
Condition = {
StringEquals = {
"s3:x-amz-acl" = "bucket-owner-full-control"
@@ -39,7 +39,7 @@ resource "aws_s3_bucket_policy" "cloudtrail_logs" {
"s3:GetBucketAcl",
"s3:PutBucketAcl"
],
- Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs[0].id}"
+ Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}"
},
# Deny all HTTP (insecure) access
{
@@ -48,8 +48,8 @@ resource "aws_s3_bucket_policy" "cloudtrail_logs" {
Principal = "*",
Action = "s3:*",
Resource = [
- "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs[0].id}",
- "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs[0].id}/*"
+ "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}",
+ "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/*"
],
Condition = {
Bool = {
@@ -63,7 +63,7 @@ resource "aws_s3_bucket_policy" "cloudtrail_logs" {
# Lifecycle Rules for S3 Bucket
resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail_logs" {
- bucket = aws_s3_bucket.cloudtrail_logs[0].id
+ bucket = aws_s3_bucket.cloudtrail_logs.id
rule {
id = "TransitionToGlacier"
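Review bot: The PutObject grant on the changed `Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/*"` line still covers the whole bucket and, within the visible lines, is gated only by the `s3:x-amz-acl` condition, so any AWS account that learns the bucket name can point its own trail at it — the standard confused-deputy gap in CloudTrail bucket policies. Since this statement is being touched anyway, narrow it to this account's log prefix and pin the caller, e.g. `Resource = "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"` and `"aws:SourceAccount" = data.aws_caller_identity.current.account_id` under `StringEquals` (adding an `aws_caller_identity` data source if the module does not already have one; referencing the trail's ARN directly would create a dependency cycle with the trail resource). If such a condition already exists in the part of the `Condition` block below the hunk, ignore this. The enclosing `aws_s3_bucket_policy` resource starts and ends outside the hunk.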
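Review bot: `"s3:PutBucketAcl"` in the action list directly above the changed `Resource` line is more privilege than CloudTrail needs — the service only performs an `s3:GetBucketAcl` check before delivering logs, and AWS's reference bucket policy grants nothing else on the bucket itself. A write grant on the bucket ACL to a service principal that (per the PutObject statement above) is not pinned to this account's trail is exactly the kind of latent permission a confused-deputy path would exploit. Reduce the statement to `Action = "s3:GetBucketAcl"`. The statement's `Effect` and `Principal` lines are above the hunk; I'm assuming they mirror the PutObject statement (Allow / `cloudtrail.amazonaws.com`).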
@@ -85,7 +85,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail_logs" {
# CloudTrail Configuration
resource "aws_cloudtrail" "s3_event_logs" {
name = "s3-events-cloudtrail"
- s3_bucket_name = aws_s3_bucket.cloudtrail_logs[0].id
+ s3_bucket_name = aws_s3_bucket.cloudtrail_logs.id
include_global_service_events = var.include_global_service_events
is_multi_region_trail = var.multi_region_trail
enable_log_file_validation = var.enable_log_file_validation
@@ -97,7 +97,7 @@ resource "aws_cloudtrail" "s3_event_logs" {
data_resource {
type = "AWS::S3::Object"
values = [
- "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs[0].id}/*"
+ "arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/*"
]
}
}
diff --git a/modules/cloudtrail/outputs.tf b/modules/cloudtrail/outputs.tf
index a02e0ce65..7abc7d6ed 100644
--- a/modules/cloudtrail/outputs.tf
+++ b/modules/cloudtrail/outputs.tf
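Review bot: `s3_bucket_name = aws_s3_bucket.cloudtrail_logs.id` gives the trail a graph dependency on the bucket only, not on `aws_s3_bucket_policy.cloudtrail_logs`, so on a fresh apply Terraform may create the trail before the policy is attached and the create fails with CloudTrail's "insufficient permissions to access S3 bucket" error. Unless a `depends_on` already exists in the part of this resource that is outside the hunk, add `depends_on = [aws_s3_bucket_policy.cloudtrail_logs]` to the resource. Separately, `enable_log_file_validation = var.enable_log_file_validation` makes digest validation optional; its default lives in a file not shown here, so please confirm it is `true` — it is the one control that makes tampering with delivered logs detectable. The `aws_cloudtrail` resource body continues past the hunk.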
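Review bot: The changed data-event selector value `"arn:aws:s3:::${aws_s3_bucket.cloudtrail_logs.id}/*"` points the trail at its own delivery bucket, so every log-file PutObject made by CloudTrail becomes an object-level data event that is delivered back into the same bucket; AWS specifically advises against logging data events for the bucket that receives the trail's logs because of the self-generated volume (and cost). If the intent of an "s3-events" trail is to audit other buckets, the list should come from a module variable holding those bucket ARNs, for example `values = [for b in var.monitored_bucket_arns : "${b}/*"]`, with the log bucket left out. The block enclosing this `data_resource` (presumably an `event_selector`) opens above the hunk, so its `read_write_type` and `include_management_events` settings are not visible here.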
@@ -1,24 +1,19 @@
output "cloudtrail_bucket_name" {
description = "Name of the S3 bucket storing CloudTrail logs specific to S3 events"
- value = var.enable_cloudtrail_s3_logging ? aws_s3_bucket.cloudtrail_logs[0].bucket : null
+ value = aws_s3_bucket.cloudtrail_logs[0].bucket
}
output "cloudtrail_bucket_arn" {
description = "ARN of the S3 bucket storing CloudTrail logs specific to S3 events"
- value = var.enable_cloudtrail_s3_logging ? aws_s3_bucket.cloudtrail_logs[0].arn : null
+ value = aws_s3_bucket.cloudtrail_logs[0].arn
}
output "cloudtrail_name" {
description = "Name of the CloudTrail instance"
- value = var.enable_cloudtrail_s3_logging ? aws_cloudtrail.s3_event_logs[0].name : null
+ value = aws_cloudtrail.s3_event_logs[0].name
}
output "cloudtrail_arn" {
description = "ARN of the CloudTrail instance"
- value = var.enable_cloudtrail_s3_logging ? aws_cloudtrail.s3_event_logs[0].arn : null
-}
-
-output "force_destroy_warning" {
- description = "Warning message if force_destroy is enabled"
- value = var.force_destroy ? "WARNING: The S3 bucket is configured to be forcefully destroyed." : null
-}
+ value = aws_cloudtrail.s3_event_logs[0].arn
+}
\ No newline at end of file
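Review bot: The four new-side `value` lines still index the resources (`aws_s3_bucket.cloudtrail_logs[0].bucket`, `aws_s3_bucket.cloudtrail_logs[0].arn`, `aws_cloudtrail.s3_event_logs[0].name`, `aws_cloudtrail.s3_event_logs[0].arn`) while every reference in main.tf in this same commit drops the `[0]`, which only makes sense if `count` was removed from those resources. If that is the case, these outputs fail validation with Terraform's "does not have count or for_each set, references to it do not include an index" error, so each value should become the unindexed form, e.g. `value = aws_s3_bucket.cloudtrail_logs.bucket` and `value = aws_cloudtrail.s3_event_logs.arn`. Dropping the `var.enable_cloudtrail_s3_logging ? … : null` guard also means the module can no longer be disabled through that variable; confirm the variable was removed in variables.tf (not in this diff), otherwise it is now dead input. A trailing newline on the last `}` would also silence the "No newline at end of file" marker.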