access_log_prefix |
Optional key prefix for access log objects written to the access-logging S3 bucket |
string |
"log/" |
no |
bucket_arn |
The S3 bucket ARN is required when setting use_existing_cloudtrail to true |
string |
"" |
no |
bucket_enable_mfa_delete |
Set this to true to require MFA for object deletion (requires versioning to be enabled) |
bool |
false |
no |
bucket_encryption_enabled |
Set this to true to enable encryption on a created S3 bucket |
bool |
true |
no |
bucket_force_destroy |
Force destroy bucket (When 'false' a non-empty bucket will NOT be destroyed.) |
bool |
true |
no |
bucket_logs_enabled |
Set this to true to enable access logging on a created S3 bucket |
bool |
true |
no |
bucket_name |
Optional name for a newly created S3 bucket. Not required when use_existing_cloudtrail is true. |
string |
"" |
no |
bucket_sse_algorithm |
The encryption algorithm to use for S3 bucket server-side encryption |
string |
"aws:kms" |
no |
bucket_sse_key_arn |
The ARN of the KMS encryption key to be used for S3 (Required when bucket_sse_algorithm is aws:kms and using an existing aws_kms_key) |
string |
"" |
no |
bucket_versioning_enabled |
Set this to true to enable object versioning on a created S3 bucket |
bool |
true |
no |
cloudtrail_name |
The name of the CloudTrail. Required when setting use_existing_cloudtrail to true |
string |
"lacework-cloudtrail" |
no |
consolidated_trail |
Set this to true to configure a consolidated cloudtrail |
bool |
false |
no |
create_lacework_integration |
Set this to false if you don't want the module to automatically create a corresponding Lacework integration. |
bool |
true |
no |
cross_account_cloudtrail_arn |
If using an existing CloudTrail in another account, provide the ARN here |
string |
null |
no |
cross_account_policy_name |
n/a |
string |
"" |
no |
enable_cloudtrail_s3_management_events |
Enable CloudTrail object-level logging for S3 |
bool |
false |
no |
enable_log_file_validation |
Specifies whether CloudTrail log file integrity validation is enabled |
bool |
true |
no |
external_id_length |
Deprecated - will be removed in the next major release, v3.0.0 |
number |
16 |
no |
iam_role_arn |
The IAM role ARN is required when setting use_existing_iam_role to true |
string |
"" |
no |
iam_role_external_id |
The external ID configured inside the IAM role is required when setting use_existing_iam_role to true |
string |
"" |
no |
iam_role_name |
The IAM role name. Must match iam_role_arn when use_existing_iam_role is set to true |
string |
"" |
no |
is_organization_trail |
Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account |
bool |
false |
no |
kms_key_deletion_days |
The waiting period before the KMS key is deleted, specified in days |
number |
30 |
no |
kms_key_multi_region |
Whether the KMS key is a multi-region or regional key |
bool |
true |
no |
kms_key_rotation |
Enable KMS automatic key rotation |
bool |
false |
no |
lacework_aws_account_id |
The Lacework AWS account ID to which the IAM role will grant access |
string |
"434813966438" |
no |
lacework_integration_name |
The name of the integration in Lacework. |
string |
"TF cloudtrail" |
no |
log_bucket_name |
Name of the S3 bucket for access logs. Is required when setting use_existing_access_log_bucket to true |
string |
"" |
no |
org_account_mappings |
Mapping of AWS accounts to Lacework accounts within a Lacework organization |
list(object({ default_lacework_account = string, mapping = list(object({ lacework_account = string, aws_accounts = list(string) })) })) |
[] |
no |
permission_boundary_arn |
Optional - ARN of the policy that is used to set the permissions boundary for the role. |
string |
null |
no |
prefix |
The prefix that will be used at the beginning of every generated resource name |
string |
"lacework-ct" |
no |
s3_notification_log_prefix |
The object prefix for which to create S3 notifications |
string |
"AWSLogs/" |
no |
s3_notification_type |
The destination type to use for S3 notifications: SNS or SQS. Defaults to SQS |
string |
"SQS" |
no |
sns_topic_arn |
The SNS topic ARN |
string |
"" |
no |
sns_topic_encryption_enabled |
Set this to false to disable encryption on the SNS topic. Defaults to true |
bool |
true |
no |
sns_topic_encryption_key_arn |
The ARN of an existing KMS encryption key to be used for SNS |
string |
"" |
no |
sns_topic_name |
The SNS topic name |
string |
"" |
no |
sqs_encryption_enabled |
Set this to true to enable server-side encryption on SQS. |
bool |
true |
no |
sqs_encryption_key_arn |
The ARN of the KMS encryption key to be used for SQS (required when sqs_encryption_enabled is true) |
string |
"" |
no |
sqs_queue_name |
The SQS queue name |
string |
"" |
no |
sqs_queues |
List of SQS queues to configure in the Lacework cross-account policy |
list(string) |
[] |
no |
tags |
A map/dictionary of Tags to be assigned to created resources |
map(string) |
{} |
no |
use_existing_access_log_bucket |
Set this to true to use an existing bucket for access logging. Default behavior creates a new access log bucket if logging is enabled |
bool |
false |
no |
use_existing_cloudtrail |
Set this to true to use an existing CloudTrail. Default behavior creates a new CloudTrail |
bool |
false |
no |
use_existing_iam_role |
Set this to true to use an existing IAM role |
bool |
false |
no |
use_existing_iam_role_policy |
Set this to true to use an existing policy on the IAM role, rather than attaching a new one |
bool |
false |
no |
use_existing_kms_key |
Set this to true to use an existing KMS key. |
bool |
false |
no |
use_existing_sns_topic |
Set this to true to use an existing SNS topic. Default behavior creates a new SNS topic |
bool |
false |
no |
use_s3_bucket_notification |
Set this to true to use S3 bucket notifications instead of CloudTrail. When set to false, CloudTrail will be used. Defaults to false |
bool |
false |
no |
wait_time |
Amount of time to wait before the next resource is provisioned. |
string |
"10s" |
no |