diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index ed9c045..99eea12 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -48,6 +48,8 @@ No requirements.
 |------|---------|
 | [aws](#provider\_aws) | n/a |
 | [null](#provider\_null) | n/a |
+| [random](#provider\_random) | n/a |
+| [template](#provider\_template) | n/a |
 
 ## Modules
 
@@ -73,6 +75,8 @@ No modules.
 | [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [random_uuid.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -85,6 +89,7 @@ No modules.
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 
diff --git a/cloudtrail/generate_splunk.cloudtrail.tf b/cloudtrail/generate_splunk.cloudtrail.tf
new file mode 100644
index 0000000..a052406
--- /dev/null
+++ b/cloudtrail/generate_splunk.cloudtrail.tf
@@ -0,0 +1,30 @@
+#---
+# generate splunk inputs file
+#---
+data "template_file" "splunk_cloudtrail" {
+ template = file("${path.module}/templates/inputs.cloudtrail.conf.tpl")
+ vars = {
+ account_id = local.account_id
+ account_alias = local.account_alias
+ entry_uuid = random_uuid.splunk_cloudtrail.result
+ region = local.cloudtrail_region
+ queue_url = var.enable_sqs ? aws_sqs_queue.cloudtrail[0].id : null
+ }
+}
+
+resource "random_uuid" "splunk_cloudtrail" {
+ keepers = {
+ queue_url = var.enable_sqs ? aws_sqs_queue.cloudtrail[0].id : null
+ }
+}
+
+resource "null_resource" "splunk_cloudtrail" {
+ count = var.enable_sqs ? 1 : 0
+ provisioner "local-exec" {
+ command = "test -d setup || mkdir setup"
+ }
+ provisioner "local-exec" {
+ working_dir = "setup"
+ command = "echo '${data.template_file.splunk_cloudtrail.rendered}' > inputs.cloudtrail.${local.account_id}.${local.cloudtrail_region}.conf"
+ }
+}
diff --git a/cloudtrail/templates/inputs.cloudtrail.conf.tpl b/cloudtrail/templates/inputs.cloudtrail.conf.tpl
new file mode 100644
index 0000000..78390d9
--- /dev/null
+++ b/cloudtrail/templates/inputs.cloudtrail.conf.tpl
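Review bot: The second `local-exec` in `null_resource.splunk_cloudtrail` hands the rendered template to a shell as `echo '…' > …`, so a single quote anywhere in `local.account_alias` or in the SQS queue URL terminates the quoted string and whatever follows is executed as shell — Terraform itself should write this file rather than a shell. Replacing the `template_file` data source, `random_uuid` and `null_resource` with one `local_file` resource whose `content` comes from the built-in `templatefile()` removes the shell step and the `mkdir` step (`local_file` creates missing parent directories), and also drops the `template` provider, which is archived upstream and, as far as I recall, has no builds for newer platforms. As committed the `null_resource` has no `triggers`, so the .conf is written once at create time and is not regenerated when the queue URL or the template changes, whereas `local_file` re-writes on any content change. `entry_uuid` (and with it `random_uuid.splunk_cloudtrail`) and `account_id` are passed as template vars but the committed `inputs.cloudtrail.conf.tpl` references only `account_alias`, `region` and `queue_url`, so they can be dropped. This swaps the `random`/`template` rows in the README provider table for `hashicorp/local`.

```hcl
#---
# generate splunk inputs file
#---
resource "local_file" "splunk_cloudtrail" {
  count = var.enable_sqs ? 1 : 0

  # Rendered and written by Terraform directly: no shell, so a quote in the
  # account alias or queue URL cannot break out of an echo '...' command.
  content = templatefile("${path.module}/templates/inputs.cloudtrail.conf.tpl", {
    account_alias = local.account_alias
    region        = local.cloudtrail_region
    queue_url     = aws_sqs_queue.cloudtrail[0].id
  })

  # Same location as before (./setup under the working directory);
  # local_file creates the directory if it does not exist.
  filename = "${path.cwd}/setup/inputs.cloudtrail.${local.account_id}.${local.cloudtrail_region}.conf"
}
```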
@@ -0,0 +1,10 @@
+[aws_sqs_based_s3://${account_alias}-cloudtrail-${region}]
+account = ${account_alias}
+index = aws
+polling_interval = 300
+s3_file_decoder = CloudTrail
+sourcetype = aws:cloudtrail
+sqs_batch_size = 10
+sqs_queue_region = ${region}
+sqs_queue_url = ${queue_url}
+
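Review bot: The generated .conf carries no marker that it is produced by Terraform, so a Splunk admin who edits it by hand will lose the change the next time it is regenerated; a first line `# Generated by the cloudtrail Terraform module from templates/inputs.cloudtrail.conf.tpl — do not edit by hand` would make that explicit (Splunk .conf files accept `#` comment lines). `index = aws`, `polling_interval = 300` and `sqs_batch_size = 10` are fixed in the template rather than exposed as module inputs, which may be intentional for a single deployment but means every account's CloudTrail lands in the same index. Of the vars the `template_file` data source passes in, only `account_alias`, `region` and `queue_url` are referenced here.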