From 3ff3ec5dd250c630d64daacd94a3da656ffb6f0d Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 1 Sep 2023 15:58:48 -0400
Subject: [PATCH] more change for s3 sns
---
 .../{ => OFF}/generate_splunk.cloudtrail.tf | 0
 cloudtrail/README.md | 27 ++++-
 cloudtrail/additional-sqs.s3.tf | 103 ++++++++++++++++++
 cloudtrail/s3.tf | 13 +++
 cloudtrail/sns.s3.tf | 56 ++++++++++
 cloudtrail/sqs.s3.tf | 103 ++++++++++++++++++
 cloudtrail/variables.tf | 18 +++
 7 files changed, 315 insertions(+), 5 deletions(-)
 rename cloudtrail/{ => OFF}/generate_splunk.cloudtrail.tf (100%)
 create mode 100644 cloudtrail/additional-sqs.s3.tf
 create mode 100644 cloudtrail/sns.s3.tf
 create mode 100644 cloudtrail/sqs.s3.tf
diff --git a/cloudtrail/generate_splunk.cloudtrail.tf b/cloudtrail/OFF/generate_splunk.cloudtrail.tf
similarity index 100%
rename from cloudtrail/generate_splunk.cloudtrail.tf
rename to cloudtrail/OFF/generate_splunk.cloudtrail.tf
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index a39fa47..6d9f4cd 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -128,9 +128,7 @@ module "org_cloudtrail" {
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | >= 3.66.0 |
-| [local](#provider\_local) | n/a |
 | [null](#provider\_null) | n/a |
-| [template](#provider\_template) | n/a |
 ## Modules 
@@ -147,39 +145,55 @@ No modules.
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_policy.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | 
[aws_sns_topic_subscription.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sqs_queue.additional_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.additional_cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue_policy.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| 
[aws_sqs_queue_policy.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
-| [local_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| 
[aws_iam_policy_document.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | 
[aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 ## Inputs
@@ -189,10 +203,13 @@ No modules.
 | [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [additional\_s3\_sqs\_names](#input\_additional\_s3\_sqs\_names) | List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled) | `list(string)` | `[]` | no |
 | [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
 | [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
 | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no |
 | [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master account | `bool` | `false` | no |
+| [enable\_s3\_sns](#input\_enable\_s3\_sns) | Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket | `bool` | `false` | no |
+| [enable\_s3\_sqs](#input\_enable\_s3\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket | `bool` | `false` | no |
 | [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |
 | [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no |
 | [kms\_key\_arn](#input\_kms\_key\_arn) | AWS CloudTrail KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes |
diff --git a/cloudtrail/additional-sqs.s3.tf b/cloudtrail/additional-sqs.s3.tf
new file mode 100644
index 0000000..f1f3422
--- /dev/null
+++ b/cloudtrail/additional-sqs.s3.tf 
@@ -0,0 +1,103 @@
+locals {
+ additional_s3_sqs_names = var.enable_s3_sqs ? toset(var.additional_s3_sqs_names) : toset([])
+}
+
+resource "aws_sqs_queue" "additional_cloudtrail_s3_deadletter" {
+ for_each = local.additional_s3_sqs_names
+ name = format("%v-deadletter", each.key)
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ Name = format("%v-deadletter", each.key) }),
+ )
+}
+
+resource "aws_sqs_queue_policy" "additional_cloudtrail_s3_deadletter" {
+ for_each = local.additional_s3_sqs_names
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].id : null
+ policy = data.aws_iam_policy_document.additional_cloudtrail_s3_deadletter[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_cloudtrail_s3_deadletter" {
+ for_each = local.additional_s3_sqs_names
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "additional_cloudtrail_s3" {
+ for_each = local.additional_s3_sqs_names
+ name = each.key
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 7200
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = var.enable_s3_sqs ? 
aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].arn : null
+ maxReceiveCount = 100
+ })
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ Name = each.key }),
+ )
+}
+
+resource "aws_sqs_queue_policy" "additional_cloudtrail_s3_sqs" {
+ for_each = local.additional_s3_sqs_names
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].id : null
+ policy = data.aws_iam_policy_document.additional_cloudtrail_s3_sqs[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_cloudtrail_s3_sqs" {
+ for_each = local.additional_s3_sqs_names
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sns_topic_subscription" "additional_cloudtrail_s3_sqs" {
+ for_each = var.enable_s3_sns ? local.additional_s3_sqs_names : toset([])
+ protocol = "sqs"
+ topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null
+ endpoint = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].arn : null
+}
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
index 0b1aa7c..026f5cd 100644
--- a/cloudtrail/s3.tf
+++ b/cloudtrail/s3.tf
@@ -17,6 +17,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" { kms_master_key_id = var.kms_key_arn sse_algorithm = "aws:kms" } + bucket_key_enabled = true + } + } 
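Review bot: Both `aws_iam_policy_document` blocks in additional-sqs.s3.tf grant `sqs:SendMessage` to the wildcard principal `AWS = ["*"]` and rely solely on the `aws:SourceArn` condition to keep other senders out; for an SNS-to-SQS subscription the tighter form is `principals { type = "Service" identifiers = ["sns.amazonaws.com"] }` with the same `aws:SourceArn` condition, so a later edit to the condition cannot silently open the queue to everyone. When `enable_s3_sqs` is set but `enable_s3_sns` is not, the `ArnEquals` value becomes the empty string, so the policy is either rejected by SQS or never matches; gating the queues on both flags, as `aws_sns_topic_subscription.cloudtrail_s3_sqs` in sqs.s3.tf already does, avoids creating queues nothing can publish to. The primary queue's `message_retention_seconds` also reads `local._defaults["sqs_deadletter"]`, which looks copied from the dead-letter block; if `_defaults` carries a key for the primary queue (not visible in this diff) it should presumably be used here.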
@@ -103,3 +104,15 @@ resource "null_resource" "policy_delay" {
 }
 }
+
+resource "aws_s3_bucket_notification" "this" {
+ count = var.enable_s3_sns ? 1 : 0
+ bucket = aws_s3_bucket.this.id
+
+ topic {
+ topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3.arn : null
+ events = ["s3:ObjectCreated:*"]
+ # filter_suffix = ".log"
+ }
+}
+
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
new file mode 100644
index 0000000..e11f316
--- /dev/null
+++ b/cloudtrail/sns.s3.tf
@@ -0,0 +1,56 @@
+resource "aws_sns_topic" "cloudtrail_s3" {
+ count = var.enable_s3_sns ? 1 : 0
+ name = local.name
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ Name = local.name }),
+ )
+}
+
+resource "aws_sns_topic_policy" "cloudtrail_s3" {
+ count = var.enable_s3_sns ? 1 : 0
+ arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null
+ policy = data.aws_iam_policy_document.cloudtrail_s3_topic.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3_topic" {
+ policy_id = format("%v_s3_topic", local.name)
+ statement {
+ sid = "CloudtrailS3SNSPermissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "sns:Subscribe",
+ "sns:SetTopicAttributes",
+ "sns:RemovePermission",
+ "sns:Receive",
+ "sns:Publish",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:DeleteTopic",
+ "sns:AddPermission",
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "AWS:SourceOwner"
+ values = [local.account_id]
+ }
+ resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ statement {
+ sid = "CloudTrailSNSPolicy"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ actions = ["sns:Publish"]
+ resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+}
diff --git a/cloudtrail/sqs.s3.tf b/cloudtrail/sqs.s3.tf
new file mode 100644
index 0000000..d7241d9
--- /dev/null 
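Review bot: `topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3.arn : null` in the new `aws_s3_bucket_notification.this` references a resource declared with `count` without an instance index, which Terraform rejects with a missing-instance-key error; every other reference in this commit indexes it, and since the block is already gated by `count = var.enable_s3_sns ? 1 : 0` the conditional is redundant: `topic_arn = aws_sns_topic.cloudtrail_s3[0].arn`. S3 validates the destination when the notification is created, so this resource should also be ordered after the topic policy rather than only the topic, e.g. `depends_on = [aws_sns_topic_policy.cloudtrail_s3]`; that policy (sns.s3.tf in this same commit) has no statement for the `s3.amazonaws.com` service principal, which S3 event delivery presumably requires — verify against the applied policy. The topic is KMS-encrypted with `data.aws_kms_key.incoming_key`, whose key policy is outside this diff; it would need to let the S3 service principal call `kms:GenerateDataKey` and `kms:Decrypt` for notifications to be delivered at all.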
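Review bot: The `CloudTrailSNSPolicy` statement in `data.aws_iam_policy_document.cloudtrail_s3_topic` lets `cloudtrail.amazonaws.com` publish with no `aws:SourceArn`/`aws:SourceAccount` condition, the confused-deputy shape in which a trail in any account configured with this topic ARN can publish into it; this topic is fed by the bucket notification in s3.tf, not by a trail, so the statement appears to be carried over from the CloudTrail topic policy and should be dropped or rewritten for the real producer: `identifiers = ["s3.amazonaws.com"]` with `aws:SourceArn` equal to `aws_s3_bucket.this.arn` and `aws:SourceAccount` equal to `local.account_id`. The first statement grants `sns:DeleteTopic`, `sns:SetTopicAttributes`, `sns:AddPermission` and `sns:RemovePermission` to `AWS = ["*"]` gated only by `AWS:SourceOwner`, i.e. topic-administration rights to every principal in the account; the consumers created in this commit need only `sns:Subscribe`, `sns:Receive` and `sns:GetTopicAttributes`. `name = local.name` is the same expression used for the SQS queues in sqs.s3.tf, and if `aws_sns_topic.cloudtrail` (not in this diff) also uses it, enabling both `enable_sns` and `enable_s3_sns` in one region would collide on the topic name — cannot confirm from here.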
+++ b/cloudtrail/sqs.s3.tf 
@@ -0,0 +1,103 @@
+resource "aws_sqs_queue" "cloudtrail_s3_deadletter" {
+ count = var.enable_s3_sqs ? 1 : 0
+ # delay=0 retention=4d max=256k visibility=1h
+ name = format("%v-deadletter", local.name)
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+ # message_retention_seconds = 345600
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ Name = format("%v-deadletter", local.name) }),
+ )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_s3_deadletter" {
+ count = var.enable_s3_sqs ? 1 : 0
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3_deadletter[0].id : null
+ policy = data.aws_iam_policy_document.cloudtrail_s3_deadletter.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3_deadletter" {
+ # policy_id = "SQSDefaultPolicy"
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3_deadletter[0].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "cloudtrail_s3" {
+ count = var.enable_s3_sqs ? 1 : 0
+ # delay=0 retention=7d max=256k visibity=2h
+ name = local.name
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+ # message_retention_seconds = 604800
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 7200
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = var.enable_s3_sqs ? 
aws_sqs_queue.cloudtrail_s3_deadletter[0].arn : null
+ maxReceiveCount = 100
+ })
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ Name = local.name }),
+ )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_s3_sqs" {
+ count = var.enable_s3_sqs ? 1 : 0
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3[0].id : null
+ policy = data.aws_iam_policy_document.cloudtrail_s3_sqs.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3_sqs" {
+ # policy_id = "SQSDefaultPolicy"
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3[0].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sns_topic_subscription" "cloudtrail_s3_sqs" {
+ count = var.enable_s3_sqs && var.enable_s3_sns ? 1 : 0
+ protocol = "sqs"
+ topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null
+ endpoint = var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3[0].arn : null
+}
diff --git a/cloudtrail/variables.tf b/cloudtrail/variables.tf
index d317f0a..fc558cc 100644
--- a/cloudtrail/variables.tf
+++ b/cloudtrail/variables.tf 
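Review bot: Both `aws_iam_policy_document` blocks in sqs.s3.tf condition `aws:SourceArn` on `var.enable_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""`, which is the flag for the CloudTrail topic rather than `var.enable_s3_sns`; with `enable_s3_sqs` and `enable_s3_sns` set but `enable_sns` unset the condition value is `""` and SNS can never deliver to the queues, and with `enable_sns` set but `enable_s3_sns` unset the `[0]` index fails at plan time because `aws_sns_topic.cloudtrail_s3` has zero instances. The companion additional-sqs.s3.tf in this commit uses `var.enable_s3_sns` for the same condition; change both occurrences here to `values = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]`. As there, `principals { type = "Service" identifiers = ["sns.amazonaws.com"] }` is the tighter choice over `AWS = ["*"]` for a queue that only SNS should write to, and the primary queue's `message_retention_seconds` reads the `sqs_deadletter` defaults key, which looks copied from the dead-letter block.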
@@ -89,3 +89,21 @@ variable "additional_sqs_names" {
 type = list(string)
 default = []
 }
+
+variable "enable_s3_sns" {
+ description = "Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket"
+ type = bool
+ default = false
+}
+
+variable "enable_s3_sqs" {
+ description = "Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket"
+ type = bool
+ default = false
+}
+
+variable "additional_s3_sqs_names" {
+ description = "List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled)"
+ type = list(string)
+ default = []
+}