* 2.6.0 -- 2024-07-09

  - cloudtrail
    - add variable enable_organization_s3_objectlogging, when usewd with enable_organization, to do data events

CHANGELOG.md

@@ -362,3 +362,7 @@
 * 2.5.8 -- 2024-07-01
   - s3-access-logs
     - update policy to match documentation, add nlb-logs/* 
+
+* 2.6.0 -- 2024-07-09
+  - cloudtrail
+    - add variable enable_organization_s3_objectlogging, when usewd with enable_organization, to do data events

cloudtrail/README.md

@@ -445,7 +445,8 @@ No modules.
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_create_cloudtrail"></a> [create\_cloudtrail](#input\_create\_cloudtrail) | Flag to enable or disable creation of cloudtrail | `bool` | `true` | no |
 | <a name="input_enable_cloudwatch_logs"></a> [enable\_cloudwatch\_logs](#input\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs for this CloudTrail | `bool` | `true` | no |
-| <a name="input_enable_organization"></a> [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master account | `bool` | `false` | no |
+| <a name="input_enable_organization"></a> [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master or delegated account | `bool` | `false` | no |
+| <a name="input_enable_organization_s3_objectlogging"></a> [enable\_organization\_s3\_objectlogging](#input\_enable\_organization\_s3\_objectlogging) | Enable CloudTrail organization trail S3 data events | `bool` | `false` | no |
 | <a name="input_enable_s3_sns"></a> [enable\_s3\_sns](#input\_enable\_s3\_sns) | Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket | `bool` | `false` | no |
 | <a name="input_enable_s3_sqs"></a> [enable\_s3\_sqs](#input\_enable\_s3\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket | `bool` | `false` | no |
 | <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |

cloudtrail/cloudtrail.tf

@@ -13,6 +13,21 @@ resource "aws_cloudtrail" "this" {
   cloud_watch_logs_role_arn     = var.enable_cloudwatch_logs ? aws_iam_role.cloudtrail[0].arn : null
   is_organization_trail         = var.enable_organization
 
+  dynamic "event_selector" {
+    for_each = var.enable_organization && var.enable_organization_s3_objectlogging ? toset(["s3"]) : toset([])
+    iterator = e
+
+    content {
+      read_write_type           = "All"
+      include_management_events = true
+
+      data_resource {
+        type   = "AWS::S3::Object"
+        values = [format("arn:%v:s3", data.aws_arn.current.partition)]
+      }
+    }
+  }
+
   tags = merge(
     local.base_tags,
     var.tags,

cloudtrail/variables.tf

@@ -73,7 +73,13 @@ variable "component_tags" {
 }
 
 variable "enable_organization" {
-  description = "Enable CloudTrail as an organization trail. This will only work in the organization master account"
+  description = "Enable CloudTrail as an organization trail. This will only work in the organization master or delegated account"
+  type        = bool
+  default     = false
+}
+
+variable "enable_organization_s3_objectlogging" {
+  description = "Enable CloudTrail organization trail S3 data events"
   type        = bool
   default     = false
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.5.8"
+  _module_version = "2.6.0"
 }