* 2.9.1 -- 2024-12-26

- cloudtrail - move managed_policy_arns to aws_iam_role_policy_attachment due to deprecation
terraform-modules · Dec 26, 2024 · 6c82206 · 6c82206
1 parent 5ec56df
commit 6c82206
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -387,3 +387,7 @@
   - s3-flow-logs
     - add aws_s3_bucket_lifecycle_configuration (delete vpc*/ after 900 days)
     - add aws_s3_bucket_intelligent_tiering_configuration (archive 180, deep archive 365)
+
+* 2.9.1 -- 2024-12-26
+  - cloudtrail
+    - move managed_policy_arns to aws_iam_role_policy_attachment due to deprecation
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
@@ -378,6 +378,7 @@ No modules.
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
@@ -442,7 +443,7 @@ No modules.
 | <a name="input_additional_s3_sqs_names"></a> [additional\_s3\_sqs\_names](#input\_additional\_s3\_sqs\_names) | List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled) | `list(string)` | `[]` | no |
 | <a name="input_additional_sqs_names"></a> [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
-| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br/>  "ddb": {},<br/>  "kms": {},<br/>  "s3": {}<br/>}</pre> | no |
 | <a name="input_create_cloudtrail"></a> [create\_cloudtrail](#input\_create\_cloudtrail) | Flag to enable or disable creation of cloudtrail | `bool` | `true` | no |
 | <a name="input_enable_cloudwatch_logs"></a> [enable\_cloudwatch\_logs](#input\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs for this CloudTrail | `bool` | `true` | no |
 | <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Enable CloudTrail logging. This is to be able to turn off a CloudTrail (like the objectlogging, which we are removing) | `bool` | `true` | no |

diff --git a/cloudtrail/cloudtrail.tf b/cloudtrail/cloudtrail.tf
@@ -43,9 +43,7 @@ resource "aws_iam_role" "cloudtrail" {
   description           = "AWS CloudTrail Role for ${local.name}"
   force_detach_policies = false
   max_session_duration  = 3600
-  # add deny billing
-  managed_policy_arns = try([aws_iam_policy.cloudtrail_policy[0].arn], null)
-  path                = "/"
+  path                  = "/"
 
   tags = merge(
     local.base_tags,
@@ -54,6 +52,12 @@ resource "aws_iam_role" "cloudtrail" {
   )
 }
 
+resource "aws_iam_role_policy_attachment" "cloudtrail" {
+  count      = var.enable_cloudwatch_logs ? 1 : 0
+  role       = try(aws_iam_role.cloudtrail[0].arn, null)
+  policy_arn = try([aws_iam_policy.cloudtrail_policy[0].arn], null)
+}
+
 data "aws_iam_policy_document" "cloudtrail_assume" {
   statement {
     sid     = "AWSCloudTrailServiceAssumeRole"
@@ -72,7 +76,6 @@ resource "aws_iam_policy" "cloudtrail_policy" {
   policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
 }
 
-
 data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
   statement {
     sid       = "AWSCloudTrailCreateLogStream"

diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.9.0"
+  _module_version = "2.9.1"
 }