diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4932876..abe0c6c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -387,3 +387,7 @@
 - s3-flow-logs
 - add aws_s3_bucket_lifecycle_configuration (delete vpc*/ after 900 days)
 - add aws_s3_bucket_intelligent_tiering_configuration (archive 180, deep archive 365)
+
+* 2.9.1 -- 2024-12-26
+ - cloudtrail
+ - move managed_policy_arns to aws_iam_role_policy_attachment due to deprecation
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index 0128c05..2407a80 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -378,6 +378,7 @@ No modules.
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
@@ -442,7 +443,7 @@ No modules.
 | [additional\_s3\_sqs\_names](#input\_additional\_s3\_sqs\_names) | List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled) | `list(string)` | `[]` | no |
 | [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
 | [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
-| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no |
 | [create\_cloudtrail](#input\_create\_cloudtrail) | Flag to enable or disable creation of cloudtrail | `bool` | `true` | no |
 | [enable\_cloudwatch\_logs](#input\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs for this CloudTrail | `bool` | `true` | no |
 | [enable\_logging](#input\_enable\_logging) | Enable CloudTrail logging. This is to be able to turn off a CloudTrail (like the objectlogging, which we are removing) | `bool` | `true` | no |
diff --git a/cloudtrail/cloudtrail.tf b/cloudtrail/cloudtrail.tf
index a4be1df..32708f2 100644
--- a/cloudtrail/cloudtrail.tf
+++ b/cloudtrail/cloudtrail.tf
@@ -43,9 +43,7 @@ resource "aws_iam_role" "cloudtrail" {
 description = "AWS CloudTrail Role for ${local.name}"
 force_detach_policies = false
 max_session_duration = 3600
- # add deny billing
- managed_policy_arns = try([aws_iam_policy.cloudtrail_policy[0].arn], null)
- path = "/"
+ path = "/"
 
 tags = merge(
 local.base_tags,
@@ -54,6 +52,12 @@ resource "aws_iam_role" "cloudtrail" {
 )
 }
 
+resource "aws_iam_role_policy_attachment" "cloudtrail" {
+ count = var.enable_cloudwatch_logs ? 1 : 0
+ role = try(aws_iam_role.cloudtrail[0].arn, null)
+ policy_arn = try([aws_iam_policy.cloudtrail_policy[0].arn], null)
+}
+
 data "aws_iam_policy_document" "cloudtrail_assume" {
 statement {
 sid = "AWSCloudTrailServiceAssumeRole"
@@ -72,7 +76,6 @@ resource "aws_iam_policy" "cloudtrail_policy" {
 policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
 }
 
-
 data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
 statement {
 sid = "AWSCloudTrailCreateLogStream"
diff --git a/common/version.tf b/common/version.tf
index 345aa6e..d5903b2 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.9.0"
+ _module_version = "2.9.1"
 }
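Review bot: In the new `aws_iam_role_policy_attachment.cloudtrail` block (second cloudtrail.tf hunk), `role` is given the role's ARN and `policy_arn` is wrapped in a list, but this resource takes the role name as a plain string and a single policy ARN as a string, so the plan fails on the list type and the API rejects an ARN as a role name instead of reproducing what `managed_policy_arns` did; the two lines should read `role = aws_iam_role.cloudtrail[0].name` and `policy_arn = aws_iam_policy.cloudtrail_policy[0].arn`. The `try(..., null)` wrappers add nothing here, since both arguments are required and the block's own `count` already stops evaluation when `var.enable_cloudwatch_logs` is false — which only holds if the role and policy are gated on the same condition, a detail outside the hunk. The first hunk also drops the `# add deny billing` comment; if that recorded an outstanding intent to narrow this role's permissions, it should be carried over to the new block rather than silently lost with the migration. Because `force_detach_policies` stays `false` and the provider may still carry the previously attached ARN in the role's state, the first plan after upgrading is worth checking to confirm the attachment is a no-op rather than a detach/re-attach of the CloudWatch policy.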