From 82a4186e049b19310a834eef4d9131f8676916e2 Mon Sep 17 00:00:00 2001
From: badra001 <donald.e.badrak.ii@census.gov>
Date: Mon, 15 Nov 2021 13:10:29 -0500
Subject: [PATCH] add files (initial)

---
 cloudtrail/README.md              |  97 ++++++++
 cloudtrail/TODO                   |  10 +
 cloudtrail/base_tags.tf           |   1 +
 cloudtrail/cloudtrail.tf.off      |  20 ++
 cloudtrail/data.policies.tf       |  31 +++
 cloudtrail/data.tf                |   1 +
 cloudtrail/defaults.tf            |   1 +
 cloudtrail/edl.cloudtrail.sns.txt | 179 +++++++++++++++
 cloudtrail/edl.cloudtrail.txt     | 342 +++++++++++++++++++++++++++++
 cloudtrail/main.tf                | 174 +++++++++++++++
 cloudtrail/prefixes.tf            |   1 +
 cloudtrail/role.tf                | 141 ++++++++++++
 cloudtrail/s3.tf2                 |  57 +++++
 cloudtrail/stuff                  | 353 ++++++++++++++++++++++++++++++
 cloudtrail/variables.common.tf    |   1 +
 cloudtrail/variables.tf           |  69 ++++++
 cloudtrail/version.tf             |   1 +
 17 files changed, 1479 insertions(+)
 create mode 100644 cloudtrail/README.md
 create mode 100644 cloudtrail/TODO
 create mode 120000 cloudtrail/base_tags.tf
 create mode 100644 cloudtrail/cloudtrail.tf.off
 create mode 100644 cloudtrail/data.policies.tf
 create mode 120000 cloudtrail/data.tf
 create mode 120000 cloudtrail/defaults.tf
 create mode 100644 cloudtrail/edl.cloudtrail.sns.txt
 create mode 100644 cloudtrail/edl.cloudtrail.txt
 create mode 100644 cloudtrail/main.tf
 create mode 120000 cloudtrail/prefixes.tf
 create mode 100644 cloudtrail/role.tf
 create mode 100644 cloudtrail/s3.tf2
 create mode 100644 cloudtrail/stuff
 create mode 120000 cloudtrail/variables.common.tf
 create mode 100644 cloudtrail/variables.tf
 create mode 120000 cloudtrail/version.tf

diff --git a/cloudtrail/README.md b/cloudtrail/README.md
new file mode 100644
index 0000000..a5f32ab
--- /dev/null
+++ b/cloudtrail/README.md
@@ -0,0 +1,97 @@
+# aws-inf-setup :: cloudtrail
+
+This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail,
+cloudwatch log groups, and associated permissions.  It also generates a splunk configuration to be used
+for pulling cloudtrail events.
+
+* S3 bucket
+* S3 bucket policy
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "cloudtrail" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+
+  # account_alias         = "do2-govcloud"
+  name = "mycloudtrail"
+  access_log_bucket = "myaccesslogbucket"
+  kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ]
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "cloudtrail_full" {
+
+  # logs is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudtrail.trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.inf-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kms_key.cloudtrail_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_log_bucket"></a> [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes |
+| <a name="input_access_log_bucket_prefix"></a> [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |
+| <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no |
+| <a name="input_kms_key_management_identifiers"></a> [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
diff --git a/cloudtrail/TODO b/cloudtrail/TODO
new file mode 100644
index 0000000..adc6571
--- /dev/null
+++ b/cloudtrail/TODO
@@ -0,0 +1,10 @@
+- cloudtrail
+- cloudtrail key
+- cloudwatch log stream
+- s3 bucket
+- s3 bucket policy
+- iam role
+- sqs
+- sns
+
+
diff --git a/cloudtrail/base_tags.tf b/cloudtrail/base_tags.tf
new file mode 120000
index 0000000..91c15aa
--- /dev/null
+++ b/cloudtrail/base_tags.tf
@@ -0,0 +1 @@
+../common/base_tags.tf
\ No newline at end of file
diff --git a/cloudtrail/cloudtrail.tf.off b/cloudtrail/cloudtrail.tf.off
new file mode 100644
index 0000000..2614c6e
--- /dev/null
+++ b/cloudtrail/cloudtrail.tf.off
@@ -0,0 +1,20 @@
+
+#---
+# cloudtrail, with encryption
+#---
+resource "aws_cloudtrail" "this" {
+  name                          = local.name
+  s3_bucket_name                = aws_s3_bucket.this.id
+  s3_key_prefix                 = var.cloudtrail_bucket_prefix
+  include_global_service_events = false
+  is_multi_region_trail         = false
+  kms_key_id                    = aws_kms_key.key.arn
+  enable_log_file_validation    = true
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.name },
+  )
+  depends_on = [aws_s3_bucket_policy.policy]
+}
diff --git a/cloudtrail/data.policies.tf b/cloudtrail/data.policies.tf
new file mode 100644
index 0000000..e092555
--- /dev/null
+++ b/cloudtrail/data.policies.tf
@@ -0,0 +1,31 @@
+data "aws_iam_policy_document" "cloudtrail_s3" {
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.cloudtrail.arn}/*"]
+    actions   = ["s3:PutObject"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailAclCheck"
+    effect    = "Allow"
+    resources = [aws_s3_bucket.cloudtrail.arn]
+    actions   = ["s3:GetBucketAcl"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
diff --git a/cloudtrail/data.tf b/cloudtrail/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/cloudtrail/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/cloudtrail/defaults.tf b/cloudtrail/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/cloudtrail/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/cloudtrail/edl.cloudtrail.sns.txt b/cloudtrail/edl.cloudtrail.sns.txt
new file mode 100644
index 0000000..381f530
--- /dev/null
+++ b/cloudtrail/edl.cloudtrail.sns.txt
@@ -0,0 +1,179 @@
+#---
+# sns: cloudtrail, one global one (us-gov-east-1)
+#---
+resource "aws_sns_topic" "cloudtrail" {
+  name         = "inf-cloudtrail"
+  display_name = "DO3MA3GC"
+}
+
+resource "aws_sns_topic_policy" "cloudtrail" {
+  arn    = aws_sns_topic.cloudtrail.arn
+  policy = data.aws_iam_policy_document.cloudtrail_topic.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_topic" {
+  policy_id = "inf-cloudtrail_topic"
+
+  statement {
+    sid    = "CloudtrailSNSPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sns:Subscribe",
+      "sns:SetTopicAttributes",
+      "sns:RemovePermission",
+      "sns:Receive",
+      "sns:Publish",
+      "sns:ListSubscriptionsByTopic",
+      "sns:GetTopicAttributes",
+      "sns:DeleteTopic",
+      "sns:AddPermission",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = [var.account_id]
+    }
+
+    resources = [aws_sns_topic.cloudtrail.arn]
+  }
+
+  statement {
+    sid    = "CloudTrailSNSPolicy"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["sns:Publish"]
+    resources = [aws_sns_topic.cloudtrail.arn]
+  }
+}
+
+
+#---
+# sqs (from splunk)
+#---
+# one per region we are using
+#---
+# cloudtrail
+#---
+resource "aws_sqs_queue" "cloudtrail_deadletter" {
+  # delay=0 retention=4d max=256k visibility=1h
+  count                      = length(var.regions)
+  name                       = "inf-cloudtrail-${var.regions[count.index]}-deadletter"
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-${var.regions[count.index]}-deadletter"),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_deadletter" {
+  count     = length(var.regions)
+  queue_url = aws_sqs_queue.cloudtrail_deadletter[count.index].id
+  policy    = data.aws_iam_policy_document.cloudtrail_deadletter[count.index].json
+}
+
+data "aws_iam_policy_document" "cloudtrail_deadletter" {
+  count     = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail_deadletter[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "cloudtrail" {
+  # delay=0 retention=7d max=256k visibity=2h
+  count                      = length(var.regions)
+  name                       = "inf-cloudtrail-${var.regions[count.index]}"
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 604800
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 7200
+
+  redrive_policy = <<EOP
+{
+  "deadLetterTargetArn":"${aws_sqs_queue.cloudtrail_deadletter[count.index].arn}",
+  "maxReceiveCount":100
+}
+EOP
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-${var.regions[count.index]}"),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  queue_url = aws_sqs_queue.cloudtrail[count.index].id
+  policy    = data.aws_iam_policy_document.cloudtrail_sqs[count.index].json
+}
+
+data "aws_iam_policy_document" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  protocol  = "sqs"
+  topic_arn = aws_sns_topic.cloudtrail.arn
+  endpoint  = aws_sqs_queue.cloudtrail[count.index].arn
+}
diff --git a/cloudtrail/edl.cloudtrail.txt b/cloudtrail/edl.cloudtrail.txt
new file mode 100644
index 0000000..69dbd4a
--- /dev/null
+++ b/cloudtrail/edl.cloudtrail.txt
@@ -0,0 +1,342 @@
+#---
+# cloudtrail
+#---
+locals {
+  cloudwatch_prefix     = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
+  cloudwatch_suffix     = "${var.account_id}_CloudTrail_${var.region}*"
+  cloudwatch_resources  = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+  cloudtrail_policies   = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
+  cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
+}
+
+resource "aws_iam_role" "inf-cloudtrail" {
+  name                  = "r-inf-cloudtrail"
+  assume_role_policy    = data.aws_iam_policy_document.cloudtrail_assume.json
+  description           = "AWS CloudTrail CloudWatch Role"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  path                  = "/"
+}
+
+resource "aws_iam_policy" "inf-cloudtrail" {
+  name   = "p-inf-cloudtrail"
+  policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+resource "aws_iam_role_policy_attachment" "inf-cloudtrail" {
+  count      = length(local.cloudtrail_policies)
+  role       = aws_iam_role.inf-cloudtrail.name
+  policy_arn = local.cloudtrail_policies[count.index]
+}
+
+resource "aws_kms_key" "cloudtrail_key" {
+  description         = "encrypt inf-cloudtrail objects and streams"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.cloudtrail_key.json
+
+  tags = merge(
+    local.common_tags,
+    map("Name", var.kms_cloudtrail_key)
+  )
+}
+
+resource "aws_kms_alias" "cloudtrail_key" {
+  name          = "alias/${var.kms_cloudtrail_key}"
+  target_key_id = aws_kms_key.cloudtrail_key.key_id
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3" {
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    resources = ["${local.cloudtrail_bucket_arn}/*"]
+    actions   = ["s3:PutObject"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailAclCheck"
+    effect    = "Allow"
+    resources = [local.cloudtrail_bucket_arn]
+    actions   = ["s3:GetBucketAcl"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+#---
+# STS: sts cloudtrail assume
+#---
+data "aws_iam_policy_document" "cloudtrail_assume" {
+  statement {
+    sid     = "AWSCloudTrailServiceAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+# put cloud admin group(s) in this vs r-inf-cloud-admin
+data "aws_iam_policy_document" "cloudtrail_key" {
+  policy_id = "inf-cloudtrail KMS access"
+  statement {
+    sid       = "EnableIAMUserPermissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        data.aws_caller_identity.current.arn,
+        "arn:${data.aws_arn.current.partition}:iam::${var.account_id}:root",
+        "arn:${data.aws_arn.current.partition}:sts::${var.account_id}:assumed-role/r-inf-cloud-admin/${var.tag_creator}",
+      ]
+    }
+  }
+
+  statement {
+    sid       = "AllowCloudTrailEncryptLogs"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      #      identifiers = ["cloudtrail.amazonaws.com"]
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${var.region}.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+  #   statement {
+  #     sid    = "AllowCloudWatchEncryptLogs"
+  #     effect = "Allow"
+  #     actions   = ["kms:GenerateDataKey*"]
+  #     resources = ["*"]
+  # 
+  #     principals {
+  #       type        = "Service"
+  #       identifiers = ["log.${var.region}.amazonaws.com"]
+  #     }
+  # 
+  #     condition {
+  #       test     = "StringLike"
+  #       variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+  #       values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+  #     }
+  #   }
+
+  statement {
+    sid    = "AllowCloudTrailKeyActivities"
+    effect = "Allow"
+    actions = [
+      "kms:Describe*",
+      "log:AssociateKmsKey",
+      "log:DisassociateKmsKey"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${var.region}.amazonaws.com"]
+    }
+  }
+
+  #   statement {
+  #     sid    = "AllowCloudWatchDescribeKey"
+  #     effect = "Allow"
+  #     actions   = ["kms:Describe*"]
+  #     resources = ["*"]
+  # 
+  #     principals {
+  #       type        = "Service"
+  #       identifiers = ["logs.${var.region}.amazonaws.com"]
+  #     }
+  #   }
+
+  statement {
+    sid    = "AllowPrincipalsDecryptLogFiles"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = ["${var.account_id}"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "EnableCrossAccountDecryptLogFiles"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+
+  statement {
+    sid       = "AllowAliasCreationDuringSetup"
+    effect    = "Allow"
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["ec2.${var.region}.amazonaws.com}"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+  statement {
+    sid       = "AWSCloudTrailCreateLogStream"
+    effect    = "Allow"
+    actions   = ["logs:CreateLogStream"]
+    resources = [local.cloudwatch_resources]
+  }
+
+  statement {
+    sid       = "AWSCloudTrailPutLogEvents"
+    effect    = "Allow"
+    actions   = ["logs:PutLogEvents"]
+    resources = [local.cloudwatch_resources]
+  }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+  name           = "inf-cloudtrail"
+  s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+  #  s3_key_prefix = 
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  enable_log_file_validation    = true
+  enable_logging                = true
+
+  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  sns_topic_name             = aws_sns_topic.cloudtrail.arn
+  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
+  cloud_watch_logs_role_arn  = aws_iam_role.inf-cloudtrail.arn
+
+  tags = merge(
+    local.common_tags,
+ {
+    "Project Role" = local.project_role[ "inf"]     
+ },
+    map("Name", "inf-cloudtrail-cloudwatch"),
+  )
+}
+
+resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
+  name = "inf-cloudtrail"
+
+  #  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  retention_in_days = 7
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-cloudwatch-log"),
+  )
+}
+
+## # add this later after creating additional buckets for applications
+## # or, create an app-specific bucket for the cloudtrail logs
+## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
+##   name           = "inf-cloudtrail-s3"
+##   s3_bucket_name = aws_s3_bucket.cloudtrail.id
+##   s3_key_prefix = "inf-s3"
+## 
+##   include_global_service_events = true
+##   is_multi_region_trail         = true
+##   enable_log_file_validation    = true
+##   enable_logging                = true
+## 
+##   kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+## 
+##   tags = merge(
+##     local.common_tags,
+##     map("Name", "inf-cloudtrail-s3"),
+##   )
+## 
+##   event_selector { 
+##     read_write_type = "All"
+##     include_management_events = true
+## 
+##     data_resource {
+##       type = "AWS::S3::Object"
+##       values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
+##     }
+##   }
+## }
+## 
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
new file mode 100644
index 0000000..1157b2a
--- /dev/null
+++ b/cloudtrail/main.tf
@@ -0,0 +1,174 @@
+/*
+* # aws-inf-setup :: cloudtrail
+* 
+* This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail, 
+* cloudwatch log groups, and associated permissions.  It also generates a splunk configuration to be used
+* for pulling cloudtrail events.
+* 
+* * S3 bucket
+* * S3 bucket policy
+* 
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "cloudtrail" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+*
+*   # account_alias         = "do2-govcloud"
+*   name = "mycloudtrail"
+*   access_log_bucket = "myaccesslogbucket"
+*   kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ]
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built 
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "cloudtrail_full" {
+*
+*   # logs is generally not needed and not recommended
+*   component_tags        = {
+*     "s3" = {
+*       "SpecialTag1" = "something"
+*       "SpecialTag2" = "somethingElse"
+*     }
+*   }
+* }
+* ```
+*/
+
+#  key_name = (var.name != "" && var.name != null) ? var.name : local.name
+#  sns_name = local.name
+#  sqs_name = local.name
+#  role_name = local.name
+#  policy_name = local.name
+
+
+locals {
+  # basic details about the env
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  region              = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  partition           = data.aws_arn.current.partition
+
+  name                = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
+  kms_key_arn         = var.kms_key_arn
+  kms_key_name        = format("k-%v", local.name)
+  kms_admin_root      = format("arn:%v:iam::%v:root", local.partition, local.account_id)
+  kms_admin_roles     = compact(concat([local.kms_admin_root], var.kms_admin_roles))
+  kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+
+  bucket_name = var.name == null ? format("%v-%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.account_id, local.region) : var.name
+}
+
+
+resource "aws_cloudtrail" "trail" {
+  name                          = local.name
+  s3_bucket_name                = aws_s3_bucket.trail.id
+  s3_key_prefix                 = var.cloudtrail_bucket_prefix
+  include_global_service_events = rue
+  is_multi_region_trail         = false
+  kms_key_id                    = local.kms_key_arn
+  enable_log_file_validation    = true
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.name },
+  )
+  depends_on = [aws_s3_bucket_policy.policy]
+}
+
+
+resource "aws_s3_bucket" "trail" {
+  bucket        = local.bucket_name
+  acl           = "private"
+  force_destroy = false
+
+  logging {
+    target_bucket = var.access_log_bucket
+    target_prefix = format("%s/%s/", var.access_log_bucket_prefix, local.name)
+  }
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.name },
+  )
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = local.kms_key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+
+#---
+# bucket policy (apply also encryption key usage here?)
+# deny unencrypted uploads policy statement removed for default encryption
+#---
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid     = "AWSCloudTrailAclCheck"
+    effect  = "Allow"
+    actions = ["s3:GetBucketAcl"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    resources = [aws_s3_bucket.this.arn]
+  }
+  statement {
+    sid     = "AWSCloudTrailWrite"
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    resources = ["${aws_s3_bucket.this.arn}/${var.cloudtrail_bucket_prefix}/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+}
+
+#---
+# apply policy to bucket and public access block policy to bucket
+#---
+resource "aws_s3_bucket_policy" "policy" {
+  bucket     = aws_s3_bucket.this.bucket
+  policy     = data.aws_iam_policy_document.policy.json
+  depends_on = [null_resource.policy_delay]
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket                  = aws_s3_bucket.this.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+#---
+# 180s delay needed for bucket to create and policy to apply, before
+# creating a cloudtrail to point to it
+#---
+resource "null_resource" "policy_delay" {
+  triggers = {
+    bucket = aws_s3_bucket.this.id
+    #    policy = aws_s3_bucket_policy.policy.id
+  }
+  provisioner "local-exec" {
+    when    = create
+    command = "sleep 180"
+  }
+}
diff --git a/cloudtrail/prefixes.tf b/cloudtrail/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/cloudtrail/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/cloudtrail/role.tf b/cloudtrail/role.tf
new file mode 100644
index 0000000..c443d4e
--- /dev/null
+++ b/cloudtrail/role.tf
@@ -0,0 +1,141 @@
+locals {
+  cloudwatch_prefix     = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
+  cloudwatch_suffix     = "${var.account_id}_CloudTrail_${var.region}*"
+  cloudwatch_resources  = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+  cloudtrail_policies   = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
+  cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
+
+  cloudtrail_role_name   = format("%v%v", local._prefixes["role"], local.role_name)
+  cloudtrail_policy_name = format("%v%v", local._prefixes["policy"], local.role_name)
+
+}
+
+resource "aws_iam_role" "cloudtrail" {
+  name                  = local.cloudtrail_role_name
+  assume_role_policy    = data.aws_iam_policy_document.cloudtrail_assume.json
+  description           = "AWS CloudTrail Role for ${local.region}"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  # add deny billing
+  attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
+  path              = "/"
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+  )
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_assume" {
+  statement {
+    sid     = "AWSCloudTrailServiceAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cloudtrail_policy" {
+  name   = local.cloudtrail_policy_name
+  policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+resource "aws_kms_key" "cloudtrail_key" {
+  description         = "encrypt inf-cloudtrail objects and streams"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.cloudtrail_key.json
+
+  tags = merge(
+    local.common_tags,
+    map("Name", var.kms_cloudtrail_key)
+  )
+}
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+  statement {
+    sid       = "AWSCloudTrailCreateLogStream"
+    effect    = "Allow"
+    actions   = ["logs:CreateLogStream"]
+    resources = [local.cloudwatch_resources]
+  }
+
+  statement {
+    sid       = "AWSCloudTrailPutLogEvents"
+    effect    = "Allow"
+    actions   = ["logs:PutLogEvents"]
+    resources = [local.cloudwatch_resources]
+  }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+  name           = "inf-cloudtrail"
+  s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+  #  s3_key_prefix = 
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  enable_log_file_validation    = true
+  enable_logging                = true
+
+  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  sns_topic_name             = aws_sns_topic.cloudtrail.arn
+  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
+  cloud_watch_logs_role_arn  = aws_iam_role.inf-cloudtrail.arn
+
+  tags = merge(
+    local.common_tags,
+    {
+      "Project Role" = local.project_role["inf"]
+    },
+    map("Name", "inf-cloudtrail-cloudwatch"),
+  )
+}
+
+resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
+  name = "inf-cloudtrail"
+
+  #  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  retention_in_days = 7
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-cloudwatch-log"),
+  )
+}
+
+## # add this later after creating additional buckets for applications
+## # or, create an app-specific bucket for the cloudtrail logs
+## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
+##   name           = "inf-cloudtrail-s3"
+##   s3_bucket_name = aws_s3_bucket.cloudtrail.id
+##   s3_key_prefix = "inf-s3"
+## 
+##   include_global_service_events = true
+##   is_multi_region_trail         = true
+##   enable_log_file_validation    = true
+##   enable_logging                = true
+## 
+##   kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+## 
+##   tags = merge(
+##     local.common_tags,
+##     map("Name", "inf-cloudtrail-s3"),
+##   )
+## 
+##   event_selector { 
+##     read_write_type = "All"
+##     include_management_events = true
+## 
+##     data_resource {
+##       type = "AWS::S3::Object"
+##       values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
+##     }
+##   }
+## }
+## 
diff --git a/cloudtrail/s3.tf2 b/cloudtrail/s3.tf2
new file mode 100644
index 0000000..287b161
--- /dev/null
+++ b/cloudtrail/s3.tf2
@@ -0,0 +1,57 @@
+#---
+# s3
+#---
+resource "aws_s3_bucket" "cloudtrail" {
+  bucket = local.bucket_name
+  acl    = "private"
+
+  server_side_encryption_cloudtrailuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.cloudtrail_key.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  versioning {
+    enabled = false
+  }
+
+  logging {
+    target_bucket = aws_s3_bucket.logs.id
+    target_prefix = "s3/{local.cloudtrail_bucket}/"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes  = [tags["boc:tf_module_version"]]
+  }
+
+  # probably want some migration of old data to some other location
+  # like glacier
+
+  tags = merge(
+    var.tags,
+    local.base_tags,
+    lookup(var.component_tags, "s3", {}),
+    map("Name", local.bucket_name),
+  )
+
+  provisioner "local-exec" {
+    command = "sleep 30"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+  bucket                  = aws_s3_bucket.cloudtrail.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "cloudtrail" {
+  bucket = aws_s3_bucket.cloudtrail.id
+  policy = data.aws_iam_policy_document.cloudtrail_s3.json
+}
diff --git a/cloudtrail/stuff b/cloudtrail/stuff
new file mode 100644
index 0000000..438d5b0
--- /dev/null
+++ b/cloudtrail/stuff
@@ -0,0 +1,353 @@
+
+#---
+# cloudtrail
+#---
+locals {
+  cloudwatch_prefix     = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
+  cloudwatch_suffix     = "${var.account_id}_CloudTrail_${var.region}*"
+  cloudwatch_resources  = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+  cloudtrail_policies   = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
+  cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
+
+  cloudtrail_role_name = format("%v%v",local._prefixes["role"], local.role_name)
+  cloudtrail_policy_name = format("%v%v",local._prefixes["policy"], local.role_name)
+
+}
+
+resource "aws_iam_role" "cloudtrail" {
+  name                  = local.cloudtrail_role_name
+  assume_role_policy    = data.aws_iam_policy_document.cloudtrail_assume.json
+  description           = "AWS CloudTrail Role for ${local.region}"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  path                  = "/"
+
+ tags = merge(
+   local.base_tags,
+   var.tags,
+  )
+}
+
+resource "aws_iam_policy" "cloudtrail_policy {
+  name   = local.cloudtrail_policy_name
+  policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+resource "aws_iam_role_policy_attachment" "inf-cloudtrail" {
+  count      = length(local.cloudtrail_policies)
+  role       = aws_iam_role.inf-cloudtrail.name
+  policy_arn = local.cloudtrail_policies[count.index]
+}
+
+resource "aws_kms_key" "cloudtrail_key" {
+  description         = "encrypt inf-cloudtrail objects and streams"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.cloudtrail_key.json
+
+  tags = merge(
+    local.common_tags,
+    map("Name", var.kms_cloudtrail_key)
+  )
+}
+
+resource "aws_kms_alias" "cloudtrail_key" {
+  name          = "alias/${var.kms_cloudtrail_key}"
+  target_key_id = aws_kms_key.cloudtrail_key.key_id
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3" {
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    resources = ["${local.cloudtrail_bucket_arn}/*"]
+    actions   = ["s3:PutObject"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailAclCheck"
+    effect    = "Allow"
+    resources = [local.cloudtrail_bucket_arn]
+    actions   = ["s3:GetBucketAcl"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+#---
+# STS: sts cloudtrail assume
+#---
+data "aws_iam_policy_document" "cloudtrail_assume" {
+  statement {
+    sid     = "AWSCloudTrailServiceAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+# put cloud admin group(s) in this vs r-inf-cloud-admin
+data "aws_iam_policy_document" "cloudtrail_key" {
+  policy_id = "inf-cloudtrail KMS access"
+  statement {
+    sid       = "EnableIAMUserPermissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        data.aws_caller_identity.current.arn,
+        "arn:${data.aws_arn.current.partition}:iam::${var.account_id}:root",
+        "arn:${data.aws_arn.current.partition}:sts::${var.account_id}:assumed-role/r-inf-cloud-admin/${var.tag_creator}",
+      ]
+    }
+  }
+
+  statement {
+    sid       = "AllowCloudTrailEncryptLogs"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey*"]
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      #      identifiers = ["cloudtrail.amazonaws.com"]
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${var.region}.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+  #   statement {
+  #     sid    = "AllowCloudWatchEncryptLogs"
+  #     effect = "Allow"
+  #     actions   = ["kms:GenerateDataKey*"]
+  #     resources = ["*"]
+  # 
+  #     principals {
+  #       type        = "Service"
+  #       identifiers = ["log.${var.region}.amazonaws.com"]
+  #     }
+  # 
+  #     condition {
+  #       test     = "StringLike"
+  #       variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+  #       values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+  #     }
+  #   }
+
+  statement {
+    sid    = "AllowCloudTrailKeyActivities"
+    effect = "Allow"
+    actions = [
+      "kms:Describe*",
+      "log:AssociateKmsKey",
+      "log:DisassociateKmsKey"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${var.region}.amazonaws.com"]
+    }
+  }
+
+  #   statement {
+  #     sid    = "AllowCloudWatchDescribeKey"
+  #     effect = "Allow"
+  #     actions   = ["kms:Describe*"]
+  #     resources = ["*"]
+  # 
+  #     principals {
+  #       type        = "Service"
+  #       identifiers = ["logs.${var.region}.amazonaws.com"]
+  #     }
+  #   }
+
+  statement {
+    sid    = "AllowPrincipalsDecryptLogFiles"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = ["${var.account_id}"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+
+  statement {
+    sid    = "EnableCrossAccountDecryptLogFiles"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = ["arn:${data.aws_arn.current.partition}:cloudtrail:*:${var.account_id}:trail/*"]
+    }
+  }
+
+  statement {
+    sid       = "AllowAliasCreationDuringSetup"
+    effect    = "Allow"
+    actions   = ["kms:CreateAlias"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:CallerAccount"
+      values   = [var.account_id]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["ec2.${var.region}.amazonaws.com}"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+  statement {
+    sid       = "AWSCloudTrailCreateLogStream"
+    effect    = "Allow"
+    actions   = ["logs:CreateLogStream"]
+    resources = [local.cloudwatch_resources]
+  }
+
+  statement {
+    sid       = "AWSCloudTrailPutLogEvents"
+    effect    = "Allow"
+    actions   = ["logs:PutLogEvents"]
+    resources = [local.cloudwatch_resources]
+  }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+  name           = "inf-cloudtrail"
+  s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+  #  s3_key_prefix = 
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  enable_log_file_validation    = true
+  enable_logging                = true
+
+  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  sns_topic_name             = aws_sns_topic.cloudtrail.arn
+  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
+  cloud_watch_logs_role_arn  = aws_iam_role.inf-cloudtrail.arn
+
+  tags = merge(
+    local.common_tags,
+ {
+    "Project Role" = local.project_role[ "inf"]     
+ },
+    map("Name", "inf-cloudtrail-cloudwatch"),
+  )
+}
+
+resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
+  name = "inf-cloudtrail"
+
+  #  kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+  retention_in_days = 7
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-cloudwatch-log"),
+  )
+}
+
+## # add this later after creating additional buckets for applications
+## # or, create an app-specific bucket for the cloudtrail logs
+## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
+##   name           = "inf-cloudtrail-s3"
+##   s3_bucket_name = aws_s3_bucket.cloudtrail.id
+##   s3_key_prefix = "inf-s3"
+## 
+##   include_global_service_events = true
+##   is_multi_region_trail         = true
+##   enable_log_file_validation    = true
+##   enable_logging                = true
+## 
+##   kms_key_id                 = aws_kms_key.cloudtrail_key.arn
+## 
+##   tags = merge(
+##     local.common_tags,
+##     map("Name", "inf-cloudtrail-s3"),
+##   )
+## 
+##   event_selector { 
+##     read_write_type = "All"
+##     include_management_events = true
+## 
+##     data_resource {
+##       type = "AWS::S3::Object"
+##       values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
+##     }
+##   }
+## }
+## 
diff --git a/cloudtrail/variables.common.tf b/cloudtrail/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/cloudtrail/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/cloudtrail/variables.tf b/cloudtrail/variables.tf
new file mode 100644
index 0000000..b8cb955
--- /dev/null
+++ b/cloudtrail/variables.tf
@@ -0,0 +1,69 @@
+## variable "bucket_name" {
+##   description = "Cloudtrail S3 bucket name"
+##   type        = string
+##   default     = ""
+## }
+## 
+## variable "bucket_name_prefix" {
+##   description = "Cloudtrail S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."
+##   type        = string
+##   default     = ""
+## }
+
+# enable_sns
+# enable_sqs
+# name (default = inf-cloudtrail-{account}-{region})
+# cloudtrail_name (name)
+# log_bucket (existing bucket; if empty, will create one)
+# sns_name (name)
+# sqs_name (name)
+
+variable "name" {
+  description = "Name to apply to Cloudtrail, S3, SNS and SQS"
+  type        = string
+  default     = null
+}
+
+variable "cloudtrail_bucket_prefix" {
+  description = "Access log bucket prefix, to which the bucket name will be appended to make the target_prefix"
+  type        = string
+  default     = "cloudtrail"
+}
+
+# required
+variable "access_log_bucket" {
+  description = "Server Access Logging Bucket ID"
+  type        = string
+  #  default     = null
+}
+
+variable "access_log_bucket_prefix" {
+  description = "Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target_prefix"
+  type        = string
+  default     = "s3"
+}
+
+variable "kms_key_management_identifiers" {
+  description = "AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket"
+  type        = list(string)
+  default     = []
+}
+
+variable "enable_sns" {
+  description = "Flag to enable or disable the creation of SNS for Cloudtrail (TBD)"
+  type        = bool
+  default     = false
+}
+
+variable "enable_sqs" {
+  description = "Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD)"
+  type        = bool
+  default     = false
+}
+
+variable "component_tags" {
+  description = "Additional tags for Components (s3, kms, ddb)"
+  type        = map(map(string))
+  default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}
+
diff --git a/cloudtrail/version.tf b/cloudtrail/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/cloudtrail/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file