Motivation
When the module receives these two variable values:
- s3_bucket_arn == ""
- eventbridge_enabled == true
the module creates a new S3 bucket to store the CloudTrail logs and names it with this structure:
"${var.prefix}-cloudtrail-${account_id}-${random_suffix}"
This is not recommended: CloudTrail logs cover the whole account, not only Secrets Manager, so the trail bucket should not be created implicitly by (or named after) a Secrets Manager module.
Implementation approach
- Add a new variable: allow_auto_create_cloudtrail_bucket (default: false).
- Add validation so that s3_bucket_arn is required when eventbridge_enabled = true, unless fallback is explicitly enabled.
- Gate all auto-created CloudTrail bucket resources behind this fallback flag.
- Use the fallback bucket name format:
  cloudtrail-<account_id>-<random_suffix>
- Update examples and README to document:
  - enterprise default behavior,
  - explicit fallback mode,
  - expected migration path for existing users.
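As an added illustration (not the module's own code), the following HCL shows one way to wire the three pieces together: the new flag, the validation that makes s3_bucket_arn mandatory for EventBridge unless the fallback is explicitly enabled, and the count-gating of the auto-created bucket with the proposed name format. The variable names match the issue; the resource names, the random_id suffix and the use of a cross-variable validation block (Terraform 1.9 or later) are assumptions.

```hcl
variable "eventbridge_enabled" {
  type    = bool
  default = false
}

variable "s3_bucket_arn" {
  description = "ARN of the customer-managed CloudTrail bucket. Required when eventbridge_enabled = true."
  type        = string
  default     = ""
}

variable "allow_auto_create_cloudtrail_bucket" {
  description = "Explicit opt-in: let the module create a CloudTrail bucket when no s3_bucket_arn is given."
  type        = bool
  default     = false

  # Enterprise default: EventBridge needs an existing, account-wide trail bucket.
  # Only when the fallback is explicitly enabled may s3_bucket_arn stay empty.
  # Cross-variable references in validation need Terraform >= 1.9 (assumption).
  validation {
    condition = (
      !var.eventbridge_enabled
      || var.s3_bucket_arn != ""
      || var.allow_auto_create_cloudtrail_bucket
    )
    error_message = "s3_bucket_arn is required when eventbridge_enabled = true, unless allow_auto_create_cloudtrail_bucket = true."
  }
}

data "aws_caller_identity" "current" {}

locals {
  # Every auto-created CloudTrail resource is gated behind this single flag.
  create_cloudtrail_bucket = (
    var.eventbridge_enabled
    && var.s3_bucket_arn == ""
    && var.allow_auto_create_cloudtrail_bucket
  )

  # The bucket the trail actually uses: the customer's or, in fallback mode, ours.
  cloudtrail_bucket_arn = coalesce(
    one(aws_s3_bucket.cloudtrail[*].arn),
    var.s3_bucket_arn,
  )
}

# Random suffix only exists in fallback mode (assumed helper resource).
resource "random_id" "cloudtrail_suffix" {
  count       = local.create_cloudtrail_bucket ? 1 : 0
  byte_length = 4
}

# Fallback bucket, named cloudtrail-<account_id>-<random_suffix> without var.prefix,
# since the trail is account-wide rather than specific to this module.
resource "aws_s3_bucket" "cloudtrail" {
  count  = local.create_cloudtrail_bucket ? 1 : 0
  bucket = "cloudtrail-${data.aws_caller_identity.current.account_id}-${random_id.cloudtrail_suffix[0].hex}"
}

resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  count                   = local.create_cloudtrail_bucket ? 1 : 0
  bucket                  = aws_s3_bucket.cloudtrail[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

With this layout the default (`allow_auto_create_cloudtrail_bucket = false`) fails at plan time with a clear message if `eventbridge_enabled = true` and no bucket ARN is supplied, so existing users who relied on the implicit bucket see exactly which flag to set during migration instead of silently getting a second, differently named bucket.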
Acceptance criteria
- Docs/examples are aligned with the new default behavior.