Terraform module for a lambda function that deletes default cloudtrail when an account is added to an AWS Organization

plus3it/terraform-aws-tardigrade-org-new-account-delete-cloudtrail

terraform-aws-tardigrade-org-new-account-delete-cloudtrail

A Terraform module to delete the default CloudTrail trail when new AWS accounts are created in, or invited to, an AWS Organization.

The Lambda function is triggered by an EventBridge rule that matches the CreateAccountResult or InviteAccountToOrganization events. For the account named in the event, the function assumes the configured role (assume_role_name), deletes the trail whose name starts with cloudtrail_name_prefix, and then empties and deletes the S3 bucket that trail was logging to. With dry_run left at its default of true the function only logs what it would delete. Deleting a trail stops the API audit logging it provided, so run in dry-run mode first and make sure another trail (typically an organization trail) already covers the new account before switching to a live run.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 4.9 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.9 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| project_name | Project name to prefix resources with | `string` | n/a | yes |
| assume_role_name | Name of the IAM role that the lambda will assume in the target account | `string` | `"OrganizationAccountAccessRole"` | no |
| cloudtrail_name_prefix | Name prefix of the CloudTrail trail to delete | `string` | `"cloudtrail-"` | no |
| dry_run | Boolean toggle to control the dry-run mode of the lambda function; nothing is deleted until this is set to `false` | `bool` | `true` | no |
| error_not_found | Raise an error if no trail matches the name prefix | `bool` | `true` | no |
| event_bus_name | Event bus name to create event rules in | `string` | `"default"` | no |
| event_types | Event types that will trigger this lambda | `set(string)` | `["CreateAccountResult", "InviteAccountToOrganization"]` | no |
| lambda | Object of optional attributes passed on to the lambda module (type below) | `object` | `{}` | no |
| log_level | Log level for the lambda | `string` | `"INFO"` | no |
| tags | Tags for resources | `map(string)` | `{}` | no |

The `lambda` input has the following type:

```hcl
object({
  artifacts_dir            = optional(string, "builds")
  build_in_docker          = optional(bool, false)
  create_package           = optional(bool, true)
  ephemeral_storage_size   = optional(number)
  ignore_source_code_hash  = optional(bool, true)
  local_existing_package   = optional(string)
  memory_size              = optional(number, 128)
  recreate_missing_package = optional(bool, false)
  runtime                  = optional(string, "python3.8")
  s3_bucket                = optional(string)
  s3_existing_package      = optional(map(string))
  s3_prefix                = optional(string)
  store_on_s3              = optional(bool, false)
  timeout                  = optional(number, 300)
})
```

Outputs

No outputs.

CLI Option

Steps to run via the CLI:

  1. Install and configure the AWS CLI.
  2. Set AWS_PROFILE and AWS_DEFAULT_REGION to a profile and region in an account that is allowed to assume the target-account role.
  3. Review the script options below and run the script.

Script Options

```text
usage: delete_default_cloudtrail.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME)

Supported Environment Variables:
    'LOG_LEVEL': defaults to 'info'
        - set the desired log level ('error', 'warning', 'info' or 'debug')

    'DRY_RUN': defaults to 'true'
        - set whether actions should be simulated or live
        - a value of 'true' (case insensitive) simulates; any other value deletes for real

    'CLOUDTRAIL_NAME_PREFIX': defaults to 'cloudtrail-'
        - sets the name prefix of the CloudTrail trail to delete

options:
  -h, --help            show this help message and exit

required arguments:
  --target-account-id TARGET_ACCOUNT_ID
                        Account number of the account whose default CloudTrail trail will be deleted

  --assume-role-arn ASSUME_ROLE_ARN
                        ARN of IAM role to assume in the target account (case sensitive)
  OR
  --assume-role-name ASSUME_ROLE_NAME
                        Name of IAM role to assume in the target account (case sensitive)
```
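The deletion flow described at the top of this README and the script options above, as an added worked example in Python (not the project's own Lambda or CLI code): it applies the documented DRY_RUN, CLOUDTRAIL_NAME_PREFIX and LOG_LEVEL defaults, pulls the new account id out of the triggering event, and deletes the prefix-matched trail together with its log bucket, honouring dry-run and error-not-found. The clients are duck-typed so the flow runs offline against constructed fakes; the method names and argument shapes follow the real boto3 CloudTrail and S3 clients, but the event field paths used to extract the account id, the fake clients and the sample trails are assumptions and constructed data, not taken from the page.

```python
"""Added example, not the project's own code. Method names and argument shapes
follow the real boto3 CloudTrail/S3 clients; the event field paths in
account_id_from_event are an ASSUMPTION about the Organizations event shape."""
import logging
import os

log = logging.getLogger("delete_default_cloudtrail")


def settings_from_env(environ=os.environ):
    """Mirror the documented env vars: DRY_RUN is live only when it is set to
    something other than 'true' (case-insensitive); prefix defaults to 'cloudtrail-'."""
    log.setLevel(environ.get("LOG_LEVEL", "info").upper())
    return {
        "dry_run": environ.get("DRY_RUN", "true").lower() == "true",
        "name_prefix": environ.get("CLOUDTRAIL_NAME_PREFIX", "cloudtrail-"),
    }


def account_id_from_event(event):
    """Pull the new account id out of the Organizations event (assumed field paths)."""
    detail = event["detail"]
    name = detail["eventName"]
    if name == "CreateAccountResult":
        return detail["serviceEventDetails"]["createAccountStatus"]["accountId"]
    if name == "InviteAccountToOrganization":
        return detail["requestParameters"]["target"]["id"]
    raise ValueError(f"unsupported event: {name}")


def empty_and_delete_bucket(s3, bucket):
    """Delete every object version and delete marker, then the bucket itself."""
    kwargs = {"Bucket": bucket}
    while True:
        page = s3.list_object_versions(**kwargs)
        objs = [{"Key": o["Key"], "VersionId": o["VersionId"]}
                for o in page.get("Versions", []) + page.get("DeleteMarkers", [])]
        for i in range(0, len(objs), 1000):  # delete_objects accepts at most 1000 keys
            s3.delete_objects(Bucket=bucket, Delete={"Objects": objs[i:i + 1000], "Quiet": True})
        if not page.get("IsTruncated"):
            break
        kwargs.update(KeyMarker=page["NextKeyMarker"], VersionIdMarker=page["NextVersionIdMarker"])
    s3.delete_bucket(Bucket=bucket)


def delete_default_cloudtrail(cloudtrail, s3, name_prefix, dry_run=True, error_not_found=True):
    """Delete trails whose name starts with name_prefix, plus their log buckets.
    Returns the (trail name, bucket) pairs acted on; in dry-run mode nothing is touched."""
    trails = cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]
    matches = [t for t in trails if t["Name"].startswith(name_prefix)]
    if not matches and error_not_found:
        raise LookupError(f"no trail name starts with {name_prefix!r}")
    acted = []
    for trail in matches:
        bucket = trail.get("S3BucketName")
        if dry_run:
            log.info("DRY RUN: would delete trail %s and bucket %s", trail["Name"], bucket)
        else:
            cloudtrail.delete_trail(Name=trail["TrailARN"])
            if bucket:
                empty_and_delete_bucket(s3, bucket)
        acted.append((trail["Name"], bucket))
    return acted


# --- constructed fakes and sample data (not real accounts) so the flow runs offline ---
class FakeCloudTrail:
    def __init__(self, trails):
        self.trails = list(trails)

    def describe_trails(self, includeShadowTrails=False):
        return {"trailList": list(self.trails)}

    def delete_trail(self, Name):
        self.trails = [t for t in self.trails if t["TrailARN"] != Name]


class FakeS3:
    def __init__(self, buckets):
        self.buckets = {b: list(objs) for b, objs in buckets.items()}

    def list_object_versions(self, Bucket, **_):
        return {"Versions": [{"Key": k, "VersionId": v} for k, v in self.buckets[Bucket]],
                "IsTruncated": False}

    def delete_objects(self, Bucket, Delete):
        gone = {(o["Key"], o["VersionId"]) for o in Delete["Objects"]}
        self.buckets[Bucket] = [kv for kv in self.buckets[Bucket] if kv not in gone]
        return {}

    def delete_bucket(self, Bucket):
        if self.buckets[Bucket]:  # S3 refuses to delete a non-empty bucket
            raise RuntimeError("BucketNotEmpty")
        del self.buckets[Bucket]


SAMPLE_EVENT = {"detail": {"eventName": "CreateAccountResult",
                           "serviceEventDetails": {"createAccountStatus": {"accountId": "111122223333"}}}}
SAMPLE_TRAILS = [
    {"Name": "cloudtrail-111122223333", "S3BucketName": "cloudtrail-logs-111122223333",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/cloudtrail-111122223333"},
    {"Name": "org-trail", "S3BucketName": "org-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
]

if __name__ == "__main__":
    logging.basicConfig()
    cfg = settings_from_env()
    ct = FakeCloudTrail(SAMPLE_TRAILS)
    s3 = FakeS3({"cloudtrail-logs-111122223333": [("a.json.gz", "v1")], "org-logs": []})
    print(account_id_from_event(SAMPLE_EVENT),
          delete_default_cloudtrail(ct, s3, cfg["name_prefix"], dry_run=cfg["dry_run"]))
```

Run as-is it behaves like the documented defaults (dry run, prefix `cloudtrail-`) and leaves the fake account untouched; export `DRY_RUN=false` to see the trail and its bucket removed while `org-trail` survives the prefix filter.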

Sample steps to execute in a venv

```bash
mkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
# pass either the role ARN or the role name, not both
python3 src/delete_default_cloudtrail.py --target-account-id=<TARGET ACCT ID> --assume-role-arn=<ROLE ARN TO ASSUME>
# or
python3 src/delete_default_cloudtrail.py --target-account-id=<TARGET ACCT ID> --assume-role-name=<ROLE NAME TO ASSUME>
deactivate
rm -rf vpc_env
```

The script runs in dry-run mode unless DRY_RUN=false is exported before the command above.
