feat: Epose s3 log retention (#130)

Author: hayk99

examples/organizational/README.md

@@ -183,6 +183,7 @@ $ terraform apply
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
+| <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_benchmark_organizational"></a> [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul> | `bool` | `true` | no |

examples/organizational/cloudtrail.tf

@@ -16,8 +16,9 @@ module "cloudtrail" {
     sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
     organizational_role_per_account           = var.organizational_member_default_admin_role
   }
-  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable = var.cloudtrail_kms_enable
+  is_multi_region_trail     = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable     = var.cloudtrail_kms_enable
+  s3_bucket_expiration_days = var.cloudtrail_s3_bucket_expiration_days
 
   tags = var.tags
 }

examples/organizational/variables.tf

@@ -40,6 +40,11 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether the created cloudtrail should deliver encrypted events to s3"
 }
 
+variable "cloudtrail_s3_bucket_expiration_days" {
+  type        = number
+  default     = 5
+  description = "Number of days that the logs will persist in the bucket"
+}
 
 variable "existing_cloudtrail_config" {
   type = object({

examples/single-account-ecs/README.md

@@ -99,6 +99,7 @@ $ terraform apply
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
+| <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |

examples/single-account-ecs/cloudtrail.tf

@@ -4,12 +4,13 @@ locals {
 }
 
 module "cloudtrail" {
-  count                 = local.cloudtrail_deploy ? 1 : 0
-  source                = "../../modules/infrastructure/cloudtrail"
-  name                  = var.name
-  is_organizational     = false
-  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable = var.cloudtrail_kms_enable
+  count                     = local.cloudtrail_deploy ? 1 : 0
+  source                    = "../../modules/infrastructure/cloudtrail"
+  name                      = var.name
+  is_organizational         = false
+  is_multi_region_trail     = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable     = var.cloudtrail_kms_enable
+  s3_bucket_expiration_days = var.cloudtrail_s3_bucket_expiration_days
 
   tags = var.tags
 }

examples/single-account-ecs/variables.tf

@@ -26,7 +26,11 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
 }
 
-
+variable "cloudtrail_s3_bucket_expiration_days" {
+  type        = number
+  default     = 5
+  description = "Number of days that the logs will persist in the bucket"
+}
 #
 # ecs, security group,  vpc
 #