terraform-aws-tardigrade-org-new-account-delete-cloudtrail

A Terraform module to delete the default cloudtrail when new AWS accounts are added or invited to an AWS Organization.

The Lambda function is triggered for the account by an Event Rule that matches the CreateAccountResult or InviteAccountToOrganization events. The function then deletes the default cloudtrail and s3 objects and buckets for that account.

Requirements

Name	Version
terraform	>= 1.3
aws	>= 4.9

Providers

Name	Version
aws	>= 4.9

Resources

Name	Type
aws_iam_policy_document.lambda	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
project_name	Project name to prefix resources with	string	n/a	yes
assume_role_name	Name of the IAM role that the lambda will assume in the target account	string	"OrganizationAccountAccessRole"	no
cloudtrail_name_prefix	Name Prefix of the cloudtrail name to delete	string	"cloudtrail-"	no
dry_run	Boolean toggle to control the dry-run mode of the lambda function	bool	true	no
error_not_found	Error if the cloudtrail name/pattern is not found	bool	true	no
event_bus_name	Event bus name to create event rules in	string	"default"	no
event_types	Event types that will trigger this lambda	set(string)	[ "CreateAccountResult", "InviteAccountToOrganization" ]	no
lambda	Object of optional attributes passed on to the lambda module	object({ artifacts_dir = optional(string, "builds") build_in_docker = optional(bool, false) create_package = optional(bool, true) ephemeral_storage_size = optional(number) ignore_source_code_hash = optional(bool, true) local_existing_package = optional(string) memory_size = optional(number, 128) recreate_missing_package = optional(bool, false) runtime = optional(string, "python3.8") s3_bucket = optional(string) s3_existing_package = optional(map(string)) s3_prefix = optional(string) store_on_s3 = optional(bool, false) timeout = optional(number, 300) })	{}	no
log_level	Log level for lambda	string	"INFO"	no
tags	Tags for resource	map(string)	{}	no

Outputs

No outputs.

CLI Option

Steps to run via the CLI

1. Install and configure aws cli.
2. Set AWS_PROFILE and AWS_DEFAULT_REGION (account and region that can assume the role and run commands from)
3. Review the options for the script and run

Script Options

Supported Environment Variables:
    'LOG_LEVEL': defaults to 'info'
        - set the desired log level ('error', 'warning', 'info' or 'debug')

    'DRY_RUN': defaults to 'true'
        - set whether actions should be simulated or live
        - value of 'true' (case insensitive) will be simulated.

    'CLOUDTRAIL_NAME_PREFIX': defaults to 'cloudtrail-'
        -sets the name of the cloudtrail to delete.

options:
  -h, --help            show this help message and exit

required arguments:
  --target-account-id TARGET_ACCOUNT_ID
                        Account number to delete default VPC resources in

  --assume-role-arn ASSUME_ROLE_ARN
                        ARN of IAM role to assume in the target account (case sensitive)
  OR
  --assume-role-name ASSUME_ROLE_NAME
                        Name of IAM role to assume in the target account (case sensitive)

usage: delete_default_cloudtrail.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME)

Sample steps to execute in venv

mkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
python3 src/delete_default_cloudtrail.py --target-account-id=<TARGET ACCT ID> (--assume-role-arn=<ROLE ARN TO ASSUME> | --assume-role-name=<ROLE NAME TO ASSUME>)
deactivate
rm -rf vpc_env