terraform-aws-control_tower_account_factory

Apply log_archive_bucket_object_expiration_days to current versions as well

Open · markvankessel opened this issue 1 year ago · 1 comment

I would like all objects in the log archive bucket, current or non-current, to expire after a configurable time. Since 1.12.0 it is possible to configure log_archive_bucket_object_expiration_days, but this only applies to non-current versions.

For compliance reasons, we need to ensure log archives are stored no more and no less than a defined number of years. Right now, the CloudTrail created by AFT stores its logs indefinitely, even if you configure log_archive_bucket_object_expiration_days, because the S3 lifecycle rule only applies to noncurrent_version_expiration and CloudTrail does not actually update objects. See s3.tf.

I would propose to apply log_archive_bucket_object_expiration_days to expiration as well.

markvankessel, Feb 15 '24 09:02
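The lifecycle behaviour the issue describes, as an added illustration that is not the project's s3.tf: a rule carrying only `noncurrent_version_expiration` never deletes anything CloudTrail writes, because CloudTrail creates each log object once and never overwrites it, so no version ever becomes noncurrent. Adding an `expiration` block driven by the same variable retires current objects on the same schedule. The bucket resource name and the variable default are assumptions.

```hcl
# Retention period shared by current and noncurrent versions.
variable "log_archive_bucket_object_expiration_days" {
  type    = number
  default = 365 # assumed default for this illustration
}

resource "aws_s3_bucket_lifecycle_configuration" "log_archive" {
  bucket = aws_s3_bucket.log_archive.id # hypothetical bucket resource

  rule {
    id     = "expire-log-archive-objects"
    status = "Enabled"

    # Empty filter: apply the rule to every object in the bucket.
    filter {}

    # Existing behaviour: only versions that have been superseded
    # are aged out. CloudTrail never overwrites a delivered log
    # object, so on its own this block retires nothing.
    noncurrent_version_expiration {
      noncurrent_days = var.log_archive_bucket_object_expiration_days
    }

    # Proposed addition: also expire the current version of each
    # object after the same number of days, so CloudTrail logs are
    # kept for exactly the configured retention period.
    expiration {
      days = var.log_archive_bucket_object_expiration_days
    }
  }
}
```

After applying, `aws s3api get-bucket-lifecycle-configuration --bucket <bucket-name>` should show both `Expiration` and `NoncurrentVersionExpiration` on the rule; a rule with only the latter is the condition the issue reports.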

Hey @markvankessel! Thank you for bringing this to our attention! I have created an item in our backlog to review this request!

hanafya, Feb 22 '24 21:02