From af03366a368c128188200e394972737a53ef24a0 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 3 Sep 2024 16:58:40 +0100
Subject: [PATCH 1/3] use kms key for log group
---
 terraform/environment/dynamodb_cloudtrail.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/terraform/environment/dynamodb_cloudtrail.tf b/terraform/environment/dynamodb_cloudtrail.tf
index 867fcdaee4..898bce446c 100644
--- a/terraform/environment/dynamodb_cloudtrail.tf
+++ b/terraform/environment/dynamodb_cloudtrail.tf
@@ -8,10 +8,16 @@ data "aws_kms_alias" "cloudtrail" {
 provider = aws.eu_west_1
 }
+data "aws_kms_alias" "dynamodb_cloudtrail_log_group" {
+ name = "alias/${local.default_tags.application}_dynamodb_cloudtrail_log_group_encryption"
+ provider = aws.eu_west_1
+}
+
 resource "aws_cloudwatch_log_group" "cloudtrail_dynamodb" {
 count = local.environment.dynamodb.cloudtrail_enabled ? 1 : 0
 name = "/aws/cloudtrail/dynamodb-${local.default_tags.environment-name}"
 retention_in_days = 365
+ kms_key_id = data.aws_kms_alias.dynamodb_cloudtrail_log_group.target_key_arn
 provider = aws.eu_west_1
 }
From 1f7f4a8fda3072f6bd3644b143cf5cce86b7ee97 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 3 Sep 2024 17:00:35 +0100
Subject: [PATCH 2/3] enable cloudtrail for testing
---
 terraform/environment/terraform.tfvars.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index b3dc4cb8e0..4c6706cfeb 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -58,7 +58,7 @@
 "dynamodb": {
 "table_name": "Lpas",
 "region_replica_enabled": false,
- "cloudtrail_enabled": false
+ "cloudtrail_enabled": true
 },
 "ecs": {
 "fargate_spot_capacity_provider_enabled": true
From 2e7449f5e52dd887b8f48614cbc60b4ade0e12cb Mon Sep 17 00:00:00 2001
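Review bot: The new `data "aws_kms_alias" "dynamodb_cloudtrail_log_group"` block is evaluated unconditionally, while the log group that consumes it is gated by `count = local.environment.dynamodb.cloudtrail_enabled ? 1 : 0`, so any environment whose account does not yet carry that alias fails at plan time even with CloudTrail disabled. Gating the lookup the same way keeps disabled environments planable: add `count = local.environment.dynamodb.cloudtrail_enabled ? 1 : 0` to the data block and reference it as `kms_key_id = data.aws_kms_alias.dynamodb_cloudtrail_log_group[0].target_key_arn`. The key behind the alias is managed outside this diff; creating the encrypted log group and having CloudTrail deliver into it presumably depends on that key's policy allowing the CloudWatch Logs service principal for eu-west-1 to use it, which cannot be confirmed here, so a one-line comment on the data block naming where the key and its policy live would help the next reader. Nothing ties the alias string to an existing key, so a misspelled alias surfaces only as a not-found error at plan time.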
From: Andrew Pearce
Date: Tue, 3 Sep 2024 17:50:41 +0100
Subject: [PATCH 3/3] don't enable cloudtrail by default
---
 terraform/environment/terraform.tfvars.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index 4c6706cfeb..b3dc4cb8e0 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -58,7 +58,7 @@
 "dynamodb": {
 "table_name": "Lpas",
 "region_replica_enabled": false,
- "cloudtrail_enabled": true
+ "cloudtrail_enabled": false
 },
 "ecs": {
 "fargate_spot_capacity_provider_enabled": true
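Review bot: Patch 3/3 restores `"cloudtrail_enabled": false`, and its `index 4c6706cfeb..b3dc4cb8e0` is the exact reverse of patch 2/3's `index b3dc4cb8e0..4c6706cfeb`, so terraform.tfvars.json ends the series byte-identical to where it started and only patch 1/3 changes the repository. Squashing or dropping patches 2 and 3 avoids recording a commit in which DynamoDB data-event logging for the Lpas table was switched on by default, which is otherwise easy to misread during an audit of when the trail was active. If some environments are meant to enable it, that override is not in this hunk and should be reviewed where it lives.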