Steps to migrate from traditional to multi account CloudTrail

[gruntwork-support]

This message was extracted from a discussion that originally took place in Gruntwork Community Slack. Names and URLs have been removed where appropriate

From a customer

Hey there,

I have a short question and I hope that I did not miss the documentation for that. As far as I know you added support for the AWS organization cloud trail to the aws-security-module in one of the last versions.

Is there a migration path or documentation available which describes which steps are required to move from a traditional multi account cloud trail setup to organization trail with the Gruntwork module.

Thanks in advance and best regards

[gruntwork-support]

From a grunt

Hi person,

I'd actually advise you to use v0.48.1 or later due to a couple of bugs in the initial release of the Organizations CloudTrail feature. The bugs were resolved in that version. Do note the WARNING about undeleting the KMS key to ensure that old CloudTrail logs remain readable after updating.

No other specific steps are required to migrate. You can bump the version of terraform-aws-security (being sure to review the release notes between your current version and v0.48.1 in case something else changed), then add cloudtrail_is_organization_trail = true to account-baseline-root, which I assume you're using, and set enable_cloudtrail = false in account-baseline-app and account-baseline-security. This should update the trail to be an Organization trail. Those steps are covered in the v0.45.3 release notes.

I hope this helps!

[gruntwork-support]

From a customer

Hi person,

Sounds great, I think I will come back to that next week because I have to finish something else first.
I will keep you informed.

[gruntwork-support]

From a customer

I want to give you a short feedback. What should I say, everything worked with your guidance.

Thank you very much.