```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Template to enable cloudtrail with a provided bucket (qs-1ti330r7o)

Parameters:
  BucketName:
    Type: String
  BucketArn:
    Type: String

Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    # The bucket policy must exist before CloudTrail validates it can write to the bucket.
    DependsOn: BucketPolicy
    Properties:
      S3BucketName: !Ref BucketName
      IsLogging: true
      # Log file validation produces signed digest files so tampering with delivered logs can be detected.
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      # A multi-region trail captures API activity in every region, not only the stack's region.
      IsMultiRegionTrail: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                # "arn:<partition>:s3" without a bucket name selects all S3 objects in the account.
                - !Sub "arn:${AWS::Partition}:s3"
          IncludeManagementEvents: true
          ReadWriteType: All

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BucketName
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # CloudTrail checks the bucket ACL before it starts delivering logs.
          - Sid: AWSCloudTrailCheck
            Action: 'S3:GetBucketAcl'
            Effect: Allow
            Resource: !Ref BucketArn
            Principal:
              Service: cloudtrail.amazonaws.com
          # Writes are only allowed when the bucket owner gets full control of each delivered object.
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'S3:PutObject'
            Resource: !Join
              - ''
              - - !Ref BucketArn
                - /*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
```