Remove CloudTrail from monitoring (managed in org/) (#15)

Alexanderamiri · web-flow · commit c5dc333fe075 · 2026-03-08T22:48:38.000+01:00
Fixes the apply failure from PR #13. CloudTrail resources are in terraform/org/ — the duplicate in monitoring caused a DeleteTrail error blocked by the permission boundary.
diff --git a/scripts/post-review-comment.sh b/scripts/post-review-comment.sh
@@ -3,26 +3,16 @@
 #
 # Usage: post-review-comment.sh
 #
-# Reads review-result.json and review-output.txt from current directory.
+# Reads review-output.txt from current directory.
 # Env: GH_TOKEN (or gh auth), GITHUB_REPOSITORY, PR_NUMBER
 
 set -e
 
-RISK=$(jq -r '.risk // "FAILED"' review-result.json 2>/dev/null || echo "FAILED")
 REVIEW=$(cat review-output.txt 2>/dev/null || echo "LLM review output not available.")
 
-case "$RISK" in
-  LOW)    EMOJI="🟢" ;;
-  MEDIUM) EMOJI="🟡" ;;
-  HIGH)   EMOJI="🔴" ;;
-  *)      EMOJI="⚪" ;;
-esac
-
 cat > /tmp/review-comment.md <<EOF
 ## LLM Plan Review
 
-**Risk: ${EMOJI} ${RISK}**
-
 ${REVIEW}
 EOF
 
diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
@@ -1,106 +1,3 @@
-################################################################################
-# CloudTrail — required for EventBridge to receive API call events
-#
-# Without a trail, EventBridge rules matching "AWS API Call via CloudTrail"
-# never fire. This is the single trail (free tier) with management events only.
-################################################################################
-
-resource "aws_s3_bucket" "cloudtrail" {
-  bucket = "${var.project}-cloudtrail-${var.aws_account_id}"
-
-  tags = {
-    Name = "${var.project}-cloudtrail"
-  }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
-    }
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  rule {
-    id     = "expire-old-logs"
-    status = "Enabled"
-
-    expiration {
-      days = 90
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid       = "AWSCloudTrailAclCheck"
-        Effect    = "Allow"
-        Principal = { Service = "cloudtrail.amazonaws.com" }
-        Action    = "s3:GetBucketAcl"
-        Resource  = aws_s3_bucket.cloudtrail.arn
-        Condition = {
-          StringEquals = {
-            "aws:SourceArn" = "arn:aws:cloudtrail:${var.region}:${var.aws_account_id}:trail/${var.project}-trail"
-          }
-        }
-      },
-      {
-        Sid       = "AWSCloudTrailWrite"
-        Effect    = "Allow"
-        Principal = { Service = "cloudtrail.amazonaws.com" }
-        Action    = "s3:PutObject"
-        Resource  = "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${var.aws_account_id}/*"
-        Condition = {
-          StringEquals = {
-            "s3:x-amz-acl"  = "bucket-owner-full-control"
-            "aws:SourceArn" = "arn:aws:cloudtrail:${var.region}:${var.aws_account_id}:trail/${var.project}-trail"
-          }
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_cloudtrail" "main" {
-  name                       = "${var.project}-trail"
-  s3_bucket_name             = aws_s3_bucket.cloudtrail.id
-  is_multi_region_trail      = true
-  enable_log_file_validation = true
-
-  # Send events to EventBridge (required for our rules to fire)
-  # This is enabled by default for management events when a trail exists,
-  # but being explicit about it
-  event_selector {
-    read_write_type           = "All"
-    include_management_events = true
-  }
-
-  depends_on = [aws_s3_bucket_policy.cloudtrail]
-
-  tags = {
-    Name = "${var.project}-trail"
-  }
-}
-
 ################################################################################
 # SNS Topics for Alerts
 ################################################################################
