I would like all objects in the log archive bucket, current or non-current, to expire after a configurable time. Since 1.12.0 it is possible to configure `log_archive_bucket_object_expiration_days`, but this only applies to non-current versions.
For compliance reasons, we need to ensure log archives are stored for no more and no less than a defined number of years. Right now, the CloudTrail created by AFT stores its logs indefinitely, even if you configure `log_archive_bucket_object_expiration_days`, because the S3 lifecycle rule only sets `noncurrent_version_expiration` and CloudTrail does not actually update objects. See s3.tf.
I would propose applying `log_archive_bucket_object_expiration_days` to `expiration` as well.
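For illustration, here is what the proposed lifecycle rule would look like in Terraform. This is an added example, not AFT's own s3.tf: the bucket resource name `aws_s3_bucket.log_archive`, the rule id and the `filter {}` block are assumptions, and it uses the `aws_s3_bucket_lifecycle_configuration` resource of AWS provider v4 or later. The `expiration` block is the addition; the `noncurrent_version_expiration` block is the part that already exists today.

```hcl
# Added example (not AFT's s3.tf). Assumes a versioned bucket resource named
# aws_s3_bucket.log_archive and the existing variable
# log_archive_bucket_object_expiration_days.
variable "log_archive_bucket_object_expiration_days" {
  type        = number
  description = "Days after which log archive objects (current and non-current) expire"
}

resource "aws_s3_bucket_lifecycle_configuration" "log_archive" {
  bucket = aws_s3_bucket.log_archive.id

  rule {
    id     = "expire-log-archive-objects" # assumed rule id
    status = "Enabled"

    # Empty filter: apply the rule to every object in the bucket.
    filter {}

    # PROPOSED ADDITION: expire current versions too.
    # CloudTrail writes each log file once and never overwrites it, so without
    # this block an object never becomes non-current and therefore never
    # expires, which is why logs are currently retained indefinitely.
    expiration {
      days = var.log_archive_bucket_object_expiration_days
    }

    # EXISTING BEHAVIOUR: only non-current versions expire.
    noncurrent_version_expiration {
      noncurrent_days = var.log_archive_bucket_object_expiration_days
    }
  }
}
```

On a versioned bucket, `expiration` does not delete the object outright; it adds a delete marker and the old current version becomes non-current, after which `noncurrent_version_expiration` removes it, so both actions are needed for the data to actually disappear. Note also that a lifecycle rule only bounds the maximum retention ("no more than"); it does not by itself stop someone from deleting objects earlier, so the "no less than" half of the requirement needs a separate control such as a deny-delete bucket policy or S3 Object Lock.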