The actions the BreakGlass user does are logged in CloudTrail, but at least for the sign-in, this depends on the region. By default it's only logged if the user signs in in us-east-1. All our resources are located in eu-central-1. If the user signs in there, nothing is logged.
In my opinion it's not a good solution to just deploy the logging resources in every region, as the list of default regions is pretty long. They cannot be disabled, and it's very error prone, as one can easily forget a region.
Either an easy way to deploy logging across all regions needs to be added, or a way to limit the user to logging in only in dedicated regions.
Our organisation is only active in one region, eu-central-1. IAM is a global service, so it's logged in us-east-1.
You should be able to set it to all regions by setting regions to ["*"] - have you tried that? If not, go ahead and try it and please let me know if it's not working as expected.
The only region that's set in the code is the one for the provider. And that one cannot be set to *; I tried it:
│ Error: Incorrect attribute value type
│
│ on provider.tf line 9, in provider "aws":
│ 9: region = ["*"]
│
│ Inappropriate value for attribute "region": string required.
So I'm not sure where you want me to set it?
Is this request special? I would think that everyone using this would have the same requirements, the logging for this in every region. Because there's no way to prevent the break glass user from logging in in dedicated regions.
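For reference, the following is an added Terraform example and is not code from the module discussed in this issue. It shows the usual way to get sign-in and other global-service events recorded from every region without deploying per-region resources: a single trail with `is_multi_region_trail` and `include_global_service_events` set, while the provider keeps its one home region. The trail name and bucket name are assumptions.

```hcl
# Added example, not part of the module in this issue. One multi-region
# CloudTrail trail that also captures global-service events (IAM, STS,
# console sign-in), so a break-glass sign-in is recorded regardless of the
# region it happens in. Trail and bucket names below are assumed.

provider "aws" {
  region = "eu-central-1" # the provider still needs exactly one home region
}

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "trail" {
  # assumed bucket name; must be globally unique
  bucket        = "breakglass-cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
  force_destroy = false
}

# CloudTrail needs to read the bucket ACL and write log objects.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

resource "aws_cloudtrail" "all_regions" {
  name                          = "breakglass-all-regions" # assumed name
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true # one trail covers every region, including ones enabled later
  include_global_service_events = true # IAM / STS / console sign-in events land in this trail
  enable_log_file_validation    = true # digest files make tampering with delivered logs detectable

  depends_on = [aws_s3_bucket_policy.trail]
}
```

The "all regions" property lives on the trail, not on the provider, which is why `region = ["*"]` fails with the type error shown above. With this trail in place, ConsoleLogin events for the break-glass user arrive in one bucket and can be alerted on from a single place, so no region has to be remembered individually.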