thunderbird · ryanjjung · Mar 24, 2026
diff --git a/pulumi/__main__.py b/pulumi/__main__.py
@@ -12,6 +12,7 @@
 import tb_pulumi
 import tb_pulumi.fargate
 import tb_pulumi.network
+import tb_pulumi.s3
 import tb_pulumi.secrets
 
 from site24x7 import main as site24x7
@@ -29,13 +30,25 @@
     site24x7()
 
 if build_tbpulumi:
+    # Resources that don't require a VPC or subnets
     psm_opts = resources.get('tb:secrets:PulumiSecretsManager', {}).get('secrets')
     psm = tb_pulumi.secrets.PulumiSecretsManager(
         name=f'{project.name_prefix}-secrets',
         project=project,
         **psm_opts,
     )
 
+    s3_bucket_opts = resources.get('tb:s3:S3Bucket', {})
+    s3_buckets = {
+        bucket_name: tb_pulumi.s3.S3Bucket(
+            name=f'{project.name_prefix}-s3bucket-{bucket_name}',
+            project=project,
+            **bucket_config,
+        )
+        for bucket_name, bucket_config in s3_bucket_opts.items()
+    }
+
+    # The VPC and everything that depends upon it
     vpc_config = resources.get('tb:network:MultiCidrVpc', {}).get('fluentbit', {})
     vpc_fluentbit = tb_pulumi.network.MultiCidrVpc(
         f'{project.name_prefix}-vpc-fluentbit',

diff --git a/pulumi/config.dev.yaml b/pulumi/config.dev.yaml
@@ -9,6 +9,10 @@ resources:
     secrets:
       secret_names:
         - posthog_api_key
+
+  tb:s3:S3Bucket:
+    cloudtrail:
+      bucket_name: tb-observability-cloudtrail-target-dev
 
   tb:network:MultiCidrVpc:
     fluentbit:

diff --git a/pulumi/config.prod.yaml b/pulumi/config.prod.yaml
@@ -11,6 +11,10 @@ resources:
       secret_names:
         - posthog_api_key
 
+  tb:s3:S3Bucket:
+    cloudtrail:
+      bucket_name: tb-observability-cloudtrail-target-prod
+
   tb:network:MultiCidrVpc:
     fluentbit:
       # The observability project has all of 10.200.0.0/16 assigned to it, but let's not soak all

diff --git a/pulumi/config.stage.yaml b/pulumi/config.stage.yaml
@@ -10,6 +10,10 @@ resources:
       secret_names:
         - posthog_api_key
 
+  tb:s3:S3Bucket:
+    cloudtrail:
+      bucket_name: tb-observability-cloudtrail-target-stage
+
   tb:network:MultiCidrVpc:
     fluentbit:
       # The observability project has all of 10.201.0.0/16 assigned to it, but let's not soak all