Enable CMK KMS

Author: StealthBadger747

src/kms-key.tf

@@ -0,0 +1,90 @@
+module "kms_key_archive" {
+  source  = "cloudposse/kms-key/aws"
+  version = "0.12.2"
+
+  description             = "KMS key for Datadog Log Archives"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+  policy                  = join("", data.aws_iam_policy_document.kms_key_archive[*].json)
+
+  context = module.this.context
+}
+
+data "aws_iam_policy_document" "kms_key_archive" {
+  count = local.enabled ? 1 : 0
+
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format("arn:${local.aws_partition}:iam::%s:root", local.aws_account_id)
+      ]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow CloudTrail to use the key" 
+    effect = "Allow"
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values = [
+        format("arn:${local.aws_partition}:cloudtrail:*:%s:trail/*", local.aws_account_id)
+      ]
+    }
+  }
+
+  statement {
+    sid    = "Allow use of the key"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format("arn:${local.aws_partition}:iam::%s:role/${local.datadog_aws_role_name}", local.aws_account_id)
+      ]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt", 
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow attachment of persistent resources"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format("arn:${local.aws_partition}:iam::%s:role/${local.datadog_aws_role_name}", local.aws_account_id)
+      ]
+    }
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
+    }
+  }
+}

src/main.tf

@@ -169,6 +169,9 @@ module "archive_bucket" {
   enabled       = local.enabled
   force_destroy = var.s3_force_destroy
 
+  kms_master_key_arn = module.kms_key_archive.key_arn
+  sse_algorithm      = "aws:kms"
+
   lifecycle_rules = [
     {
       prefix  = null
@@ -220,7 +223,7 @@ module "archive_bucket" {
 
 module "cloudtrail_s3_bucket" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "3.1.2"
+  version = "4.10.0"
 
   depends_on = [data.aws_iam_policy_document.default]
 
@@ -231,6 +234,9 @@ module "cloudtrail_s3_bucket" {
   enabled       = local.enabled
   force_destroy = var.s3_force_destroy
 
+  kms_master_key_arn = module.kms_key_archive.key_arn
+  sse_algorithm      = "aws:kms"
+
   source_policy_documents = data.aws_iam_policy_document.default.*.json
 
   lifecycle_rules = [
@@ -241,8 +247,8 @@ module "cloudtrail_s3_bucket" {
 
       abort_incomplete_multipart_upload_days         = null
       enable_glacier_transition                      = var.enable_glacier_transition
-      glacier_transition_days                        = 365
-      noncurrent_version_glacier_transition_days     = 365
+      glacier_transition_days                        = var.glacier_transition_days
+      noncurrent_version_glacier_transition_days     = var.glacier_transition_days
       enable_deeparchive_transition                  = false
       deeparchive_transition_days                    = 0
       noncurrent_version_deeparchive_transition_days = 0
@@ -304,6 +310,7 @@ module "cloudtrail" {
   enabled                       = local.enabled
   enable_logging                = true
   s3_bucket_name                = module.cloudtrail_s3_bucket[0].bucket_id
+  kms_key_arn                   = module.kms_key_archive.key_arn
 
   event_selector = [
     {