Delegate account ID fetching to the implementation

This enables the module to be a little bit more flexible about which
accounts are set up for CloudTrail.

Also added CHANGELOG.md

Author: aarongorka

CHANGELOG.md

@@ -0,0 +1,12 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2019-01-13
+### Changed
+  - Remove functionality for getting account IDs in module, delegated to implementation
+
+## [0.1.0] - 2019-01-13
+  - Initial release

cloudtrail.tf

@@ -24,17 +24,6 @@ data "aws_caller_identity" "master" {
   provider = aws.master
 }
 
-data "terraform_remote_state" "globals" {
-  backend   = "s3"
-  workspace = "global"
-  config = {
-    bucket  = "${var.global_state_bucket}"
-    key     = "${var.global_state_key}"
-    region  = "${var.global_state_region}"
-    profile = "${var.global_state_profile}"
-  }
-}
-
 resource "aws_kms_alias" "cloudtrail" {
   provider = aws.master
 
@@ -105,7 +94,7 @@ resource "aws_kms_key" "cloudtrail" {
       "Action": "kms:GenerateDataKey*",
       "Condition": {
         "ForAllValues:StringLike": {
-          "kms:EncryptionContext:aws:cloudtrail:arn": ${jsonencode([for id in data.terraform_remote_state.globals.outputs.aws_account_ids : join("", ["arn:aws:cloudtrail:*:", id, ":trail/*"])])}
+          "kms:EncryptionContext:aws:cloudtrail:arn": ${jsonencode([for id in var.account_ids : join("", ["arn:aws:cloudtrail:*:", id, ":trail/*"])])}
         }
       },
       "Effect": "Allow",
@@ -121,7 +110,7 @@ resource "aws_kms_key" "cloudtrail" {
       "Effect": "Allow",
       "Principal": {
         "AWS": [
-          "arn:aws:iam::${data.terraform_remote_state.globals.outputs.aws_account_ids.master}:root"
+          "arn:aws:iam::${data.aws_caller_identity.master.account_id}:root"
         ]
       },
       "Action": [
@@ -138,7 +127,7 @@ resource "aws_kms_key" "cloudtrail" {
       "Effect": "Allow",
       "Principal": {
         "AWS": [
-          "arn:aws:iam::${data.terraform_remote_state.globals.outputs.aws_account_ids.master}:root"
+          "arn:aws:iam::${data.aws_caller_identity.master.account_id}:root"
         ]
       },
       "Action": [
@@ -165,14 +154,14 @@ resource "aws_kms_key" "s3" {
 resource "aws_kms_alias" "s3" {
   provider = aws.master
 
-  name = "alias/s3"
+  name          = "alias/s3"
   target_key_id = "${aws_kms_key.s3.key_id}"
 }
 
 resource "aws_s3_bucket" "main" {
   provider = aws.audit
 
-  bucket = "s3-${var.client_name}-cloudtrail"
+  bucket        = "s3-${var.client_name}-cloudtrail"
   force_destroy = true
   versioning {
     enabled = true
@@ -181,7 +170,7 @@ resource "aws_s3_bucket" "main" {
     rule {
       apply_server_side_encryption_by_default {
         kms_master_key_id = "${aws_kms_alias.s3.arn}"
-        sse_algorithm = "aws:kms"
+        sse_algorithm     = "aws:kms"
       }
     }
   }

outputs.tf

@@ -2,18 +2,7 @@ variable "client_name" {
   description = "Name of the organisation, used in the bucket name to ensure there are no conflicts"
 }
 
-variable "global_state_bucket" {
-  description = "The name of the bucket containing the global module state"
-}
-
-variable "global_state_key" {
-  description = "The key of the global module state as defined in the backend"
-}
-
-variable "global_state_region" {
-  description = "The region of the bucket containing the global module state"
-}
-
-variable "global_state_profile" {
-  description = "The profile to be used to access the global module state bucket"
+variable "account_ids" {
+  description = "A list of account IDs permitted to send trails to the org master"
+  type        = list(string)
 }