replace key policy with that from s3 objct logging

cloudtrail-key/README.md

@@ -70,6 +70,7 @@ No modules.
 | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_orig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 

cloudtrail-key/main.tf

@@ -54,10 +54,11 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   partition           = data.aws_arn.current.partition
 
-  name                = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
-  kms_key_name        = format("%v%v", local._prefixes["kms"], local.name)
-  kms_admin_root      = format("arn:%v:iam::%v:root", local.partition, local.account_id)
-  kms_admin_roles     = compact(concat([local.kms_admin_root], var.kms_admin_roles))
+  name           = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
+  kms_key_name   = format("%v%v", local._prefixes["kms"], local.name)
+  kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id)
+  #  kms_admin_roles     = compact(concat([local.kms_admin_root], var.kms_admin_roles))
+  kms_admin_roles     = var.kms_admin_roles
   kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 
 }
@@ -88,7 +89,7 @@ data "aws_iam_policy_document" "key_policy_combined" {
   ]
 }
 
-data "aws_iam_policy_document" "key" {
+data "aws_iam_policy_document" "key_orig" {
   policy_id = "Cloudtrail KMS Access"
   statement {
     sid       = "EnableIAMUserPermissions"
@@ -216,3 +217,50 @@ data "aws_iam_policy_document" "key_admin" {
 }
 
 data "aws_iam_policy_document" "empty" {}
+
+
+#---
+# key policy for clodutrail
+# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html
+# can't use aws_cloudtrail.this.arn as it makes for a circular reference
+#
+# from aws-setup-s3-object-logging
+#---
+data "aws_iam_policy_document" "key" {
+  policy_id = "object-logging-cloud-trail"
+  statement {
+    sid       = "IAMPermissionsAccessKMSManagement"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = [local.kms_admin_root]
+    }
+  }
+  statement {
+    sid       = "CloudTrailKMSAccess"
+    effect    = "Allow"
+    actions   = ["kms:DescribeKey"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+  statement {
+    sid       = "CloudTrailKMSEncryptAccess"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+    }
+  }
+}