feat: enable cross account kms (#250)

* Support an S3 bucket in a different account

Allow principals in the S3 bucket's account to use the KMS Key to decrypt logs.

S3 itself cannot tell us which account an arbitrary bucket is in, so the caller must provide it.

Useful when using an Organization CloudTrail and a dedicated AWS account for logs, as recommended by [AWS Multi-account strategy](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html).

* Output the KMS Key ARN

So it can be used in for a bucket policy or similar.

---------

Co-authored-by: Dan Russell <[email protected]>

Author: esacteksab

README.md

@@ -67,6 +67,7 @@ previous invocations of the module prior to upgrading the version.
 | key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource, must be 7-30 days.  Default 30 days. | `string` | `30` | no |
 | log_retention_days | Number of days to keep AWS logs around in specific log group. | `string` | `90` | no |
 | org_trail | Whether or not this is an organization trail. Only valid in master account. | `string` | `"false"` | no |
+| s3_bucket_account_id | (optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail. | `string` | `null` | no |
 | s3_key_prefix | S3 key prefix for CloudTrail logs | `string` | `"cloudtrail"` | no |
 | sns_topic_arn | ARN of the SNS topic for notification of log file delivery. | `string` | `""` | no |
 | tags | A mapping of tags to CloudTrail resources. | `map(string)` | `{}` | no |
@@ -79,6 +80,7 @@ previous invocations of the module prior to upgrading the version.
 | cloudtrail_arn | CloudTrail ARN |
 | cloudtrail_home_region | CloudTrail Home Region |
 | cloudtrail_id | CloudTrail ID |
+| kms_key_arn | KMS Key ARN |
 <!-- END_TF_DOCS -->
 
 ## Developer Setup

main.tf

@@ -7,6 +7,10 @@ data "aws_caller_identity" "current" {}
 # The AWS partition (commercial or govcloud)
 data "aws_partition" "current" {}
 
+locals {
+  s3_bucket_account_id = var.s3_bucket_account_id != null ? var.s3_bucket_account_id : data.aws_caller_identity.current.account_id
+}
+
 #
 # CloudTrail - CloudWatch
 #
@@ -191,7 +195,7 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
     condition {
       test     = "StringEquals"
       variable = "kms:CallerAccount"
-      values   = [data.aws_caller_identity.current.account_id]
+      values   = [local.s3_bucket_account_id]
     }
 
     condition {

outputs.tf

@@ -12,3 +12,8 @@ output "cloudtrail_id" {
   description = "CloudTrail ID"
   value       = aws_cloudtrail.main.id
 }
+
+output "kms_key_arn" {
+  description = "KMS Key ARN"
+  value       = aws_kms_key.cloudtrail.arn
+}

variables.tf

@@ -21,6 +21,12 @@ variable "s3_bucket_name" {
   type        = string
 }
 
+variable "s3_bucket_account_id" {
+  description = "(optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail."
+  default     = null
+  type        = string
+}
+
 variable "org_trail" {
   description = "Whether or not this is an organization trail. Only valid in master account."
   default     = "false"