
Commit 14edaa0

authored
ELI-704: add depends_on for CloudTrail KMS key policy before log grou… (#622)
* ELI-704: add depends_on for CloudTrail KMS key policy before log group creation * updated duplicated in-line policy
1 parent dbb0ec3 commit 14edaa0

2 files changed

Lines changed: 2 additions & 28 deletions


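--- a/infrastructure/stacks/api-layer/cloudtrail.tf
+++ b/infrastructure/stacks/api-layer/cloudtrail.tf
@@ -27,34 +27,6 @@ resource "aws_kms_key" "cloudtrail_kms_key" {
 deletion_window_in_days = 14
 enable_key_rotation = true
 
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Sid = "EnableRootPermissions"
-Effect = "Allow"
-Principal = {
-AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-}
-Action = "kms:*"
-Resource = "*"
-},
-{
-Sid = "AllowCloudTrailEncryptLogs"
-Effect = "Allow"
-Principal = {
-Service = "cloudtrail.amazonaws.com"
-}
-Action = [
-"kms:GenerateDataKey*",
-"kms:DescribeKey",
-"kms:Encrypt"
-]
-Resource = "*"
-}
-]
-})
-
 tags = {
 environment = var.environment
 project_name = var.project_name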

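--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -46,4 +46,6 @@ resource "aws_cloudwatch_log_group" "cloudtrail_log_group" {
 name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}elid-aws-cloudtrail-logs"
 retention_in_days = 365
 kms_key_id = aws_kms_alias.cloudtrail_kms_alias.arn
+
+depends_on = [aws_kms_key_policy.cloudtrail_kms_key_policy]
 }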
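Review bot: The new `depends_on` orders log-group creation after `aws_kms_key_policy.cloudtrail_kms_key_policy`, but that policy resource is not in this commit, and the inline policy removed from `aws_kms_key.cloudtrail_kms_key` in cloudtrail.tf granted only the `cloudtrail.amazonaws.com` principal; a log group encrypted with this key additionally needs the CloudWatch Logs service principal (`logs.<region>.amazonaws.com`) allowed `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*` on the key, so please confirm the standalone policy carries that statement, ideally scoped with a `kms:EncryptionContext:aws:logs:arn` condition on this log group's ARN. Without it, `kms_key_id = aws_kms_alias.cloudtrail_kms_alias.arn` is expected to fail at create time with an access error and the ordering fix alone does not help. A one-line comment above the meta-argument would save the next reader a lookup, e.g. `# key policy is managed in aws_kms_key_policy; the alias reference alone does not create that dependency edge`. The enclosing `aws_cloudwatch_log_group` resource block begins before this hunk.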
