Commit b97717a

Support kms_key for cloudtrail-event-data-store (#48)
1 parent d6025db commit b97717a

File tree

4 files changed

+14
-9
lines changed

modules/cloudtrail-event-data-store/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ This module creates following resources.
4343
| <a name="input_management_event_selector"></a> [management\_event\_selector](#input\_management\_event\_selector) | (Optional) A configuration of management event selector to use to select the events for the event data store. Only used if `event_type` is `CLOUDTRAIL_EVENTS`. `management_event_selector` block as defined below.<br> (Optional) `enabled` - Whether to capture management events. Defaults to `false`.<br> (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `ALL`.<br> (Optional) `exclude_event_sources` - A set of event sources to exclude. Valid values are `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `management_event_selector.enabled` must be set to true to allow this. | <pre>object({<br> enabled = optional(bool, false)<br> scope = optional(string, "ALL")<br> exclude_event_sources = optional(set(string), [])<br> })</pre> | n/a | yes |
4444
| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the event data store. | `string` | n/a | yes |
4545
| <a name="input_data_event_selectors"></a> [data\_event\_selectors](#input\_data\_event\_selectors) | (Optional) A configuration of event selectors to use to select the data events for the event data store. Each item of `data_event_selectors` block as defined below.<br> (Optional) `name` - A name of the advanced event selector.<br> (Optional) `resource_type` - A resource type to log data events to log. Valid values are one of the following:<br> - `AWS::DynamoDB::Table`<br> - `AWS::Lambda::Function`<br> - `AWS::S3::Object`<br> - `AWS::AppConfig::Configuration`<br> - `AWS::B2BI::Transformer`<br> - `AWS::Bedrock::AgentAlias`<br> - `AWS::Bedrock::KnowledgeBase`<br> - `AWS::Cassandra::Table`<br> - `AWS::CloudFront::KeyValueStore`<br> - `AWS::CloudTrail::Channel`<br> - `AWS::CodeWhisperer::Customization`<br> - `AWS::CodeWhisperer::Profile`<br> - `AWS::Cognito::IdentityPool`<br> - `AWS::DynamoDB::Stream`<br> - `AWS::EC2::Snapshot`<br> - `AWS::EMRWAL::Workspace`<br> - `AWS::FinSpace::Environment`<br> - `AWS::Glue::Table`<br> - `AWS::GreengrassV2::ComponentVersion`<br> - `AWS::GreengrassV2::Deployment`<br> - `AWS::GuardDuty::Detector`<br> - `AWS::IoT::Certificate`<br> - `AWS::IoT::Thing`<br> - `AWS::IoTSiteWise::Asset`<br> - `AWS::IoTSiteWise::TimeSeries`<br> - `AWS::IoTTwinMaker::Entity`<br> - `AWS::IoTTwinMaker::Workspace`<br> - `AWS::KendraRanking::ExecutionPlan`<br> - `AWS::KinesisVideo::Stream`<br> - `AWS::ManagedBlockchain::Network`<br> - `AWS::ManagedBlockchain::Node`<br> - `AWS::MedicalImaging::Datastore`<br> - `AWS::NeptuneGraph::Graph`<br> - `AWS::PCAConnectorAD::Connector`<br> - `AWS::QBusiness::Application`<br> - `AWS::QBusiness::DataSource`<br> - `AWS::QBusiness::Index`<br> - `AWS::QBusiness::WebExperience`<br> - `AWS::RDS::DBCluster`<br> - `AWS::S3::AccessPoint`<br> - `AWS::S3ObjectLambda::AccessPoint`<br> - `AWS::S3Outposts::Object`<br> - `AWS::SageMaker::Endpoint`<br> - `AWS::SageMaker::ExperimentTrialComponent`<br> - `AWS::SageMaker::FeatureGroup`<br> - 
`AWS::ServiceDiscovery::Namespace`<br> - `AWS::ServiceDiscovery::Service`<br> - `AWS::SCN::Instance`<br> - `AWS::SNS::PlatformEndpoint`<br> - `AWS::SNS::Topic`<br> - `AWS::SWF::Domain`<br> - `AWS::SQS::Queue`<br> - `AWS::SSMMessages::ControlChannel`<br> - `AWS::ThinClient::Device`<br> - `AWS::ThinClient::Environment`<br> - `AWS::Timestream::Database`<br> - `AWS::Timestream::Table`<br> - `AWS::VerifiedPermissions::PolicyStore`<br> (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `WRITE`.<br> (Optional) `conditions` - A configuration of field conditions to filter events by the ARN of resource and the event name. Each item of `conditions` as defined below.<br> (Required) `field` - A field to compare by the field condition. Valid values are `event_name` and `resource_arn`.<br> (Required) `operator` - An operator of the field condition. Valid values are `equals`, `not_equals`, `starts_with`, `not_starts_with`, `ends_with`, `not_ends_with`.<br> (Required) `values` - A set of values of the field condition to compare. | <pre>list(object({<br> name = optional(string)<br> resource_type = string<br> scope = optional(string, "WRITE")<br> conditions = optional(list(object({<br> field = string<br> operator = string<br> values = set(string)<br> })), [])<br> }))</pre> | `[]` | no |
46-
| <a name="input_encryption_kms_key"></a> [encryption\_kms\_key](#input\_encryption\_kms\_key) | (Optional) Specify the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. By default, the event data store is encrypted with a KMS key that AWS owns and manages. | `string` | `null` | no |
46+
| <a name="input_encryption"></a> [encryption](#input\_encryption) | (Optional) A configuration to encrypt the events delivered by CloudTrail. By default, the event data store is encrypted with a KMS key that AWS owns and manages.`encryption` as defined below.<br> (Optional) `kms_key` - The ID of AWS KMS key to use to encrypt the events delivered by CloudtTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. | <pre>object({<br> kms_key = optional(string)<br> })</pre> | `{}` | no |
4747
| <a name="input_event_type"></a> [event\_type](#input\_event\_type) | (Required) A type of event to be collected by the event data store. Valid values are `CLOUDTRAIL_EVENTS`, `CONFIG_CONFIGURATION_ITEMS`. Defaults to `CLOUDTRAIL_EVENTS`. | `string` | `"CLOUDTRAIL_EVENTS"` | no |
4848
| <a name="input_import_trail_events_iam_role"></a> [import\_trail\_events\_iam\_role](#input\_import\_trail\_events\_iam\_role) | (Optional) A configuration of IAM Role for importing CloudTrail events from S3 Bucket. `import_trail_events_iam_role` as defined below.<br> (Optional) `enabled` - Indicates whether you want to create IAM Role to import trail events. Defaults to `true`.<br> (Optional) `source_s3_buckets` - A list of source S3 buckets to import events from. Each item of `source_s3_buckets` as defined below.<br> (Required) `name` - A name of source S3 bucket.<br> (Optional) `key_prefix` - A key prefix of source S3 bucket. | <pre>object({<br> enabled = optional(bool, true)<br> source_s3_buckets = optional(list(object({<br> name = string<br> key_prefix = optional(string, "/")<br> })), [])<br> })</pre> | `{}` | no |
4949
| <a name="input_level"></a> [level](#input\_level) | (Optional) The level of the event data store to decide whether the event data store collects events logged for an organization in AWS Organizations. Can be created in the management account or delegated administrator account. Valid values are `ACCOUNT` and `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
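Review bot: the new `encryption` row carries two description defects that should be fixed at the source rather than here, since this README is generated from the variable description: "manages.`encryption` as defined below" is missing a space after the period, and "CloudtTrail" is misspelled. Correct both in the `description` heredoc of `variable "encryption"` in variables.tf and regenerate the README so the two stay in sync.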

modules/cloudtrail-event-data-store/main.tf

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,8 +43,7 @@ resource "aws_cloudtrail_event_data_store" "this" {
4343

4444

4545
## Encryption
46-
# TODO: Not supported yet in aws provider
47-
# kms_key_id = var.encryption_kms_key
46+
kms_key_id = var.encryption.kms_key
4847

4948

5049
## Event Selector - AWS CloudTrail Events (Management)
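Review bot: dropping the "TODO: Not supported yet in aws provider" comment and wiring `kms_key_id = var.encryption.kms_key` implies a minimum AWS provider version that exposes `kms_key_id` on `aws_cloudtrail_event_data_store`, but this change does not touch the module's provider version constraint. Raise the `required_providers` lower bound to the first version that supports the argument, otherwise users on an older provider get a plan-time error on an argument the README now advertises. It is also worth a sentence in the variable description that a customer-managed key must grant CloudTrail use of the key in its key policy, since the module configures only the key reference and not the key itself.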

modules/cloudtrail-event-data-store/outputs.tf

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ output "arn" {
22
description = "The Amazon Resource Name (ARN) of the event data store."
33
value = aws_cloudtrail_event_data_store.this.arn
44
}
5+
56
output "id" {
67
description = "The ID of the event data store."
78
value = aws_cloudtrail_event_data_store.this.id
@@ -40,7 +41,7 @@ output "data_event_selectors" {
4041
output "encryption" {
4142
description = "The configuration for the encryption of the event data store."
4243
value = {
43-
# kms_key = aws_cloudtrail_event_data_store.this.kms_key_id
44+
kms_key = aws_cloudtrail_event_data_store.this.kms_key_id
4445
}
4546
}
4647
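Review bot: the `encryption` output now returns `kms_key = aws_cloudtrail_event_data_store.this.kms_key_id`, which is `null` whenever the store uses the default AWS-owned key. The output description ("The configuration for the encryption of the event data store.") should say so explicitly, so callers consuming `module.x.encryption.kms_key` do not treat `null` as "unencrypted"; for example: "`kms_key` is null when the event data store is encrypted with the AWS-owned key."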

modules/cloudtrail-event-data-store/variables.tf

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -179,11 +179,16 @@ variable "data_event_selectors" {
179179
}
180180
}
181181

182-
variable "encryption_kms_key" {
183-
description = "(Optional) Specify the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. By default, the event data store is encrypted with a KMS key that AWS owns and manages."
184-
type = string
185-
default = null
186-
nullable = true
182+
variable "encryption" {
183+
description = <<EOF
184+
(Optional) A configuration to encrypt the events delivered by CloudTrail. By default, the event data store is encrypted with a KMS key that AWS owns and manages.`encryption` as defined below.
185+
(Optional) `kms_key` - The ID of AWS KMS key to use to encrypt the events delivered by CloudtTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
186+
EOF
187+
type = object({
188+
kms_key = optional(string)
189+
})
190+
default = {}
191+
nullable = false
187192
}
188193

189194
variable "retention_in_days" {
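Review bot: replacing `variable "encryption_kms_key"` with `variable "encryption"` is a breaking interface change for every caller that sets `encryption_kms_key`, and the commit message "Support kms_key for cloudtrail-event-data-store" does not flag it; add a changelog or migration note stating that `encryption_kms_key = "..."` becomes `encryption = { kms_key = "..." }`. The `nullable = false` together with `default = {}` is the right choice here, because `var.encryption.kms_key` in main.tf would fail on a null object. Separately, the heredoc description has a missing space in "manages.`encryption` as defined below" and the typo "CloudtTrail"; fix them here so the generated README inherits the corrections.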
