fix: use the same CMK for encrypting the SNS topic

examples/external-bucket/main.tf

@@ -24,6 +24,7 @@ module "secure_baseline" {
     aws                = aws
     aws.ap-northeast-1 = aws.ap-northeast-1
     aws.ap-northeast-2 = aws.ap-northeast-2
+    aws.ap-northeast-3 = aws.ap-northeast-3
     aws.ap-south-1     = aws.ap-south-1
     aws.ap-southeast-1 = aws.ap-southeast-1
     aws.ap-southeast-2 = aws.ap-southeast-2

examples/external-bucket/regions.tf

@@ -17,6 +17,13 @@ provider "aws" {
   alias      = "ap-northeast-2"
 }
 
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = "ap-northeast-3"
+  alias      = "ap-northeast-3"
+}
+
 provider "aws" {
   access_key = var.access_key
   secret_key = var.secret_key

examples/organization/master/main.tf

@@ -39,6 +39,7 @@ module "secure_baseline" {
     aws                = aws
     aws.ap-northeast-1 = aws.ap-northeast-1
     aws.ap-northeast-2 = aws.ap-northeast-2
+    aws.ap-northeast-3 = aws.ap-northeast-3
     aws.ap-south-1     = aws.ap-south-1
     aws.ap-southeast-1 = aws.ap-southeast-1
     aws.ap-southeast-2 = aws.ap-southeast-2

examples/organization/master/regions.tf

@@ -17,6 +17,13 @@ provider "aws" {
   alias      = "ap-northeast-2"
 }
 
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = "ap-northeast-3"
+  alias      = "ap-northeast-3"
+}
+
 provider "aws" {
   access_key = var.access_key
   secret_key = var.secret_key

examples/organization/member/main.tf

@@ -33,6 +33,7 @@ module "secure_baseline" {
     aws                = aws
     aws.ap-northeast-1 = aws.ap-northeast-1
     aws.ap-northeast-2 = aws.ap-northeast-2
+    aws.ap-northeast-3 = aws.ap-northeast-3
     aws.ap-south-1     = aws.ap-south-1
     aws.ap-southeast-1 = aws.ap-southeast-1
     aws.ap-southeast-2 = aws.ap-southeast-2

examples/organization/member/regions.tf

@@ -17,6 +17,13 @@ provider "aws" {
   alias      = "ap-northeast-2"
 }
 
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = "ap-northeast-3"
+  alias      = "ap-northeast-3"
+}
+
 provider "aws" {
   access_key = var.access_key
   secret_key = var.secret_key

examples/select-region/main.tf

@@ -31,6 +31,7 @@ module "secure_baseline" {
     aws                = aws
     aws.ap-northeast-1 = aws.ap-northeast-1
     aws.ap-northeast-2 = aws.ap-northeast-2
+    aws.ap-northeast-3 = aws.ap-northeast-3
     aws.ap-south-1     = aws.ap-south-1
     aws.ap-southeast-1 = aws.ap-southeast-1
     aws.ap-southeast-2 = aws.ap-southeast-2

examples/select-region/regions.tf

@@ -17,6 +17,13 @@ provider "aws" {
   alias      = "ap-northeast-2"
 }
 
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = "ap-northeast-3"
+  alias      = "ap-northeast-3"
+}
+
 provider "aws" {
   access_key = var.access_key
   secret_key = var.secret_key

examples/simple/main.tf

@@ -28,6 +28,7 @@ module "secure_baseline" {
     aws                = aws
     aws.ap-northeast-1 = aws.ap-northeast-1
     aws.ap-northeast-2 = aws.ap-northeast-2
+    aws.ap-northeast-3 = aws.ap-northeast-3
     aws.ap-south-1     = aws.ap-south-1
     aws.ap-southeast-1 = aws.ap-southeast-1
     aws.ap-southeast-2 = aws.ap-southeast-2

examples/simple/regions.tf

@@ -17,6 +17,13 @@ provider "aws" {
   alias      = "ap-northeast-2"
 }
 
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = "ap-northeast-3"
+  alias      = "ap-northeast-3"
+}
+
 provider "aws" {
   access_key = var.access_key
   secret_key = var.secret_key

modules/cloudtrail-baseline/README.md

@@ -33,7 +33,6 @@ Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTra
 | region | The AWS region in which CloudTrail is set up. | `any` | n/a | yes |
 | s3\_bucket\_name | The name of the S3 bucket which will store configuration snapshots. | `any` | n/a | yes |
 | s3\_key\_prefix | The prefix for the specified S3 bucket. | `string` | `""` | no |
-| sns\_topic\_kms\_master\_key\_id | The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK. | `string` | `"alias/aws/sns"` | no |
 | tags | Specifies object tags key and value. This applies to all resources created by this module. | `map` | <pre>{<br>  "Terraform": true<br>}</pre> | no |
 
 ## Outputs

modules/cloudtrail-baseline/main.tf

@@ -170,6 +170,20 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       values   = ["arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"]
     }
   }
+
+  # https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-permissions-for-sns-notifications.html
+  statement {
+    sid = "Allow CloudTrail to send notifications to the encrypted SNS topic"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt"
+    ]
+    resources = ["*"]
+  }
 }
 
 resource "aws_kms_key" "cloudtrail" {
@@ -193,7 +207,7 @@ resource "aws_sns_topic" "cloudtrail-sns-topic" {
   count = var.enabled ? 1 : 0
 
   name              = var.cloudtrail_sns_topic_name
-  kms_master_key_id = var.sns_topic_kms_master_key_id
+  kms_master_key_id = aws_kms_key.cloudtrail[0].id
 }
 
 data "aws_iam_policy_document" "cloudtrail-sns-policy" {

modules/cloudtrail-baseline/variables.tf

@@ -55,11 +55,6 @@ variable "s3_key_prefix" {
   default     = ""
 }
 
-variable "sns_topic_kms_master_key_id" {
-  description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK."
-  default     = "alias/aws/sns"
-}
-
 variable "is_organization_trail" {
   description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
   default     = false