# Customer-managed KMS key that encrypts the CloudWatch Logs log group
# created by module "secure_logs" below. The key policy is deliberately
# narrow: only this account's root principal (so IAM policies can govern
# access) and the regional CloudWatch Logs service principal can use it.
resource "aws_kms_key" "logs" {
  description         = "KMS key for CloudWatch Logs encryption"
  enable_key_rotation = true

  # 7 is the minimum AWS allows. Once a scheduled deletion passes its window,
  # every log event encrypted under this key is unrecoverable; for production
  # data a longer window (up to 30 days) leaves more time to cancel a mistaken
  # or malicious deletion.
  deletion_window_in_days = 7

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Standard root statement: without it no IAM policy in the account can
      # grant access to the key, and it can only be managed via this policy.
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      # CloudWatch Logs service principal for this region. The encryption
      # context condition limits use of the key to log groups in this account
      # and region; it can be tightened to a single log-group ARN if the key
      # is never shared across log groups.
      {
        Sid    = "Allow CloudWatch Logs"
        Effect = "Allow"
        Principal = {
          Service = "logs.${data.aws_region.current.name}.amazonaws.com"
        }
        Action = [
          "kms:Encrypt*",
          "kms:Decrypt*",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:Describe*",
        ]
        Resource = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
          }
        }
      },
    ]
  })
}
# Stable, human-readable name for the key so operators and other
# configurations do not have to track the generated key id. Because an alias
# can be repointed, the key can later be replaced without editing consumers
# that reference it by alias.
resource "aws_kms_alias" "logs" {
  name          = "alias/cloudwatch-logs"
  target_key_id = aws_kms_key.logs.key_id
}
# Encrypted log group for the application. The module comes from a private
# registry and is pinned to an exact release, so an upgrade is an explicit,
# reviewable change rather than an implicit one at the next init.
module "secure_logs" {
  source  = "registry.patterneddesigns.ca/essentials/cloudwatch-logs/aws"
  version = "1.3.0"

  log_group_name    = "/app/secure"
  retention_in_days = 90

  # The key policy on aws_kms_key.logs trusts the CloudWatch Logs service
  # principal for this region and is scoped by encryption context to log
  # groups in this account and region, so the log group must be created in
  # the same account and region for encryption to succeed.
  kms_key_arn = aws_kms_key.logs.arn
}
# Account id and region of the credentials in use; both feed the account-
# and region-scoped ARNs inside the key policy of aws_kms_key.logs.
data "aws_region" "current" {}

data "aws_caller_identity" "current" {}