From 1ff432b2bfc2ea732c6eabbc5f282dcd8951d60f Mon Sep 17 00:00:00 2001
From: khatraf
Date: Fri, 20 Sep 2024 11:26:40 +0100
Subject: [PATCH] encrypting cloudwatch log groups with kms

---
 terraform/modules/kms/main.tf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/terraform/modules/kms/main.tf b/terraform/modules/kms/main.tf
index af441fd83..7420443d8 100644
--- a/terraform/modules/kms/main.tf
+++ b/terraform/modules/kms/main.tf
@@ -128,6 +128,31 @@ data "aws_iam_policy_document" "kms-general" { ] } } + statement { effect = "Allow" + actions = [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ] + resources = ["*"] + principals { type = "Service" identifiers = [ "logs.eu-west-2.amazonaws.com" ] } condition { test = "ArnLike" variable = "kms:EncryptionContext:aws:logs:arn" values = ["arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"] } } } data "aws_iam_policy_document" "combined-kms-general" {
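Review bot: The new statement hard-codes the region in two places, the service principal `logs.eu-west-2.amazonaws.com` and the ArnLike value `arn:aws:logs:eu-west-2:...`, while the account id is already taken from `data.aws_caller_identity.current`; if this module is ever applied in another region the key policy silently stops matching and CloudWatch Logs gets AccessDenied when associating the key. If the module already has a `data "aws_region" "current"` (not visible in this hunk), the two lines would become `"logs.${data.aws_region.current.name}.amazonaws.com"` and `values = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]`; otherwise consider adding one or passing the region in as a variable. The `:*` suffix also matches any Logs ARN in the account, whereas `:log-group:*` is the narrowest pattern the `aws:logs:arn` encryption context needs and is what the AWS documentation for this statement uses. A short comment above the `condition` block, such as `# Restrict the logs service principal to log groups in this account only (encryption context is set by CloudWatch Logs)`, would explain why the `resources = ["*"]` grant is safe here. The enclosing `data "aws_iam_policy_document" "kms-general"` block begins before this hunk, and the log groups that actually reference this key via `kms_key_id` are not part of this change.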