Policy Setting: AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key
Policies
This policy setting is dependent on the following policy types:
Source
# Calculated policy setting for the Turbot audit trail's CloudTrail encryption key
# (policy type trailEncryptionKey), attached to the policy pack `main`.
# The value is not hard-coded: it is looked up by alias among the KMS keys that
# the GraphQL query in template_input returns, and rendered as the key's ARN.
#
# NOTE(review): the key policy of the selected key must let the CloudTrail
# service principal use it (kms:GenerateDataKey*, kms:DescribeKey), and log
# readers need kms:Decrypt; this setting only selects the key, so confirm the
# key policy is managed elsewhere.
resource "turbot_policy_setting" "aws_trail_encryption_key" {
  resource = turbot_policy_pack.main.id
  type = "tmod:@turbot/aws#/policy/types/trailEncryptionKey"
  # NOTE(review): the note cites CIS control 3.1 only; confirm whether the
  # benchmark's control on encrypting CloudTrail logs with a KMS CMK should be
  # referenced here as well.
  note = "AWS CIS v3.0.0 - Controls: 3.1"
  # Query: child resources of type aws-kms key at level self,descendant,
  # returning each key's AliasName and KeyArn. The filter caps the result at
  # 5000 items, so a key beyond that limit would not be seen by the template.
  template_input = <<-EOT
    {
      resource {
        children(filter: "resourceTypeId:tmod:@turbot/aws-kms#/resource/types/key level:self,descendant limit:5000") {
          items {
            AliasName: get(path: "AliasName")
            KeyArn: get(path: "KeyArn")
          }
        }
      }
    }
  EOT
  # Template: emits the JSON-encoded KeyArn of every item whose AliasName is
  # exactly equal to var.kms_key_alias (interpolated by Terraform at plan time,
  # so the rendered template contains the literal alias string).
  #  - No match: the template renders nothing. NOTE(review): verify how the
  #    policy behaves on an empty value, so that a missing or renamed alias
  #    cannot silently leave the trail without a customer-managed key.
  #  - Several matches (e.g. the same alias present on more than one returned
  #    key): one ARN is emitted per match, back to back. TODO confirm the alias
  #    is unique within the queried scope.
  #  - AWS alias names carry the "alias/" prefix; presumably AliasName is
  #    stored that way, so var.kms_key_alias would need to include it. Verify.
  template = <<-EOT
    {%- for key in $.resource.children.items -%}
    {%- if key.AliasName == "${var.kms_key_alias}" -%}
    {{ key.KeyArn | json }}
    {%- endif -%}
    {%- endfor -%}
  EOT
}