Hi @stuart-c
Thanks for the reply, which actually pointed me in the right direction. I’ve managed to fix it and now have the right configuration, and it works as expected.
For anyone else wanting to do the same or something similar, I’m posting the final configuration below.
The locals and the module call now look like this (I moved the for loops inside the locals block instead of having them inside the template):
locals {
  # One GuardDuty detector ID per region, keyed by the region name.
  guardduty_detector_ids = {
    (var.aws_region)              = data.aws_guardduty_detector.ireland_guardduty_detector.id
    (var.virginia_region)         = data.aws_guardduty_detector.virginia_guardduty_detector.id
    (var.frankfurt_region)        = data.aws_guardduty_detector.frankfurt_guardduty_detector.id
    (var.london_region)           = data.aws_guardduty_detector.london_guardduty_detector.id
    (var.paris_region)            = data.aws_guardduty_detector.paris_guardduty_detector.id
    (var.stockholm_region)        = data.aws_guardduty_detector.stockholm_guardduty_detector.id
    (var.ohio_region)             = data.aws_guardduty_detector.ohio_guardduty_detector.id
    (var.north_california_region) = data.aws_guardduty_detector.north_california_guardduty_detector.id
    (var.oregon_region)           = data.aws_guardduty_detector.oregon_guardduty_detector.id
    (var.central_region)          = data.aws_guardduty_detector.central_guardduty_detector.id
    (var.mumbai_region)           = data.aws_guardduty_detector.mumbai_guardduty_detector.id
    (var.osaka_region)            = data.aws_guardduty_detector.osaka_guardduty_detector.id
    (var.seoul_region)            = data.aws_guardduty_detector.seoul_guardduty_detector.id
    (var.singapore_region)        = data.aws_guardduty_detector.singapore_guardduty_detector.id
    (var.sydney_region)           = data.aws_guardduty_detector.sydney_guardduty_detector.id
    (var.tokyo_region)            = data.aws_guardduty_detector.tokyo_guardduty_detector.id
    (var.sao_paulo_region)        = data.aws_guardduty_detector.sao_paulo_guardduty_detector.id
  }

  # One detector ARN per region. These are the only aws:SourceArn values the
  # key policy will accept from the GuardDuty service principal.
  guardduty_detector_arns = [
    for region, detector_id in local.guardduty_detector_ids :
    "arn:${var.aws_partition}:guardduty:${region}:${var.account_id}:detector/${detector_id}"
  ]
}

module "aws_guardduty_findings_kms_key" {
  source      = "./kms-key"
  description = "This is used to encrypt GuardDuty exported findings"
  policy = templatefile("policy/aws_guardduty_findings_kms_key_policy.json", {
    source_account          = var.account_id
    kms_key_region          = var.aws_region
    kms_key_id              = "*"
    guardduty_detector_arns = local.guardduty_detector_arns
    # Same partition that was used to build the detector ARNs above.
    aws_partition           = var.aws_partition
  })
}
The JSON file with the policy template now looks like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGuardDutyKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "arn:${aws_partition}:kms:${kms_key_region}:${source_account}:key/${kms_key_id}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${source_account}",
          "aws:SourceArn": ${jsonencode(guardduty_detector_arns)}
        }
      }
    }
  ]
}
Hope it helps someone.
Thank you both for the help!
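The point of the `aws:SourceAccount` and `aws:SourceArn` conditions in the policy above is confused-deputy protection: `guardduty.amazonaws.com` is the same principal in every AWS account, so without them any account's GuardDuty detector could ask the service to generate data keys under this key. The script below is an added example (not from the thread or any Terraform module): it rebuilds the detector ARNs the same way the HCL locals do, renders the rendered policy as a dict, and lints it for the three things that matter here: the service principal gets only `kms:GenerateDataKey`, `aws:SourceAccount` is this account, and every `aws:SourceArn` is a GuardDuty detector ARN in this account. Account ID, regions and detector IDs are constructed sample values.

```python
"""Confused-deputy lint for a KMS key policy that grants a service principal
(here guardduty.amazonaws.com) kms:GenerateDataKey.

Added example, not part of the original thread. Account ID, region names and
detector IDs are constructed sample values.
"""
import re

ACCOUNT_ID = "111122223333"   # constructed sample account
PARTITION = "aws"
KEY_REGION = "eu-west-1"
# Constructed sample detector IDs, one per region (32 hex chars like real ones).
DETECTOR_IDS = {
    "eu-west-1": "0123456789abcdef0123456789abcdef",
    "us-east-1": "fedcba9876543210fedcba9876543210",
}
ALLOWED_ACTIONS = {"kms:GenerateDataKey"}
DETECTOR_ARN_RE = re.compile(
    r"^arn:(aws[a-z-]*):guardduty:([a-z0-9-]+):(\d{12}):detector/([0-9a-f]+)$"
)


def detector_arns(partition, account_id, detectors):
    """Mirror of the HCL local: one GuardDuty detector ARN per region."""
    return [
        f"arn:{partition}:guardduty:{region}:{account_id}:detector/{det_id}"
        for region, det_id in detectors.items()
    ]


def render_policy(partition, key_region, account_id, arns):
    """Mirror of the policy template, rendered as a dict instead of JSON text."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGuardDutyKey",
            "Effect": "Allow",
            "Principal": {"Service": "guardduty.amazonaws.com"},
            "Action": "kms:GenerateDataKey",
            "Resource": f"arn:{partition}:kms:{key_region}:{account_id}:key/*",
            "Condition": {"StringEquals": {
                "aws:SourceAccount": account_id,
                "aws:SourceArn": arns,
            }},
        }],
    }


def weak_policy():
    """Constructed 'before' version: broad action, no source conditions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGuardDutyKey",
            "Effect": "Allow",
            "Principal": {"Service": "guardduty.amazonaws.com"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy, account_id):
    """Return a list of findings for service-principal grants; [] means pass."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: wildcard principal")
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # not a service-principal grant; out of scope for this lint
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"{sid}: actions beyond GenerateDataKey: {sorted(extra)}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            findings.append(f"{sid}: missing or wrong aws:SourceAccount")
        arns = _as_list(cond.get("aws:SourceArn", []))
        if not arns:
            findings.append(f"{sid}: missing aws:SourceArn (confused-deputy risk)")
        for arn in arns:
            m = DETECTOR_ARN_RE.match(arn)
            if not m or m.group(3) != account_id:
                findings.append(f"{sid}: SourceArn is not a detector in this account: {arn}")
    return findings


if __name__ == "__main__":
    arns = detector_arns(PARTITION, ACCOUNT_ID, DETECTOR_IDS)
    hardened = render_policy(PARTITION, KEY_REGION, ACCOUNT_ID, arns)
    for name, pol in (("hardened", hardened), ("weak", weak_policy())):
        print(name, check_policy(pol, ACCOUNT_ID) or "OK")
```

Running it reports `OK` for the rendered policy and three findings for the weak variant (wildcard action, no `aws:SourceAccount`, no `aws:SourceArn`); feeding it detector ARNs from a different account flags each ARN, which is the case the condition exists to block.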