Multi-region CloudWatch Logs KMS keys

This Terraform project provisions a customer managed AWS KMS key in every region you specify and configures the key policy so the CloudWatch Logs service in that same region can encrypt log groups. Each key receives its own alias, optional rotation, and granular policy statements limiting usage to CloudWatch Logs encryption contexts.

Layout

• versions.tf – Terraform and provider constraints
• providers.tf – Default AWS provider plus one alias per account/region you plan to manage
• variables.tf – Inputs such as the account/region matrix and admin principals
• main.tf – Iterates over every account/region pair and instantiates the reusable kms-key module
• modules/kms-key – Creates the CMK, alias, and CloudWatch-friendly policy
• terraform.tfvars.example – Example configuration you can copy to terraform.tfvars

Prerequisites

1. Terraform v1.6+ and AWS provider v5+
2. AWS credentials capable of creating and managing KMS keys in each targeted region
3. (Optional) An IAM principal list that should have admin access to every key

Usage

1. Copy terraform.tfvars.example to terraform.tfvars and adjust the account_region_configs, alias_prefix, and key_admin_arns values as needed.

2. Make sure providers.tf contains one provider "aws" { alias = "..." } block for every provider_alias listed under each account's regions. Each alias can configure a different AWS account (for example, by specifying distinct credentials or assume-role settings) and must target the region you pair it with. After adding a new alias, add an entry to local.provider_alias_map in main.tf so Terraform knows which provider instance to hand to each module (see the default use1, use2, and usw2 aliases for reference).

3. Initialize Terraform:

   terraform init

4. Review the planned changes:

   terraform plan

5. Apply when satisfied:

   terraform apply

Extending to new accounts or regions

• Add a new provider "aws" { alias = "<alias>" ... } block to providers.tf. Point it at the desired account/credentials and region.
• Insert or update an entry in account_region_configs so the account label references that provider alias under the appropriate region entry.
• The root module automatically instantiates the kms-key module for every account/region pair that you declare.

Defaults

Out of the box, the configuration targets AWS account 111111111111111 in us-east-1, us-east-2, and us-west-2. If you supply your own account_region_configs, those defaults are replaced entirely.

Outputs

kms_keys exposes a nested map keyed first by account label, then by region. Each entry contains the key ARN, key ID, and alias ARN so you can wire the CMKs into CloudWatch Log Group encryption settings or other services.