Giving cloudfront logs service access to kms

aws-cloudfront-logs-bucket/main.tf

@@ -1,5 +1,7 @@
 data "aws_canonical_user_id" "current_user" {}
 
+data "aws_caller_identity" "current" {}
+
 module "aws-cloudfront-logs-bucket" {
   source                                 = "../aws-s3-private-bucket"
   env                                    = var.env
@@ -48,4 +50,42 @@ resource "aws_s3_bucket_acl" "cloudfront-owner-grant" {
       id = data.aws_canonical_user_id.current_user.id
     }
   }
-}
+}
+
+data "aws_iam_policy_document" "logs_bucket_kms_policy" {
+  statement {
+    sid = "Allow Cloudfront Access logs delivery to use the key"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+  statement {
+    sid = "Default permission"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+}
+
+locals {
+  aws_kms_key_id = var.kms_encryption != null ? split("/", module.aws-cloudfront-logs-bucket.bucket_kms_encryption_key_arn)[1] : ""
+}
+
+resource "aws_kms_key_policy" "log_bucket_kms_policy" {
+  count = var.kms_encryption != null ? 1 : 0
+  key_id = local.aws_kms_key_id
+  policy = data.aws_iam_policy_document.logs_bucket_kms_policy.json
+}