This message is extracted from a ticket originally received at support at Gruntwork dot io. Names and URLs have been changed where appropriate.
When upgrading to the latest module-security package, I get the following when applying the cloudtrail module:
aws_kms_key.cloudtrail: MalformedPolicyDocumentException: Policy contains a statement with no principal.
status code: 400, request id: c587edb4-0b57-11e8-a95a-31abf030f480
It looks like the AWS APIs now require an administrator and (possibly) one non-admin user to be associated with the KMS key used for CloudTrail encryption. Could you try the following:
Set the kms_key_administrator_iam_arns variable to include a user and see if you can now apply without an error.
If you still receive an error, set the kms_key_user_iam_arns variable as well, apply, and see if it works.
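A pre-apply check for the condition in the error message, added here as an example and not taken from the ticket or from Gruntwork's module: it lists the statements in a key policy whose principal is missing or empty. `build_key_policy`, its statement layout, and the sample ARNs are assumptions made for illustration; the module's real policy may be structured differently.

```python
import json

def _is_empty(principal):
    """True when a Principal element names nobody."""
    if principal is None:
        return True
    if isinstance(principal, str):
        return principal.strip() == ""
    if isinstance(principal, dict):
        # {}, {"AWS": []} and {"AWS": ""} all name nobody
        return all(_is_empty(v) for v in principal.values())
    if isinstance(principal, (list, tuple)):
        return all(_is_empty(v) for v in principal)
    return False

def statements_without_principal(policy_json):
    """Return the Sid (or '#index') of each statement that lacks a principal."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be a bare object
        stmts = [stmts]
    bad = []
    for i, stmt in enumerate(stmts):
        principal = stmt.get("Principal", stmt.get("NotPrincipal"))
        if _is_empty(principal):
            bad.append(stmt.get("Sid", f"#{i}"))
    return bad

def build_key_policy(admin_arns, user_arns):
    """Hypothetical rendering: one statement per ARN list (assumed layout)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": list(admin_arns)},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyUsers", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": ["kms:Encrypt", "kms:Decrypt",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    })

# Constructed sample ARNs (placeholder account id).
ADMIN = "arn:aws:iam::111122223333:user/example-admin"
USER = "arn:aws:iam::111122223333:user/example-user"

if __name__ == "__main__":
    print(statements_without_principal(build_key_policy([], [])))
    print(statements_without_principal(build_key_policy([ADMIN], [])))
    print(statements_without_principal(build_key_policy([ADMIN], [USER])))
```

Under the assumed layout, filling only the administrator list still leaves one statement without a principal, which mirrors the two-step suggestion in the reply.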