Received error when upgrading to latest CloudTrail module

This message is extracted from a ticket originally received at support at Gruntwork dot io. Names and URLs have been changed where appropriate.

When upgrading to the latest module-security package, I get the following when applying the cloudtrail module:

  • aws_kms_key.cloudtrail: MalformedPolicyDocumentException: Policy contains a statement with no principal.
    status code: 400, request id: c587edb4-0b57-11e8-a95a-31abf030f480

It looks like the AWS APIs now require an administrator and (possibly) one non-admin user to be associated with the KMS key used for CloudTrail encryption. Could you try the following:

  • Set the kms_key_administrator_iam_arns variable to include a user and see if you can now apply without an error?
  • If you still receive an error, set the kms_key_user_iam_arns variable as well and apply and see if it works.

Thanks,
Matt
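
An added example, not part of the original ticket or the module's own code: a Python check that flags key policy statements with a missing or empty principal, the condition the MalformedPolicyDocumentException above reports, so a rendered policy can be checked before it is applied. The sample policy, its Sid names and the function names are constructed for illustration.

```python
import json

# Constructed sample: a key policy as it could render when the administrator
# and user ARN lists are both empty. Sid names are hypothetical.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudTrailEncrypt", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
        {"Sid": "KeyAdministrators", "Effect": "Allow",
         "Principal": {"AWS": []},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyUsers", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
})


def _has_principal(stmt):
    """True if the statement names at least one principal."""
    for key in ("Principal", "NotPrincipal"):
        value = stmt.get(key)
        if isinstance(value, str) and value.strip():
            return True  # e.g. "*"
        if isinstance(value, dict):
            for entries in value.values():
                if isinstance(entries, str):
                    entries = [entries]
                if any(isinstance(e, str) and e.strip() for e in entries or []):
                    return True
    return False


def statements_without_principal(policy_json):
    """Return the Sid (or index) of each statement that has no principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", f"#{i}") for i, s in enumerate(statements)
            if not _has_principal(s)]


if __name__ == "__main__":
    for sid in statements_without_principal(SAMPLE_POLICY):
        print(f"statement {sid} has no principal")
```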