CIS requirement. But also, there is no reason _not_ to rotate: AWS keeps all the old keys regardless. To be tagged v0.7.7
@@ -86,6 +86,7 @@ resource "aws_sns_topic_subscription" "config-notifications-to-queue" {
resource "aws_kms_key" "config-notifications-key" {
description = "Encryption of SNS and SQS queue for config change notifications"
policy = data.aws_iam_policy_document.config-notifications-kms-policy.json
+ enable_key_rotation = true
}
data "aws_iam_policy_document" "config-notifications-kms-policy" {
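Review bot: The new `enable_key_rotation = true` on `config-notifications-key` is unexplained in the file itself; the rationale lives only in the commit message, so a later reader cannot tell it is a compliance control rather than an arbitrary setting. Add a comment above it, e.g. `# Automatic rotation is a CIS benchmark requirement; AWS retains old key material, so existing ciphertext stays decryptable.` The same comment belongs wherever the flag is added to `new_object_key` (the hunk at @@ -182 is truncated here) and to the module's `key` resource. Rotation uses the AWS default period unless the provider version in use supports `rotation_period_in_days` and it is set explicitly; if the default is acceptable for the CIS control, say so in the comment. The key policy referenced on the previous line is defined outside this hunk.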
@@ -182,6 +182,7 @@ resource "aws_sns_topic_subscription" "bucket_change_notification_to_queue" {
resource "aws_kms_key" "new_object_key" {
description = "Encryption of SNS and SQS queues on new S3 objects"
policy = data.aws_iam_policy_document.new_object_key_kms_policy.json
@@ -1,5 +1,6 @@
resource "aws_kms_key" "key" {
- description = var.description
+ description = var.description
policy = data.aws_iam_policy_document.kms_policy.json
tags = merge(
var.standard_tags,
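Review bot: The hunk header announces one net added line (-1,5 +1,6), but the only visible change is `description = var.description` removed and re-added with identical text, which looks like a whitespace or alignment change; the line that actually enables rotation on the module's `key` resource does not appear in this view. Either it was lost in rendering or the module key never received `enable_key_rotation = true` — worth confirming, since a shared module key left unrotated would silently miss the CIS control the commit sets out to meet. If the line is present, it should carry the same rationale comment as the service-specific keys.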
@@ -5,7 +5,8 @@
# with the corresponding service. This key is available as a fallback,
# but better to create one per service.