Reenables Customer CMK for Flowlogs and Cloudtrail

These were disabled due to a bug in AWS.

To be tagged v3.2.4

base/account_standards/cloudtrail.tf

@@ -5,7 +5,6 @@ module "cloudtrail-logging" {
   cloudtrail_name   = "xdr-centralized-cloudtrail"
   cloudtrail_bucket = "xdr-cloudtrail-logs-${local.logging_environment}"
   iam_path          = "/aws_services/"
-  # kms broken in us-gov-east-1: Reenable after 11/15/2021
   kms_key_id        = var.cloudtrail_key_arn
   log_group_name    = var.log_group_name
   retention_in_days = 7 # Days available in the local account cloudtrail logs. See the S3 bucket for retention there.

base/account_standards/flowlogs.tf

@@ -2,8 +2,7 @@
 resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
   name = "vpc_flow_logs"
   retention_in_days = 7
-  # kms broken in us-gov-east-1. Reenable after 11/15/2021
-  #kms_key_id = var.cloudtrail_key_arn
+  kms_key_id = var.cloudtrail_key_arn
   tags = merge(var.standard_tags, var.tags)
 }
 

thirdparty/terraform-aws-cloudtrail-logging/main.tf

@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "cwl_policy" {
 
 resource "aws_cloudwatch_log_group" "cwl_loggroup" {
   name              = var.log_group_name
-  #kms_key_id        = var.kms_key_id
+  kms_key_id        = var.kms_key_id
   retention_in_days = var.retention_in_days == -1 ? null : var.retention_in_days
 }