
logs encrypted with other aws account cmk #240

Open
hansadriaans opened this issue Feb 21, 2023 · 1 comment

Comments


hansadriaans commented Feb 21, 2023

Describe the bug
Working with organizations using multiple accounts, I created a bucket in the main control account. This is for logging all CloudWatch logs. However, every file logged has its own CMK that is not accessible from the main account.

To Reproduce
Steps to reproduce the behavior:

  1. deploy resource "aws_kms_key" "cloudtrail"
  2. the files will show in the selected bucket on the control account
  3. inside the control account the files are not accessible because the CMK is not accessible in the client account

Expected behavior
I want to read the files in the shared account.

Code Snippet

```hcl
statement {
  sid    = "Enable cross account log decryption"
  effect = "Allow"

  actions = [
    "kms:Decrypt",
    "kms:ReEncryptFrom",
  ]

  principals {
    type        = "AWS"
    identifiers = ["*"]
  }

  condition {
    test     = "StringEquals"
    variable = "kms:CallerAccount"
    values   = [data.aws_caller_identity.current.account_id]
  }

  condition {
    test     = "StringLike"
    variable = "kms:EncryptionContext:aws:cloudtrail:arn"
    values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
  }

  resources = ["*"]
}
```

Additional context
Changing

```hcl
condition {
  test     = "StringEquals"
  variable = "kms:CallerAccount"
  values   = [data.aws_caller_identity.current.account_id]
}
```

into `var.shared_account.account_id` does work, but Terraform corrects it on every deploy.
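One way to express the cross-account grant the issue is asking for, written here as an added example rather than the issue author's snippet or the module's own code. It keeps the two conditions from the original statement but names the allowed accounts explicitly instead of `identifiers = ["*"]`, and lists both the trail-owning account and the control account that owns the log bucket. The variable `shared_account_id`, the local `log_reader_account_ids` and the data source name `cloudtrail_kms` are assumptions; the `current` data sources are the ones used in the issue.

```hcl
# Added example, not code from the issue or the module.
# Assumption: var.shared_account_id is the 12-digit id of the control
# account that owns the log bucket and must be able to decrypt the objects.
variable "shared_account_id" {
  description = "Account id of the control account that reads the CloudTrail logs (assumed)"
  type        = string
}

locals {
  # Every account allowed to call kms:Decrypt on the log objects:
  # the account that owns the trail plus the control account.
  log_reader_account_ids = distinct([
    data.aws_caller_identity.current.account_id,
    var.shared_account_id,
  ])
}

data "aws_iam_policy_document" "cloudtrail_kms" {
  # The key-administration and CloudTrail encrypt statements that the key
  # already carries are unchanged and omitted here.

  statement {
    sid    = "Enable cross account log decryption"
    effect = "Allow"

    actions = [
      "kms:Decrypt",
      "kms:ReEncryptFrom",
    ]

    # Name the account roots instead of "*". The kms:CallerAccount
    # condition below then acts as a second, independent check rather
    # than being the only thing that narrows a wildcard principal.
    principals {
      type = "AWS"
      identifiers = [
        for id in local.log_reader_account_ids :
        "arn:${data.aws_partition.current.partition}:iam::${id}:root"
      ]
    }

    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = local.log_reader_account_ids
    }

    # Only ciphertext produced for this account's trails can be decrypted,
    # not arbitrary objects that happen to use the same key.
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }

    resources = ["*"]
  }
}
```

The key policy only grants the control account's root the ability to use the key. Cross-account KMS access needs both sides: the roles or users in the control account that actually read the objects still need an identity-based IAM policy allowing `kms:Decrypt` on this key's ARN, otherwise `GetObject` on the SSE-KMS objects keeps failing with an access-denied error from KMS even though the key policy is correct.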

@esacteksab
Contributor

Apologies for the late response. Thanks to @DanielRussell, their PR has been merged. A version v5.3.0 has been released. Please let us know if this resolves your issue. Thank you!
