How do you write a custom check that requires one resource referencing another?

[agjmills]

AWS KMS keys names don't display in the console, you have to create a KMS Key alias.

This is a separate resource, and you'd write it like this:

resource "aws_kms_key" "a" {}

resource "aws_kms_alias" "a" {
  name          = "alias/my-key-alias"
  target_key_id = aws_kms_key.a.key_id
}

How would I write a rule which checks that at least one alias exists for an aws_kms_key resource?

[aleksandary]

https://aquasecurity.github.io/tfsec/v1.27.1/guides/configuration/custom-checks/#requirespresence

[cadeff01]

That would check for any alias though wouldn't it? So two keys with only one having an alias would still pass the check even though not correct.