Merge branch 'main' into dependabot/pip/source/src/posting/requests-2.32.0

brnkrygs · web-flow · commit 457c0f134dc6 · 2025-06-02T16:34:31.000-04:00
diff --git a/.github/solutionid_validator.sh b/.github/solutionid_validator.sh
@@ -0,0 +1,17 @@
+#!/bin/sh 
+#set -e 
+
+echo "checking solution id $1"
+echo "grep -nr --exclude-dir='.github' "$1" ./.."
+result=$(grep -nr --exclude-dir='.github' "$1" ./..)
+if [ $? -eq 0 ]
+then
+  echo "Solution ID $1 found\n"
+  echo "$result"
+  exit 0
+else
+  echo "Solution ID $1 not found"
+  exit 1
+fi
+
+export result
diff --git a/.github/workflows/maintainer_workflows.yml b/.github/workflows/maintainer_workflows.yml
@@ -0,0 +1,19 @@
+# Workflows managed by aws-solutions-library-samples maintainers
+name: Maintainer Workflows
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+    types: [opened, reopened, edited]
+
+jobs:
+  CheckSolutionId:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run solutionid validator
+        run: |
+          chmod u+x ./.github/solutionid_validator.sh
+          ./.github/solutionid_validator.sh ${{ vars.SOLUTIONID }}
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,3 @@
+CODEOWNERS @aws-solutions-library-samples/maintainers
+/.github/workflows/maintainer_workflows.yml @aws-solutions-library-samples/maintainers
+/.github/solutionid_validator.sh @aws-solutions-library-samples/maintainers
diff --git a/README.md b/README.md
diff --git a/assets/images/building-real-time-payment-systems-using-event-driven-architecture-on-aws.png b/assets/images/building-real-time-payment-systems-using-event-driven-architecture-on-aws.png
diff --git a/source/event-pipes/main.tf b/source/event-pipes/main.tf
@@ -58,6 +58,28 @@ resource "aws_iam_role_policy" "target" {
   })
 }
 
+resource "aws_iam_role_policy" "kms" {
+  role = aws_iam_role.this.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ],
+        Resource = [
+          "*"
+        ]
+      },
+    ]
+  })
+}
+
 resource "aws_iam_role_policy" "invoke_dedup" {
   role = aws_iam_role.this.id
   policy = jsonencode({
@@ -81,6 +103,7 @@ resource "aws_pipes_pipe" "this" {
   role_arn = aws_iam_role.this.arn
   source   = var.stream_arn
   target   = var.eb_arn
+  kms_key_identifier = var.kms_key_id
   #target = "arn:aws:events:eu-west-1:926516876030:event-bus/default"
 
   source_parameters {
@@ -146,4 +169,4 @@ resource "aws_pipes_pipe" "this" {
     EOT
   }
 
-}
+}
diff --git a/source/event-pipes/variables.tf b/source/event-pipes/variables.tf
@@ -26,4 +26,10 @@ variable "target_event_source" {
   type        = string
   description = "Source property of the event published to the target."
   default     = null
-}
+}
+
+variable "kms_key_id" {
+  description = "Pass the ARN of the KMS Key Id for CMK"
+  type        = string
+  default     = null
+}
diff --git a/source/event_bridge/main.tf b/source/event_bridge/main.tf
@@ -45,7 +45,8 @@ locals {
   }
 }
 resource "aws_cloudwatch_event_bus" "this" {
-  name = var.event_bridge_name
+  name               = var.event_bridge_name
+  kms_key_identifier = var.kms_key_id
 }
 
 resource "aws_schemas_discoverer" "this" {
@@ -285,4 +286,4 @@ resource "aws_cloudwatch_event_target" "posted_queue" {
   dead_letter_config {
     arn = aws_sqs_queue.dlq.arn
   }
-}
+}
diff --git a/source/event_bridge/variables.tf b/source/event_bridge/variables.tf
@@ -50,4 +50,10 @@ variable "state_machine_arn" {
   type        = string
   default     = ""
   description = "Pass the State Machine arn"
-}
+}
+
+variable "kms_key_id" {
+  description = "Pass the ARN of the KMS Key Id for CMK"
+  type        = string
+  default     = null
+}
diff --git a/source/main.tf b/source/main.tf
@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 provider "random" {}
+data "aws_caller_identity" "current" {}
 
 locals {
   definition_template = <<EOF
@@ -203,6 +204,10 @@ locals {
   }
 }
 EOF
+tags = {
+    Name        = "payments"
+    Environment = "PROD"
+  }
 }
 
 
@@ -225,6 +230,7 @@ module "dynamodb" {
 module "event_bridge" {
   source            = "./event_bridge"
   event_bridge_name = var.event_bridge_name
+  kms_key_id        = module.kms.key_arn
   posting_queue_arn = module.posting_queue.arn
   posted_queue_arn  = module.posted_queue.arn
   enrich_lambda_arn = module.enrich_lambda.arn
@@ -263,6 +269,7 @@ module "event-pipes" {
   stream_arn               = module.dynamodb.stream_arn
   eb_arn                   = module.event_bridge.arn
   lambda_arn               = module.dedup_lambda.arn
+  kms_key_id               = module.kms.key_arn
   target_event_detail_type = "TransactionAuthorized"
   target_event_source      = "octank.payments.posting.visaIngest"
 }
@@ -369,6 +376,51 @@ module "fx_lambda" {
   
 }
 
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 1.0"
+  description = "Securing SFN and EventBridge with KMS Keys"
+
+  # Aliases
+  aliases                 = ["realtimepayments"]
+  aliases_use_name_prefix = true
+
+  #key_owners = [data.aws_caller_identity.current.arn]
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "default",
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowSFNEventBridgeToGenerateDataKey",
+        Effect = "Allow",
+        Principal = {
+          #Service = "events.amazonaws.com"
+          Service = ["events.amazonaws.com", "pipes.amazonaws.com", "states.amazonaws.com"]
+        },
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*" 
+      }
+    ]
+  })
+  
+  tags = local.tags
+}
+
 module "sfn" {
   source = "./stepfunction"
 
@@ -379,6 +431,12 @@ module "sfn" {
   definition = local.definition_template
   publish    = true
 
+  encryption_configuration = {
+    type                              = "CUSTOMER_MANAGED_KMS_KEY"
+    kms_key_id                        = module.kms.key_arn
+    kms_data_key_reuse_period_seconds = 600
+  }
+
   logging_configuration = {
     include_execution_data = true
     level                  = "ALL"
@@ -390,6 +448,10 @@ module "sfn" {
       xray = true
     }
 
+    kms = {
+      kms = true
+    }
+
     stepfunction = {
       stepfunction = true
     }
@@ -460,7 +522,7 @@ resource "aws_cloudformation_stack" "guidance_deployment_metrics" {
     template_body = <<STACK
     {
         "AWSTemplateFormatVersion": "2010-09-09",
-        "Description": "AWS Guidance ID (SO123456)",
+        "Description": "Guidance for Building Payment Systems Using Event-Driven Architecture (SO9470)",
         "Resources": {
             "EmptyResource": {
                 "Type": "AWS::CloudFormation::WaitConditionHandle"
diff --git a/source/stepfunction/locals.tf b/source/stepfunction/locals.tf
@@ -15,6 +15,15 @@ locals {
       }
     }
 
+    kms = {
+      kms = {
+        actions = [
+          "kms:*"
+        ]
+        default_resources = ["*"]
+      }
+    }
+
     stepfunction = {
       stepfunction = {
         actions = [
@@ -55,4 +64,4 @@ locals {
   }
 }
 
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {}
diff --git a/source/stepfunction/main.tf b/source/stepfunction/main.tf
@@ -21,6 +21,16 @@ resource "aws_sfn_state_machine" "this" {
   definition = var.definition
   publish    = var.publish
 
+  dynamic "encryption_configuration" {
+    for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
+
+    content {
+      type                              = encryption_configuration.value.type
+      kms_key_id                        = try(encryption_configuration.value.kms_key_id, null)
+      kms_data_key_reuse_period_seconds = try(encryption_configuration.value.kms_data_key_reuse_period_seconds, null)
+    }
+  }
+
   dynamic "logging_configuration" {
     for_each = local.enable_logging ? [true] : []
 
@@ -313,4 +323,4 @@ resource "aws_cloudwatch_log_group" "sfn" {
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
 
   tags = merge(var.tags, var.cloudwatch_log_group_tags)
-}
+}
diff --git a/source/stepfunction/variables.tf b/source/stepfunction/variables.tf
@@ -73,6 +73,12 @@ variable "publish" {
   default     = false
 }
 
+variable "encryption_configuration" {
+  description = "Newly added encryption configuration which is used to encrypt data in the State Machine."
+  type        = any
+  default     = {}
+}
+
 #################
 # CloudWatch Logs
 #################
@@ -256,4 +262,4 @@ variable "policy_statements" {
   description = "Map of dynamic policy statements to attach to IAM role"
   type        = any
   default     = {}
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+CODEOWNERS @aws-solutions-library-samples/maintainers`
	`2`	`+/.github/workflows/maintainer_workflows.yml @aws-solutions-library-samples/maintainers`
	`3`	`+/.github/solutionid_validator.sh @aws-solutions-library-samples/maintainers`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,8 @@ locals {`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`	`resource "aws_cloudwatch_event_bus" "this" {`
`48`		`- name = var.event_bridge_name`
	`48`	`+ name = var.event_bridge_name`
	`49`	`+ kms_key_identifier = var.kms_key_id`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`resource "aws_schemas_discoverer" "this" {`
`@@ -285,4 +286,4 @@ resource "aws_cloudwatch_event_target" "posted_queue" {`
`285`	`286`	`dead_letter_config {`
`286`	`287`	`arn = aws_sqs_queue.dlq.arn`
`287`	`288`	`}`
`288`		`-}`
	`289`	`+}`