Merge pull request #1 from rajdban/kms

Kms changes for SFN

Author: rajdban

source/main.tf

@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 provider "random" {}
+data "aws_caller_identity" "current" {}
 
 locals {
   definition_template = <<EOF
@@ -203,6 +204,10 @@ locals {
   }
 }
 EOF
+tags = {
+    Name        = "payments"
+    Environment = "PROD"
+  }
 }
 
 
@@ -369,6 +374,20 @@ module "fx_lambda" {
 
 }
 
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 1.0"
+  description = "Securing SFN with KMS Keys"
+
+  # Aliases
+  aliases                 = ["realtimepayments"]
+  aliases_use_name_prefix = true
+
+  key_owners = [data.aws_caller_identity.current.arn]
+
+  tags = local.tags
+}
+
 module "sfn" {
   source = "./stepfunction"
 
@@ -379,6 +398,12 @@ module "sfn" {
   definition = local.definition_template
   publish    = true
 
+  encryption_configuration = {
+    type                              = "CUSTOMER_MANAGED_KMS_KEY"
+    kms_key_id                        = module.kms.key_arn
+    kms_data_key_reuse_period_seconds = 600
+  }
+
   logging_configuration = {
     include_execution_data = true
     level                  = "ALL"

source/stepfunction/main.tf

@@ -21,6 +21,16 @@ resource "aws_sfn_state_machine" "this" {
   definition = var.definition
   publish    = var.publish
 
+  dynamic "encryption_configuration" {
+    for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
+
+    content {
+      type                              = encryption_configuration.value.type
+      kms_key_id                        = try(encryption_configuration.value.kms_key_id, null)
+      kms_data_key_reuse_period_seconds = try(encryption_configuration.value.kms_data_key_reuse_period_seconds, null)
+    }
+  }
+
   dynamic "logging_configuration" {
     for_each = local.enable_logging ? [true] : []
 
@@ -313,4 +323,4 @@ resource "aws_cloudwatch_log_group" "sfn" {
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
 
   tags = merge(var.tags, var.cloudwatch_log_group_tags)
-}
+}

source/stepfunction/variables.tf

@@ -73,6 +73,12 @@ variable "publish" {
   default     = false
 }
 
+variable "encryption_configuration" {
+  description = "Newly added encryption configuration which is used to encrypt data in the State Machine."
+  type        = any
+  default     = {}
+}
+
 #################
 # CloudWatch Logs
 #################
@@ -256,4 +262,4 @@ variable "policy_statements" {
   description = "Map of dynamic policy statements to attach to IAM role"
   type        = any
   default     = {}
-}
+}