Merge pull request #4 from rajdban/main

CMK changes to Step Functions,SQS

Author: anindith123

source/event-pipes/main.tf

@@ -58,6 +58,28 @@ resource "aws_iam_role_policy" "target" {
   })
 }
 
+resource "aws_iam_role_policy" "kms" {
+  role = aws_iam_role.this.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ],
+        Resource = [
+          "*"
+        ]
+      },
+    ]
+  })
+}
+
 resource "aws_iam_role_policy" "invoke_dedup" {
   role = aws_iam_role.this.id
   policy = jsonencode({
@@ -81,6 +103,7 @@ resource "aws_pipes_pipe" "this" {
   role_arn = aws_iam_role.this.arn
   source   = var.stream_arn
   target   = var.eb_arn
+  kms_key_identifier = var.kms_key_id
   #target = "arn:aws:events:eu-west-1:926516876030:event-bus/default"
 
   source_parameters {
@@ -146,4 +169,4 @@ resource "aws_pipes_pipe" "this" {
     EOT
   }
 
-}
+}

source/event-pipes/variables.tf

@@ -26,4 +26,10 @@ variable "target_event_source" {
   type        = string
   description = "Source property of the event published to the target."
   default     = null
-}
+}
+
+variable "kms_key_id" {
+  description = "Pass the ARN of the KMS Key Id for CMK"
+  type        = string
+  default     = null
+}

source/event_bridge/main.tf

@@ -45,7 +45,8 @@ locals {
   }
 }
 resource "aws_cloudwatch_event_bus" "this" {
-  name = var.event_bridge_name
+  name               = var.event_bridge_name
+  kms_key_identifier = var.kms_key_id
 }
 
 resource "aws_schemas_discoverer" "this" {
@@ -285,4 +286,4 @@ resource "aws_cloudwatch_event_target" "posted_queue" {
   dead_letter_config {
     arn = aws_sqs_queue.dlq.arn
   }
-}
+}

source/event_bridge/variables.tf

@@ -50,4 +50,10 @@ variable "state_machine_arn" {
   type        = string
   default     = ""
   description = "Pass the State Machine arn"
-}
+}
+
+variable "kms_key_id" {
+  description = "Pass the ARN of the KMS Key Id for CMK"
+  type        = string
+  default     = null
+}

source/main.tf

@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 provider "random" {}
+data "aws_caller_identity" "current" {}
 
 locals {
   definition_template = <<EOF
@@ -203,6 +204,10 @@ locals {
   }
 }
 EOF
+tags = {
+    Name        = "payments"
+    Environment = "PROD"
+  }
 }
 
 
@@ -225,6 +230,7 @@ module "dynamodb" {
 module "event_bridge" {
   source            = "./event_bridge"
   event_bridge_name = var.event_bridge_name
+  kms_key_id        = module.kms.key_arn
   posting_queue_arn = module.posting_queue.arn
   posted_queue_arn  = module.posted_queue.arn
   enrich_lambda_arn = module.enrich_lambda.arn
@@ -263,6 +269,7 @@ module "event-pipes" {
   stream_arn               = module.dynamodb.stream_arn
   eb_arn                   = module.event_bridge.arn
   lambda_arn               = module.dedup_lambda.arn
+  kms_key_id               = module.kms.key_arn
   target_event_detail_type = "TransactionAuthorized"
   target_event_source      = "octank.payments.posting.visaIngest"
 }
@@ -369,6 +376,51 @@ module "fx_lambda" {
 
 }
 
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 1.0"
+  description = "Securing SFN and EventBridge with KMS Keys"
+
+  # Aliases
+  aliases                 = ["realtimepayments"]
+  aliases_use_name_prefix = true
+
+  #key_owners = [data.aws_caller_identity.current.arn]
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "default",
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowSFNEventBridgeToGenerateDataKey",
+        Effect = "Allow",
+        Principal = {
+          #Service = "events.amazonaws.com"
+          Service = ["events.amazonaws.com", "pipes.amazonaws.com", "states.amazonaws.com"]
+        },
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*" 
+      }
+    ]
+  })
+  
+  tags = local.tags
+}
+
 module "sfn" {
   source = "./stepfunction"
 
@@ -379,6 +431,12 @@ module "sfn" {
   definition = local.definition_template
   publish    = true
 
+  encryption_configuration = {
+    type                              = "CUSTOMER_MANAGED_KMS_KEY"
+    kms_key_id                        = module.kms.key_arn
+    kms_data_key_reuse_period_seconds = 600
+  }
+
   logging_configuration = {
     include_execution_data = true
     level                  = "ALL"
@@ -390,6 +448,10 @@ module "sfn" {
       xray = true
     }
 
+    kms = {
+      kms = true
+    }
+
     stepfunction = {
       stepfunction = true
     }

source/stepfunction/locals.tf

@@ -15,6 +15,15 @@ locals {
       }
     }
 
+    kms = {
+      kms = {
+        actions = [
+          "kms:*"
+        ]
+        default_resources = ["*"]
+      }
+    }
+
     stepfunction = {
       stepfunction = {
         actions = [
@@ -55,4 +64,4 @@ locals {
   }
 }
 
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {}

source/stepfunction/main.tf

@@ -21,6 +21,16 @@ resource "aws_sfn_state_machine" "this" {
   definition = var.definition
   publish    = var.publish
 
+  dynamic "encryption_configuration" {
+    for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
+
+    content {
+      type                              = encryption_configuration.value.type
+      kms_key_id                        = try(encryption_configuration.value.kms_key_id, null)
+      kms_data_key_reuse_period_seconds = try(encryption_configuration.value.kms_data_key_reuse_period_seconds, null)
+    }
+  }
+
   dynamic "logging_configuration" {
     for_each = local.enable_logging ? [true] : []
 
@@ -313,4 +323,4 @@ resource "aws_cloudwatch_log_group" "sfn" {
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
 
   tags = merge(var.tags, var.cloudwatch_log_group_tags)
-}
+}

source/stepfunction/variables.tf

@@ -73,6 +73,12 @@ variable "publish" {
   default     = false
 }
 
+variable "encryption_configuration" {
+  description = "Newly added encryption configuration which is used to encrypt data in the State Machine."
+  type        = any
+  default     = {}
+}
+
 #################
 # CloudWatch Logs
 #################
@@ -256,4 +262,4 @@ variable "policy_statements" {
   description = "Map of dynamic policy statements to attach to IAM role"
   type        = any
   default     = {}
-}
+}