sfn encryption (#66)

Author: magreenbaum

Diff for: README.md

@@ -134,13 +134,13 @@ module "step_function" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.61 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.6 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.61 |
 
 ## Modules
 
@@ -192,6 +192,7 @@ No modules.
 | <a name="input_create"></a> [create](#input\_create) | Whether to create Step Function resource | `bool` | `true` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create IAM role for the Step Function | `bool` | `true` | no |
 | <a name="input_definition"></a> [definition](#input\_definition) | The Amazon States Language definition of the Step Function | `string` | `""` | no |
+| <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | Defines what encryption configuration is used to encrypt data in the State Machine. | `any` | `{}` | no |
 | <a name="input_logging_configuration"></a> [logging\_configuration](#input\_logging\_configuration) | Defines what execution history events are logged and where they are logged | `map(string)` | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the Step Function | `string` | `""` | no |
 | <a name="input_number_of_policies"></a> [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no |

Diff for: examples/complete/README.md

@@ -23,15 +23,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.61 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.6 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.61 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2 |
 
@@ -40,6 +40,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_disabled_step_function"></a> [disabled\_step\_function](#module\_disabled\_step\_function) | ../../ | n/a |
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 |
 | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 2.0 |
 | <a name="module_step_function"></a> [step\_function](#module\_step\_function) | ../../ | n/a |
 | <a name="module_step_function_with_existing_log_group"></a> [step\_function\_with\_existing\_log\_group](#module\_step\_function\_with\_existing\_log\_group) | ../../ | n/a |
@@ -52,6 +53,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

Diff for: examples/complete/main.tf

@@ -5,10 +5,14 @@ provider "aws" {
   skip_metadata_api_check     = true
   skip_region_validation      = true
   skip_credentials_validation = true
-  skip_requesting_account_id  = true
 }
 
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 locals {
+  name = "ex-${basename(path.cwd)}"
+
   definition_template = <<EOF
 {
   "Comment": "A Hello World example of the Amazon States Language using Pass states",
@@ -27,6 +31,12 @@ locals {
   }
 }
 EOF
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-step-functions"
+    GithubOrg  = "terraform-aws-modules"
+  }
 }
 
 module "step_function" {
@@ -39,6 +49,12 @@ module "step_function" {
   definition = local.definition_template
   publish    = true
 
+  encryption_configuration = {
+    type                              = "CUSTOMER_MANAGED_KMS_KEY"
+    kms_key_id                        = module.kms.key_arn
+    kms_data_key_reuse_period_seconds = 600
+  }
+
   logging_configuration = {
     include_execution_data = true
     level                  = "ALL"
@@ -145,6 +161,16 @@ EOF
       actions   = ["s3:HeadObject", "s3:GetObject"],
       resources = ["arn:aws:s3:::my-bucket/*"]
     }
+    kms = {
+      effect    = "Allow"
+      actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
+      resources = [module.kms.key_arn]
+      condition = [{
+        test     = "StringEquals"
+        variable = "kms:EncryptionContext:aws:states:stateMachineArn"
+        values   = ["arn:aws:states:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:stateMachine:${random_pet.this.id}"]
+      }]
+    }
   }
 
   ###########################
@@ -157,9 +183,9 @@ EOF
     update = "30m"
   }
 
-  tags = {
+  tags = merge(local.tags, {
     Module = "step_function"
-  }
+  })
 }
 
 ###############################################
@@ -168,6 +194,8 @@ EOF
 
 resource "aws_cloudwatch_log_group" "external" {
   name = "${random_pet.this.id}-my-log-group"
+
+  tags = local.tags
 }
 
 module "step_function_with_existing_log_group" {
@@ -187,6 +215,8 @@ module "step_function_with_existing_log_group" {
     level                  = "ERROR"
   }
 
+  tags = local.tags
+
   depends_on = [aws_cloudwatch_log_group.external]
 }
 
@@ -222,6 +252,8 @@ module "lambda_function" {
 
   create_package         = false
   local_existing_package = local.downloaded
+
+  tags = local.tags
 }
 
 ###########
@@ -244,4 +276,20 @@ resource "random_pet" "this" {
 
 resource "aws_sqs_queue" "queue" {
   name = random_pet.this.id
+
+  tags = local.tags
+}
+
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 1.0"
+  description = "KMS key for step functions"
+
+  # Aliases
+  aliases                 = [local.name]
+  aliases_use_name_prefix = true
+
+  key_owners = [data.aws_caller_identity.current.arn]
+
+  tags = local.tags
 }

Diff for: examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.6"
+      version = ">= 5.61"
     }
     random = {
       source  = "hashicorp/random"

Diff for: main.tf

@@ -21,6 +21,16 @@ resource "aws_sfn_state_machine" "this" {
   definition = var.definition
   publish    = var.publish
 
+  dynamic "encryption_configuration" {
+    for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
+
+    content {
+      type                              = encryption_configuration.value.type
+      kms_key_id                        = try(encryption_configuration.value.kms_key_id, null)
+      kms_data_key_reuse_period_seconds = try(encryption_configuration.value.kms_data_key_reuse_period_seconds, null)
+    }
+  }
+
   dynamic "logging_configuration" {
     for_each = local.enable_logging ? [true] : []
 

Diff for: variables.tf

@@ -73,6 +73,12 @@ variable "publish" {
   default     = false
 }
 
+variable "encryption_configuration" {
+  description = "Defines what encryption configuration is used to encrypt data in the State Machine."
+  type        = any
+  default     = {}
+}
+
 #################
 # CloudWatch Logs
 #################

Diff for: versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.6"
+      version = ">= 5.61"
     }
   }
 }