NRL-693 add kms key encryption for sns topic

eesa456 · eesa456 · commit 41d5b5ce00d0 · 2024-07-12T09:59:11.000+01:00
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/iam.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/iam.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "lambda-errors-topic-kms-read-write" {
+  name        = "${var.name_prefix}-lambda-errors-topic-kms-read-write"
+  description = "Encrypt and decrypt with the lambda errors sns topic kms key"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:GenerateDataKey"
+        ]
+        Effect = "Allow"
+        Resource = [
+          aws_kms_key.lambda-errors-topic-key.arn
+        ]
+      }
+    ]
+  })
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/kms.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/kms.tf
@@ -0,0 +1,10 @@
+resource "aws_kms_key" "lambda-errors-topic-key" {
+  description             = "Lambda errors SNS topic table KMS key"
+  deletion_window_in_days = var.kms_deletion_window_in_days
+
+}
+
+resource "aws_kms_alias" "lambda-errors-topic-alias" {
+  name          = "alias/${var.name_prefix}-lambda-errors-topic-table-key"
+  target_key_id = aws_kms_key.lambda-errors-topic-key.key_id
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf
@@ -1,10 +1,11 @@
 resource "aws_sns_topic" "sns_topic" {
-  name = "${var.name_prefix}--lambda-errors-sns-topic"
+  name              = "${var.name_prefix}--lambda-errors-sns-topic"
+  kms_master_key_id = aws_kms_key.lambda-errors-topic-key.key_id
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription" {
-  for_each  = toset(data.aws_secretsmanager_secret_version.emails.secret_string)
+  for_each  = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
   topic_arn = aws_sns_topic.sns_topic.arn
   protocol  = "email"
-  endpoint  = each.value
+  endpoint  = sensitive(each.value)
 }
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf
@@ -54,3 +54,9 @@ variable "name_prefix" {
   type        = string
   description = "The prefix to apply to all resources in the module."
 }
+
+variable "kms_deletion_window_in_days" {
+  type        = number
+  description = "The duration in days after which the key is deleted after destruction of the resource."
+  default     = 7
+}

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,11 @@`
`1`	`1`	`resource "aws_sns_topic" "sns_topic" {`
`2`		`- name = "${var.name_prefix}--lambda-errors-sns-topic"`
	`2`	`+ name = "${var.name_prefix}--lambda-errors-sns-topic"`
	`3`	`+ kms_master_key_id = aws_kms_key.lambda-errors-topic-key.key_id`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`resource "aws_sns_topic_subscription" "sns_subscription" {`
`6`		`- for_each = toset(data.aws_secretsmanager_secret_version.emails.secret_string)`
	`7`	`+ for_each = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))`
`7`	`8`	`topic_arn = aws_sns_topic.sns_topic.arn`
`8`	`9`	`protocol = "email"`
`9`		`- endpoint = each.value`
	`10`	`+ endpoint = sensitive(each.value)`
`10`	`11`	`}`