NRL-1188 athena kms

jackleary · axelkrastek1-nhs · commit d99de7704903 · 2024-12-05T08:14:18.000Z
diff --git a/terraform/account-wide-infrastructure/modules/athena/athena.tf b/terraform/account-wide-infrastructure/modules/athena/athena.tf
@@ -4,8 +4,8 @@ resource "aws_athena_database" "reporting-db" {
   bucket = aws_s3_bucket.target-data-bucket.bucket
 
 #   encryption_configuration {
-#     encryption_option = var.encryption_option
-#     kms_key           = var.kms_key_arn
+#     encryption_option = "SSE_KMS"
+#     kms_key           = aws_kms_key.athena.arn
 #   }
 
   force_destroy = true
@@ -19,14 +19,13 @@ resource "aws_athena_workgroup" "athena" {
     publish_cloudwatch_metrics_enabled = true
 
     result_configuration {
-      output_location = "s3://{aws_s3_bucket.example.bucket}/output/"
+      output_location = "s3://{aws_s3_bucket.athena.bucket}/output/"
 
       encryption_configuration {
         encryption_option = "SSE_KMS"
-        kms_key_arn       = var.kms_key_arn
+        kms_key_arn       = aws_kms_key.athena.arn
       }
     }
   }
 
-  tags = var.common_tags
 }
diff --git a/terraform/account-wide-infrastructure/modules/athena/kms.tf b/terraform/account-wide-infrastructure/modules/athena/kms.tf
@@ -0,0 +1,7 @@
+resource "aws_kms_key" "athena" {
+}
+
+resource "aws_kms_alias" "athena" {
+  name          = "alias/${var.prefix}-athena"
+  target_key_id = aws_kms_key.athena.key_id
+}
diff --git a/terraform/account-wide-infrastructure/modules/athena/s3.tf b/terraform/account-wide-infrastructure/modules/athena/s3.tf
@@ -8,7 +8,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "athena" {
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm     = "aws:kms"
-      kms_master_key_id = var.kms_key_arn
+      kms_master_key_id = aws_kms_key.athena.arn
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,8 @@ resource "aws_athena_database" "reporting-db" {`
`4`	`4`	`bucket = aws_s3_bucket.target-data-bucket.bucket`
`5`	`5`
`6`	`6`	`# encryption_configuration {`
`7`		`-# encryption_option = var.encryption_option`
`8`		`-# kms_key = var.kms_key_arn`
	`7`	`+# encryption_option = "SSE_KMS"`
	`8`	`+# kms_key = aws_kms_key.athena.arn`
`9`	`9`	`# }`
`10`	`10`
`11`	`11`	`force_destroy = true`
`@@ -19,14 +19,13 @@ resource "aws_athena_workgroup" "athena" {`
`19`	`19`	`publish_cloudwatch_metrics_enabled = true`
`20`	`20`
`21`	`21`	`result_configuration {`
`22`		`- output_location = "s3://{aws_s3_bucket.example.bucket}/output/"`
	`22`	`+ output_location = "s3://{aws_s3_bucket.athena.bucket}/output/"`
`23`	`23`
`24`	`24`	`encryption_configuration {`
`25`	`25`	`encryption_option = "SSE_KMS"`
`26`		`- kms_key_arn = var.kms_key_arn`
	`26`	`+ kms_key_arn = aws_kms_key.athena.arn`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
`31`		`- tags = var.common_tags`
`32`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "athena" {`
`8`	`8`	`rule {`
`9`	`9`	`apply_server_side_encryption_by_default {`
`10`	`10`	`sse_algorithm = "aws:kms"`
`11`		`- kms_master_key_id = var.kms_key_arn`
	`11`	`+ kms_master_key_id = aws_kms_key.athena.arn`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`