Add KMS encryption to topic

Author: dlzhry2nhs

infra/batch_processor_errors_sns_topic.tf

@@ -1,5 +1,6 @@
 resource "aws_sns_topic" "batch_processor_errors" {
-  name  = "${var.environment}-batch-processor-errors"
+  name              = "${var.environment}-batch-processor-errors"
+  kms_master_key_id = aws_kms_key.batch_processor_errors_sns_encryption_key.arn
 }
 
 resource "aws_sns_topic_policy" "batch_processor_errors_topic_policy" {

infra/kms.tf

@@ -179,3 +179,44 @@ resource "aws_kms_alias" "id_sync_sqs_encryption" {
   target_key_id = aws_kms_key.id_sync_sqs_encryption.key_id
 }
 
+resource "aws_kms_key" "batch_processor_errors_sns_encryption_key" {
+  description             = "KMS key for encrypting the batch processor errors SNS Topic messages"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      local.policy_statement_allow_administration,
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sns.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          "Service": "cloudwatch.amazonaws.com"
+        },
+        Action = ["kms:GenerateDataKey*", "kms:Decrypt"],
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          "Service": "chatbot.amazonaws.com"
+        },
+        Action = ["kms:GenerateDataKey*", "kms:Decrypt"],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_alias" "batch_processor_errors_sns_encryption_key" {
+  name          = "alias/${var.environment}-batch-processor-errors-imms-sns-encryption"
+  target_key_id = aws_kms_key.batch_processor_errors_sns_encryption_key.key_id
+}