TracecatHQ
diff --git a/‎deployments/eks/main.tf‎
Lines changed: 9 additions & 0 deletions b/‎deployments/eks/main.tf‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎deployments/eks/modules/eks/helm.tf‎
Lines changed: 10 additions & 0 deletions b/‎deployments/eks/modules/eks/helm.tf‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎deployments/eks/modules/eks/variables.tf‎
Lines changed: 48 additions & 0 deletions b/‎deployments/eks/modules/eks/variables.tf‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎deployments/eks/variables.tf‎
Lines changed: 48 additions & 0 deletions b/‎deployments/eks/variables.tf‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎deployments/fargate/main.tf‎
Lines changed: 21 additions & 14 deletions b/‎deployments/fargate/main.tf‎
Lines changed: 21 additions & 14 deletions
diff --git a/‎deployments/fargate/modules/ecs/iam.tf‎
Lines changed: 3 additions & 0 deletions b/‎deployments/fargate/modules/ecs/iam.tf‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎deployments/fargate/modules/ecs/locals.tf‎
Lines changed: 8 additions & 4 deletions b/‎deployments/fargate/modules/ecs/locals.tf‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎deployments/fargate/modules/ecs/secrets.tf‎
Lines changed: 58 additions & 1 deletion b/‎deployments/fargate/modules/ecs/secrets.tf‎
Lines changed: 58 additions & 1 deletion
diff --git a/‎deployments/fargate/modules/ecs/variables.tf‎
Lines changed: 42 additions & 0 deletions b/‎deployments/fargate/modules/ecs/variables.tf‎
Lines changed: 42 additions & 0 deletions
@@ -133,4 +133,13 @@ module "eks" {
 
   # Feature flags (maps to enterprise.featureFlags)
   feature_flags = var.feature_flags
+
+  temporal_payload_encryption_enabled                        = var.temporal_payload_encryption_enabled
+  temporal_payload_encryption_key_version                    = var.temporal_payload_encryption_key_version
+  temporal_payload_encryption_cache_ttl_seconds              = var.temporal_payload_encryption_cache_ttl_seconds
+  temporal_payload_encryption_cache_max_items                = var.temporal_payload_encryption_cache_max_items
+  temporal_payload_encryption_existing_secret                = var.temporal_payload_encryption_existing_secret
+  temporal_payload_encryption_payload_key_secret_key         = var.temporal_payload_encryption_payload_key_secret_key
+  temporal_payload_encryption_visibility_hmac_secret_key     = var.temporal_payload_encryption_visibility_hmac_secret_key
+  temporal_payload_encryption_codec_server_shared_secret_key = var.temporal_payload_encryption_codec_server_shared_secret_key
 }
@@ -150,6 +150,16 @@ resource "helm_release" "tracecat" {
             scrape  = true
           }
         }
+        temporalPayloadEncryption = {
+          enabled                    = var.temporal_payload_encryption_enabled
+          keyVersion                 = var.temporal_payload_encryption_key_version
+          cacheTtlSeconds            = var.temporal_payload_encryption_cache_ttl_seconds
+          cacheMaxItems              = var.temporal_payload_encryption_cache_max_items
+          secretName                 = var.temporal_payload_encryption_existing_secret
+          payloadKeySecretKey        = var.temporal_payload_encryption_payload_key_secret_key
+          visibilityHmacKeySecretKey = var.temporal_payload_encryption_visibility_hmac_secret_key
+          codecServerSharedSecretKey = var.temporal_payload_encryption_codec_server_shared_secret_key
+        }
       }
       # PostgreSQL TLS configuration with AWS RDS CA certificate
       externalPostgres = {
 
@@ -556,6 +556,54 @@ variable "feature_flags" {
   default     = ""
 }
 
+variable "temporal_payload_encryption_enabled" {
+  description = "Enable application-layer encryption for Temporal payloads"
+  type        = bool
+  default     = false
+}
+
+variable "temporal_payload_encryption_key_version" {
+  description = "Current Temporal payload encryption key version"
+  type        = string
+  default     = "1"
+}
+
+variable "temporal_payload_encryption_cache_ttl_seconds" {
+  description = "In-memory cache TTL in seconds for resolved Temporal encryption keys"
+  type        = number
+  default     = 3600
+}
+
+variable "temporal_payload_encryption_cache_max_items" {
+  description = "Maximum number of cached Temporal encryption keys"
+  type        = number
+  default     = 128
+}
+
+variable "temporal_payload_encryption_existing_secret" {
+  description = "Existing Kubernetes Secret name for Temporal payload encryption secrets"
+  type        = string
+  default     = ""
+}
+
+variable "temporal_payload_encryption_payload_key_secret_key" {
+  description = "Secret key name for the Temporal payload encryption root key"
+  type        = string
+  default     = "payloadEncryptionKey"
+}
+
+variable "temporal_payload_encryption_visibility_hmac_secret_key" {
+  description = "Secret key name for the Temporal visibility HMAC key"
+  type        = string
+  default     = "visibilityHmacKey"
+}
+
+variable "temporal_payload_encryption_codec_server_shared_secret_key" {
+  description = "Secret key name for the Temporal codec server shared secret"
+  type        = string
+  default     = "codecServerSharedSecret"
+}
+
 # Auth Configuration
 variable "auth_types" {
   description = "Comma-separated authentication types (e.g., 'oidc', 'basic,saml', 'basic,oidc')"
 
@@ -602,3 +602,51 @@ variable "feature_flags" {
   type        = string
   default     = ""
 }
+
+variable "temporal_payload_encryption_enabled" {
+  description = "Enable application-layer encryption for Temporal payloads"
+  type        = bool
+  default     = false
+}
+
+variable "temporal_payload_encryption_key_version" {
+  description = "Current Temporal payload encryption key version"
+  type        = string
+  default     = "1"
+}
+
+variable "temporal_payload_encryption_cache_ttl_seconds" {
+  description = "In-memory cache TTL in seconds for resolved Temporal encryption keys"
+  type        = number
+  default     = 3600
+}
+
+variable "temporal_payload_encryption_cache_max_items" {
+  description = "Maximum number of cached Temporal encryption keys"
+  type        = number
+  default     = 128
+}
+
+variable "temporal_payload_encryption_existing_secret" {
+  description = "Existing Kubernetes Secret name for Temporal payload encryption secrets"
+  type        = string
+  default     = ""
+}
+
+variable "temporal_payload_encryption_payload_key_secret_key" {
+  description = "Secret key name for the Temporal payload encryption root key"
+  type        = string
+  default     = "payloadEncryptionKey"
+}
+
+variable "temporal_payload_encryption_visibility_hmac_secret_key" {
+  description = "Secret key name for the Temporal visibility HMAC key"
+  type        = string
+  default     = "visibilityHmacKey"
+}
+
+variable "temporal_payload_encryption_codec_server_shared_secret_key" {
+  description = "Secret key name for the Temporal codec server shared secret"
+  type        = string
+  default     = "codecServerSharedSecret"
+}
@@ -54,17 +54,21 @@ module "ecs" {
   temporal_namespace         = var.temporal_namespace
 
   # Container environment variables
-  tracecat_app_env                       = var.tracecat_app_env
-  log_level                              = var.log_level
-  temporal_log_level                     = var.temporal_log_level
-  feature_flags                          = var.feature_flags
-  ee_multi_tenant                        = var.ee_multi_tenant
-  context_compression_enabled            = var.context_compression_enabled
-  context_compression_threshold_kb       = var.context_compression_threshold_kb
-  result_externalization_enabled         = var.result_externalization_enabled
-  collection_manifests_enabled           = var.collection_manifests_enabled
-  result_externalization_threshold_bytes = var.result_externalization_threshold_bytes
-  workflow_artifact_retention_days       = var.workflow_artifact_retention_days
+  tracecat_app_env                              = var.tracecat_app_env
+  log_level                                     = var.log_level
+  temporal_log_level                            = var.temporal_log_level
+  feature_flags                                 = var.feature_flags
+  ee_multi_tenant                               = var.ee_multi_tenant
+  context_compression_enabled                   = var.context_compression_enabled
+  context_compression_threshold_kb              = var.context_compression_threshold_kb
+  temporal_payload_encryption_enabled           = var.temporal_payload_encryption_enabled
+  temporal_payload_encryption_key_version       = var.temporal_payload_encryption_key_version
+  temporal_payload_encryption_cache_ttl_seconds = var.temporal_payload_encryption_cache_ttl_seconds
+  temporal_payload_encryption_cache_max_items   = var.temporal_payload_encryption_cache_max_items
+  result_externalization_enabled                = var.result_externalization_enabled
+  collection_manifests_enabled                  = var.collection_manifests_enabled
+  result_externalization_threshold_bytes        = var.result_externalization_threshold_bytes
+  workflow_artifact_retention_days              = var.workflow_artifact_retention_days
 
   # Database connection pool
   db_max_overflow          = var.db_max_overflow
@@ -83,9 +87,12 @@ module "ecs" {
   temporal_db_snapshot_name        = var.temporal_db_snapshot_name
 
   # Secrets from AWS Secrets Manager
-  tracecat_db_encryption_key_arn = var.tracecat_db_encryption_key_arn
-  tracecat_service_key_arn       = var.tracecat_service_key_arn
-  tracecat_signing_secret_arn    = var.tracecat_signing_secret_arn
+  tracecat_db_encryption_key_arn          = var.tracecat_db_encryption_key_arn
+  tracecat_service_key_arn                = var.tracecat_service_key_arn
+  tracecat_signing_secret_arn             = var.tracecat_signing_secret_arn
+  temporal_payload_encryption_key_arn     = var.temporal_payload_encryption_key_arn
+  temporal_visibility_hmac_key_arn        = var.temporal_visibility_hmac_key_arn
+  temporal_codec_server_shared_secret_arn = var.temporal_codec_server_shared_secret_arn
 
   # Authentication
   auth_types               = var.auth_types
 
@@ -137,6 +137,9 @@ resource "aws_iam_policy" "secrets_access" {
           var.tracecat_db_encryption_key_arn,
           var.tracecat_service_key_arn,
           var.tracecat_signing_secret_arn,
+          var.temporal_payload_encryption_key_arn,
+          var.temporal_visibility_hmac_key_arn,
+          var.temporal_codec_server_shared_secret_arn,
           var.oauth_client_id_arn,
           var.oauth_client_secret_arn,
           var.oidc_client_id_arn,
 
@@ -40,6 +40,10 @@ locals {
     TRACECAT__EE_MULTI_TENANT                        = var.ee_multi_tenant
     TRACECAT__CONTEXT_COMPRESSION_ENABLED            = var.context_compression_enabled
     TRACECAT__CONTEXT_COMPRESSION_THRESHOLD_KB       = var.context_compression_threshold_kb
+    TEMPORAL__PAYLOAD_ENCRYPTION_ENABLED             = var.temporal_payload_encryption_enabled
+    TEMPORAL__PAYLOAD_ENCRYPTION_KEY_VERSION         = var.temporal_payload_encryption_key_version
+    TEMPORAL__PAYLOAD_ENCRYPTION_CACHE_TTL_SECONDS   = var.temporal_payload_encryption_cache_ttl_seconds
+    TEMPORAL__PAYLOAD_ENCRYPTION_CACHE_MAX_ITEMS     = var.temporal_payload_encryption_cache_max_items
     TRACECAT__RESULT_EXTERNALIZATION_ENABLED         = var.result_externalization_enabled
     TRACECAT__COLLECTION_MANIFESTS_ENABLED           = var.collection_manifests_enabled
     TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES = var.result_externalization_threshold_bytes
@@ -148,10 +152,10 @@ locals {
   migrations_env = [
     for k, v in merge(
       {
-        LOG_LEVEL                  = var.log_level
-        TRACECAT__DB_SSLMODE       = "require"
-        TRACECAT__DB_ENDPOINT      = local.core_db_hostname
-        TRACECAT__FEATURE_FLAGS    = var.feature_flags
+        LOG_LEVEL               = var.log_level
+        TRACECAT__DB_SSLMODE    = "require"
+        TRACECAT__DB_ENDPOINT   = local.core_db_hostname
+        TRACECAT__FEATURE_FLAGS = var.feature_flags
       },
       local.tracecat_db_configs
     ) :
 
@@ -6,6 +6,9 @@
 # Optional secrets:
 # 1. OAUTH_CLIENT_ID
 # 2. OAUTH_CLIENT_SECRET
+# 3. TEMPORAL__PAYLOAD_ENCRYPTION_KEY
+# 4. TEMPORAL__VISIBILITY_HMAC_KEY
+# 5. TEMPORAL__CODEC_SERVER_SHARED_SECRET
 
 ### Required secrets
 data "aws_secretsmanager_secret" "tracecat_db_encryption_key" {
@@ -44,6 +47,21 @@ data "aws_secretsmanager_secret" "oidc_client_secret" {
   arn   = var.oidc_client_secret_arn
 }
 
+data "aws_secretsmanager_secret" "temporal_payload_encryption_key" {
+  count = var.temporal_payload_encryption_key_arn != null ? 1 : 0
+  arn   = var.temporal_payload_encryption_key_arn
+}
+
+data "aws_secretsmanager_secret" "temporal_visibility_hmac_key" {
+  count = var.temporal_visibility_hmac_key_arn != null ? 1 : 0
+  arn   = var.temporal_visibility_hmac_key_arn
+}
+
+data "aws_secretsmanager_secret" "temporal_codec_server_shared_secret" {
+  count = var.temporal_codec_server_shared_secret_arn != null ? 1 : 0
+  arn   = var.temporal_codec_server_shared_secret_arn
+}
+
 data "aws_secretsmanager_secret" "user_auth_secret" {
   count = var.user_auth_secret_arn != null ? 1 : 0
   arn   = var.user_auth_secret_arn
@@ -117,6 +135,21 @@ data "aws_secretsmanager_secret_version" "oidc_client_secret" {
   secret_id = data.aws_secretsmanager_secret.oidc_client_secret[0].id
 }
 
+data "aws_secretsmanager_secret_version" "temporal_payload_encryption_key" {
+  count     = var.temporal_payload_encryption_key_arn != null ? 1 : 0
+  secret_id = data.aws_secretsmanager_secret.temporal_payload_encryption_key[0].id
+}
+
+data "aws_secretsmanager_secret_version" "temporal_visibility_hmac_key" {
+  count     = var.temporal_visibility_hmac_key_arn != null ? 1 : 0
+  secret_id = data.aws_secretsmanager_secret.temporal_visibility_hmac_key[0].id
+}
+
+data "aws_secretsmanager_secret_version" "temporal_codec_server_shared_secret" {
+  count     = var.temporal_codec_server_shared_secret_arn != null ? 1 : 0
+  secret_id = data.aws_secretsmanager_secret.temporal_codec_server_shared_secret[0].id
+}
+
 data "aws_secretsmanager_secret_version" "user_auth_secret" {
   count     = var.user_auth_secret_arn != null ? 1 : 0
   secret_id = data.aws_secretsmanager_secret.user_auth_secret[0].id
@@ -203,9 +236,33 @@ locals {
     }
   ] : []
 
+  temporal_payload_encryption_secret = var.temporal_payload_encryption_key_arn != null ? [
+    {
+      name      = "TEMPORAL__PAYLOAD_ENCRYPTION_KEY"
+      valueFrom = data.aws_secretsmanager_secret_version.temporal_payload_encryption_key[0].arn
+    }
+  ] : []
+
+  temporal_visibility_hmac_secret = var.temporal_visibility_hmac_key_arn != null ? [
+    {
+      name      = "TEMPORAL__VISIBILITY_HMAC_KEY"
+      valueFrom = data.aws_secretsmanager_secret_version.temporal_visibility_hmac_key[0].arn
+    }
+  ] : []
+
+  temporal_codec_server_shared_secret = var.temporal_codec_server_shared_secret_arn != null ? [
+    {
+      name      = "TEMPORAL__CODEC_SERVER_SHARED_SECRET"
+      valueFrom = data.aws_secretsmanager_secret_version.temporal_codec_server_shared_secret[0].arn
+    }
+  ] : []
+
   tracecat_base_secrets = concat(
     local.required_tracecat_base_secrets,
-    local.temporal_api_key_secret
+    local.temporal_api_key_secret,
+    local.temporal_payload_encryption_secret,
+    local.temporal_visibility_hmac_secret,
+    local.temporal_codec_server_shared_secret
   )
 
   oauth_client_id_secret = var.oauth_client_id_arn != null ? [
 
@@ -286,6 +286,30 @@ variable "context_compression_threshold_kb" {
   default     = 16
 }
 
+variable "temporal_payload_encryption_enabled" {
+  type        = bool
+  description = "Enable application-layer encryption for Temporal payloads"
+  default     = false
+}
+
+variable "temporal_payload_encryption_key_version" {
+  type        = string
+  description = "Current Temporal payload encryption key version"
+  default     = "1"
+}
+
+variable "temporal_payload_encryption_cache_ttl_seconds" {
+  type        = number
+  description = "In-memory cache TTL in seconds for resolved Temporal encryption keys"
+  default     = 3600
+}
+
+variable "temporal_payload_encryption_cache_max_items" {
+  type        = number
+  description = "Maximum number of cached Temporal encryption keys"
+  default     = 128
+}
+
 ### Secret ARNs
 
 variable "tracecat_db_encryption_key_arn" {
@@ -303,6 +327,24 @@ variable "tracecat_signing_secret_arn" {
   description = "The ARN of the secret containing the Tracecat signing secret"
 }
 
+variable "temporal_payload_encryption_key_arn" {
+  type        = string
+  description = "The ARN of the secret containing the Temporal payload encryption root key"
+  default     = null
+}
+
+variable "temporal_visibility_hmac_key_arn" {
+  type        = string
+  description = "The ARN of the secret containing the Temporal visibility HMAC key"
+  default     = null
+}
+
+variable "temporal_codec_server_shared_secret_arn" {
+  type        = string
+  description = "The ARN of the secret containing the Temporal codec server shared secret"
+  default     = null
+}
+
 variable "oauth_client_id_arn" {
   type        = string
   description = "The ARN of the secret containing the OAuth client ID (optional)"
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,16 @@ resource "helm_release" "tracecat" {`
`150`	`150`	`scrape = true`
`151`	`151`	`}`
`152`	`152`	`}`
	`153`	`+ temporalPayloadEncryption = {`
	`154`	`+ enabled = var.temporal_payload_encryption_enabled`
	`155`	`+ keyVersion = var.temporal_payload_encryption_key_version`
	`156`	`+ cacheTtlSeconds = var.temporal_payload_encryption_cache_ttl_seconds`
	`157`	`+ cacheMaxItems = var.temporal_payload_encryption_cache_max_items`
	`158`	`+ secretName = var.temporal_payload_encryption_existing_secret`
	`159`	`+ payloadKeySecretKey = var.temporal_payload_encryption_payload_key_secret_key`
	`160`	`+ visibilityHmacKeySecretKey = var.temporal_payload_encryption_visibility_hmac_secret_key`
	`161`	`+ codecServerSharedSecretKey = var.temporal_payload_encryption_codec_server_shared_secret_key`
	`162`	`+ }`
`153`	`163`	`}`
`154`	`164`	`# PostgreSQL TLS configuration with AWS RDS CA certificate`
`155`	`165`	`externalPostgres = {`