From d6585a6893862ec42008fa393c11cb76641bd370 Mon Sep 17 00:00:00 2001
From: "marti.puig.tech"
Date: Wed, 26 Feb 2025 10:43:52 +0100
Subject: [PATCH 1/3] added dynamic block to enforce TLS messagin in SQS

---
modules/karpenter/main.tf | 25 +++++++++++++++++++++++++
modules/karpenter/variables.tf | 6 ++++++
2 files changed, 31 insertions(+)

diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index d03dfa49f8..2302b30c19 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -188,6 +188,31 @@ data "aws_iam_policy_document" "queue" {
]
}
}
+ dynamic "statement" {
+ for_each = var.queue_enforce_tls_messages ? [1] : []
+ content {
+ sid = "DenyNonTLS"
+ effect = "Deny"
+ actions= [
+ "sqs:SendMessage",
+ "sqs:ReceiveMessage"
+ ]
+ resources = [aws_sqs_queue.this[0].arn]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ principals {
+ type = "*"
+ identifiers = [
+ "*"
+ ]
+ }
+ }
+ }
}

resource "aws_sqs_queue_policy" "this" {
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
index 71b2cbdf38..daeeec9893 100644
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -207,6 +207,12 @@ variable "queue_kms_data_key_reuse_period_seconds" {
default = null
}

+variable "queue_enforce_tls_messages" {
+ description = "Enforces TLS messaging on the SQS queue"
+ type = bool
+ default = false
+}
+
################################################################################
# Node IAM Role
################################################################################
From f6425aa48d9354046a09ebb521e2ef7c1cdb77d2 Mon Sep 17 00:00:00 2001
From: "marti.puig.tech"
Date: Wed, 26 Feb 2025 10:58:49 +0100
Subject: [PATCH 2/3] updated example & readme

---
examples/karpenter/main.tf | 2 ++
modules/karpenter/README.md | 1 +
2 files changed, 3 insertions(+)

diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index 9961063c95..368032e764 100644
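Review bot: The new `DenyNonTLS` statement denies only `sqs:SendMessage` and `sqs:ReceiveMessage`, so a caller on plain HTTP can still run every other queue operation (DeleteMessage, ChangeMessageVisibility, GetQueueAttributes, PurgeQueue, and so on) against `aws_sqs_queue.this[0]`; if the intent is to enforce TLS for the queue, the statement should read `actions = ["sqs:*"]`, which is the form AWS documents for this control and the one policy scanners typically look for. Because the deny is conditioned on `aws:SecureTransport` being `false`, widening it to `sqs:*` with `principals` `*` cannot affect any TLS caller, so the allow statements that precede it in this policy document (presumably the EventBridge publisher and the Karpenter consumer) are unaffected. A one-line why-comment on the `for_each` would help operators, e.g. `# Opt-in: adding this Deny to an existing queue policy locks out any client still using plaintext HTTP`, and flipping the default to `true` is worth considering at the next breaking release. The enclosing `data "aws_iam_policy_document" "queue"` begins before this hunk, so I could not confirm it carries the same create guard that the `aws_sqs_queue.this[0]` index reference depends on.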
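Review bot: The description `Enforces TLS messaging on the SQS queue` on the new `queue_enforce_tls_messages` variable does not say what the toggle actually adds, so a reader cannot tell from the docs whether it changes the queue, the policy, or both. Suggest `description = "Determines whether a Deny statement rejecting requests made without TLS (aws:SecureTransport = false) is added to the SQS queue policy"`, which also makes the README row generated from it self-explanatory.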
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -119,6 +119,8 @@ module "karpenter" {
AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

+ # Used to enforce TLS messaging on SQS queue
+ queue_enforce_tls_messages = true
tags = local.tags
}

diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index fe1956eb80..aa83b25d09 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -175,6 +175,7 @@ No modules.
| [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
| [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
| [queue\_name](#input\_queue\_name) | Name of the SQS queue | `string` | `null` | no |
+| [queue\_enforce\_tls\_messages](#input\_queue\_enforce\_tls\_messages) | Enforces the SQS queue to use TLS messaging | `bool` | `false` | no |
| [rule\_name\_prefix](#input\_rule\_name\_prefix) | Prefix used for all event bridge rules | `string` | `"Karpenter"` | no |
| [service\_account](#input\_service\_account) | Service account to associate with the Karpenter Pod Identity | `string` | `"karpenter"` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
From 9d0e16376a6da74113180f05a90d5df14c5fccfc Mon Sep 17 00:00:00 2001
From: "marti.puig.tech"
Date: Wed, 26 Feb 2025 11:23:28 +0100
Subject: [PATCH 3/3] changes made by precommit checks

---
examples/karpenter/main.tf | 2 +-
modules/karpenter/README.md | 2 +-
modules/karpenter/main.tf | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index 368032e764..f2521b0e52 100644
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -121,7 +121,7 @@ module "karpenter" {

# Used to enforce TLS messaging on SQS queue
queue_enforce_tls_messages = true
- tags = local.tags
+ tags = local.tags
}

module "karpenter_disabled" {
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index aa83b25d09..d2868aa6d6 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -171,11 +171,11 @@ No modules.
| [node\_iam\_role\_permissions\_boundary](#input\_node\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| [node\_iam\_role\_tags](#input\_node\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| [node\_iam\_role\_use\_name\_prefix](#input\_node\_iam\_role\_use\_name\_prefix) | Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [queue\_enforce\_tls\_messages](#input\_queue\_enforce\_tls\_messages) | Enforces TLS messaging on the SQS queue | `bool` | `false` | no |
| [queue\_kms\_data\_key\_reuse\_period\_seconds](#input\_queue\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again | `number` | `null` | no |
| [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
| [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
| [queue\_name](#input\_queue\_name) | Name of the SQS queue | `string` | `null` | no |
-| [queue\_enforce\_tls\_messages](#input\_queue\_enforce\_tls\_messages) | Enforces the SQS queue to use TLS messaging | `bool` | `false` | no |
| [rule\_name\_prefix](#input\_rule\_name\_prefix) | Prefix used for all event bridge rules | `string` | `"Karpenter"` | no |
| [service\_account](#input\_service\_account) | Service account to associate with the Karpenter Pod Identity | `string` | `"karpenter"` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index 2302b30c19..39bc7ecdf8 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -188,12 +188,12 @@ data "aws_iam_policy_document" "queue" {
]
}
}
- dynamic "statement" {
+ dynamic "statement" {
for_each = var.queue_enforce_tls_messages ? [1] : []
content {
- sid = "DenyNonTLS"
+ sid = "DenyNonTLS"
effect = "Deny"
- actions= [
+ actions = [
"sqs:SendMessage",
"sqs:ReceiveMessage"
]