From 9a2c79d56966da892aa639105d273ca0d380317c Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Mon, 7 Jul 2025 11:02:02 +0200
Subject: [PATCH 1/9] feat!: Set kms_key_identifier for EventBridge archives
---
 main.tf | 1 +
 versions.tf | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index b89644d..de79931 100644
--- a/main.tf
+++ b/main.tf
@@ -286,6 +286,7 @@ resource "aws_cloudwatch_event_archive" "this" {
 name = lookup(each.value, "name", each.key)
 event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
+ kms_key_identifier = var.kms_key_identifier
 description = lookup(each.value, "description", null)
 event_pattern = lookup(each.value, "event_pattern", null)
diff --git a/versions.tf b/versions.tf
index db13b0a..0d66b2d 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 6.0"
+ version = ">= 6.2"
 }
 }
 }
From 5b9a76928b006d6b97da3fe127c96fcb2bd48b45 Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Mon, 7 Jul 2025 13:27:37 +0200
Subject: [PATCH 2/9] feat!: Formatting and update of example
---
 examples/with-archive/main.tf | 50 +++++++++++++++++++++++++++++++++++
 main.tf | 4 +--
 2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/examples/with-archive/main.tf b/examples/with-archive/main.tf
index ba265d5..049a6af 100644
--- a/examples/with-archive/main.tf
+++ b/examples/with-archive/main.tf
@@ -7,6 +7,10 @@ provider "aws" {
 skip_credentials_validation = true
 }
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+
 module "eventbridge" {
 source = "../../"
@@ -50,6 +54,7 @@ module "eventbridge_archive_only" {
 create_bus = false
 create_archives = true
+ kms_key_identifier = module.kms.key_id
 archives = {
 "launch-archive-existing-bus" = {
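Review bot: `var.kms_key_identifier` is referenced on the added line of the `aws_cloudwatch_event_archive` hunk, but no variable declaration appears in this commit (the diffstat lists only main.tf and versions.tf), so the commit does not plan on its own unless variables.tf is covered elsewhere — the subject of patch 4 suggests it comes from PR #174. Patch 8 later replaces the reference with a per-archive `lookup(each.value, "kms_key_identifier", null)`, so if the series is squashed the variable is never needed; if the commits are kept separate, patch 1 and patch 4 should carry the declaration or be folded into patch 8. The provider floor moves to `>= 6.2` only in the root versions.tf and no examples/*/versions.tf appears in any diffstat, so confirm the examples pin a provider new enough for `kms_key_identifier` on this resource. The `aws_cloudwatch_event_archive` block continues outside the hunk.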
@@ -79,3 +84,48 @@ resource "random_pet" "this" {
 resource "aws_cloudwatch_event_bus" "existing_bus" {
 name = "${random_pet.this.id}-existing-bus"
 }
+
+module "kms" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "~> 2.0"
+ description = "KMS key for cross region automated backups replication"
+
+ # Aliases
+ aliases = ["test"]
+ aliases_use_name_prefix = true
+ key_statements = [
+ {
+ sid = "Allow eventbridge"
+ principals = [
+ {
+ type = "Service"
+ identifiers = ["events.amazonaws.com"]
+ }
+ ]
+ actions = [
+ "kms:DescribeKey",
+ "kms:GenerateDataKey",
+ "kms:Decrypt"
+ ]
+ resources = ["*"]
+ conditions = [
+ {
+ test = "StringEquals"
+ variable = "kms:EncryptionContext:aws:events:event-bus:arn"
+ values = [
+ "arn:aws:events:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+ ]
+ },
+ {
+ test = "StringEquals"
+ variable = "aws:SourceArn"
+ values = [
+ "arn:aws:events:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+ ]
+ }
+ ]
+ }
+ ]
+
+ key_owners = [data.aws_caller_identity.current.arn]
+}
diff --git a/main.tf b/main.tf
index de79931..24bdb4e 100644
--- a/main.tf
+++ b/main.tf
@@ -284,8 +284,8 @@ resource "aws_cloudwatch_event_archive" "this" {
 region = var.region
- name = lookup(each.value, "name", each.key)
- event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
+ name = lookup(each.value, "name", each.key)
+ event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
 kms_key_identifier = var.kms_key_identifier
 description = lookup(each.value, "description", null)
From 5b399627fcc3f0fe16b43ac2d3fed605c23bd873 Mon Sep 17 00:00:00 2001
From: dnno
Date: Wed, 9 Jul 2025 09:30:35 +0200
Subject: [PATCH 3/9] Use region property instead of id as per suggestion
Co-authored-by: Anton Babenko
---
 examples/with-archive/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
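Review bot: The two `StringEquals` conditions in the new `module "kms"` pin the key grant to a hand-built ARN for a bus named `example`, but the only consumer of `module.kms.key_id` in this file is `eventbridge_archive_only` with `create_bus = false`, whose archive is keyed `launch-archive-existing-bus` and so presumably sources `aws_cloudwatch_event_bus.existing_bus` (named `${random_pet.this.id}-existing-bus` in the hunk's context lines); if that is the source bus, the policy denies `kms:GenerateDataKey` for it and the archive cannot be encrypted with this key. Referencing the real bus, `values = [aws_cloudwatch_event_bus.existing_bus.arn]`, in both conditions keeps the grant scoped to exactly one bus without the string assembly, and removes the `data.aws_region` attribute that two later commits in the series have to rename. The `description` reads `KMS key for cross region automated backups replication`, which looks copied from another example; `description = "KMS key for EventBridge archive encryption"` says what the key is for. The `module "kms"` block is complete within the hunk.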
diff --git a/examples/with-archive/main.tf b/examples/with-archive/main.tf
index 049a6af..4f68c88 100644
--- a/examples/with-archive/main.tf
+++ b/examples/with-archive/main.tf
@@ -113,7 +113,7 @@ module "kms" {
 test = "StringEquals"
 variable = "kms:EncryptionContext:aws:events:event-bus:arn"
 values = [
- "arn:aws:events:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+ "arn:aws:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:event-bus/example",
 ]
 },
 {
From 2b6d7d5500dffcda97015021f4b7800c2dfe19e2 Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 09:37:35 +0200
Subject: [PATCH 4/9] Combine with PR #174: Eventbridge kms key identifier
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index 24bdb4e..1591fe7 100644
--- a/main.tf
+++ b/main.tf
@@ -668,6 +668,7 @@ resource "aws_pipes_pipe" "this" {
 source = each.value.source
 target = each.value.target
+ kms_key_identifier = var.kms_key_identifier
 description = lookup(each.value, "description", null)
 desired_state = lookup(each.value, "desired_state", null)
From 0c9f4a7b1449bd3217b81cd7996f941694642bb8 Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 09:46:09 +0200
Subject: [PATCH 5/9] Formatting
---
 examples/with-archive/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/with-archive/main.tf b/examples/with-archive/main.tf
index 4f68c88..d8c3e2d 100644
--- a/examples/with-archive/main.tf
+++ b/examples/with-archive/main.tf
@@ -52,8 +52,8 @@ module "eventbridge" {
 module "eventbridge_archive_only" {
 source = "../../"
- create_bus = false
- create_archives = true
+ create_bus = false
+ create_archives = true
 kms_key_identifier = module.kms.key_id
 archives = {
From b91a2a3819d4f6602928d624796768c6eed2116e Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 09:46:36 +0200
Subject: [PATCH 6/9] Formatting
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 1591fe7..8ffc949 100644
--- a/main.tf
+++ b/main.tf
@@ -669,8 +669,8 @@ resource "aws_pipes_pipe" "this" {
 target = each.value.target
 kms_key_identifier = var.kms_key_identifier
- description = lookup(each.value, "description", null)
- desired_state = lookup(each.value, "desired_state", null)
+ description = lookup(each.value, "description", null)
+ desired_state = lookup(each.value, "desired_state", null)
 dynamic "source_parameters" {
 for_each = try([each.value.source_parameters], [])
From 1a71d15a6b83b70d148687e8bf04cd22d7cc4b02 Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 10:03:29 +0200
Subject: [PATCH 7/9] Use region property
---
 examples/with-archive/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/with-archive/main.tf b/examples/with-archive/main.tf
index d8c3e2d..451ab93 100644
--- a/examples/with-archive/main.tf
+++ b/examples/with-archive/main.tf
@@ -120,7 +120,7 @@ module "kms" {
 test = "StringEquals"
 variable = "aws:SourceArn"
 values = [
- "arn:aws:events:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+ "arn:aws:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:event-bus/example",
 ]
 }
 ]
From a86221ca0a13889b355690f6afe82f1a3fe8e4e1 Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 11:10:04 +0200
Subject: [PATCH 8/9] Add kms_key_identifier property to individual pipes and archives
---
 examples/with-archive/main.tf | 6 +++---
 examples/with-pipes/main.tf | 26 ++++++++++++++++++++++++++
 main.tf | 14 +++++++-------
 3 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/examples/with-archive/main.tf b/examples/with-archive/main.tf
index 451ab93..b406dff 100644
--- a/examples/with-archive/main.tf
+++ b/examples/with-archive/main.tf
@@ -52,9 +52,8 @@ module "eventbridge" {
 module "eventbridge_archive_only" {
 source = "../../"
- create_bus = false
- create_archives = true
- kms_key_identifier = module.kms.key_id
+ create_bus = false
+ create_archives = true
 archives = {
 "launch-archive-existing-bus" = {
@@ -67,6 +66,7 @@ module "eventbridge_archive_only" {
 "detail-type" : ["EC2 Instance Launch Successful"]
 }
 )
+ kms_key_identifier = module.kms.key_id
 }
 }
diff --git a/examples/with-pipes/main.tf b/examples/with-pipes/main.tf
index 8efd3a2..0cd8307 100644
--- a/examples/with-pipes/main.tf
+++ b/examples/with-pipes/main.tf
@@ -350,6 +350,25 @@ module "eventbridge" {
 }
 }
+module "eventbridge_pipe_only" {
+ source = "../../"
+
+ create_bus = false
+
+ pipes = {
+ "pipe-for-existing-bus" = {
+ source = aws_sqs_queue.source.arn
+ target = aws_sqs_queue.target.arn
+ kms_key_identifier = module.kms.key_id
+ }
+
+ tags = {
+ Pipe = "pipe-for-existing-bus"
+ }
+ }
+ depends_on = [aws_cloudwatch_event_bus.existing_bus]
+}
+
 ##################
 # Extra resources
 ##################
@@ -358,6 +377,13 @@ resource "random_pet" "this" {
 length = 2
 }
+###############################
+# Event Bus
+###############################
+
+resource "aws_cloudwatch_event_bus" "existing_bus" {
+ name = "${random_pet.this.id}-existing-bus"
+}
 ###############################
 # API Destination / Connection
diff --git a/main.tf b/main.tf
index 8ffc949..55634ed 100644
--- a/main.tf
+++ b/main.tf
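Review bot: `module.kms.key_id` is referenced in the new `eventbridge_pipe_only` pipe of examples/with-pipes/main.tf, but no `module "kms"` is added to that file anywhere in this series (every diffstat for the example names only this file and none of its hunks declares one), so unless such a module already exists outside these hunks `terraform init` fails on an undeclared module; the same reference survives in the `custom_kms_key` pipe that patch 9 adds after this module is removed. If the intent is to copy the key module from examples/with-archive, note that its only policy statement grants `events.amazonaws.com` under a `kms:EncryptionContext:aws:events:event-bus:arn` condition, which a pipe is unlikely to present, so the Pipes service would be denied the key; the statement for this example needs the principal and encryption-context key that EventBridge Pipes uses, taken from the AWS documentation rather than reused from the event-bus case. `create_bus = false` together with `depends_on = [aws_cloudwatch_event_bus.existing_bus]` ties the module to a bus that none of its pipes reference, which patch 9 drops again along with the module. The `aws_cloudwatch_event_bus` and `eventbridge_pipe_only` blocks are complete within their hunks.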
@@ -284,13 +284,13 @@ resource "aws_cloudwatch_event_archive" "this" {
 region = var.region
- name = lookup(each.value, "name", each.key)
- event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
- kms_key_identifier = var.kms_key_identifier
+ name = lookup(each.value, "name", each.key)
+ event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
- description = lookup(each.value, "description", null)
- event_pattern = lookup(each.value, "event_pattern", null)
- retention_days = lookup(each.value, "retention_days", null)
+ description = lookup(each.value, "description", null)
+ event_pattern = lookup(each.value, "event_pattern", null)
+ retention_days = lookup(each.value, "retention_days", null)
+ kms_key_identifier = lookup(each.value, "kms_key_identifier", null)
 }
 resource "aws_cloudwatch_event_permission" "this" {
@@ -668,7 +668,7 @@ resource "aws_pipes_pipe" "this" {
 source = each.value.source
 target = each.value.target
- kms_key_identifier = var.kms_key_identifier
+ kms_key_identifier = lookup(each.value, "kms_key_identifier", null)
 description = lookup(each.value, "description", null)
 desired_state = lookup(each.value, "desired_state", null)
From 84f20266d9ab53a1d532fc4736970378eecd21fd Mon Sep 17 00:00:00 2001
From: Reinhard Prechtl
Date: Wed, 9 Jul 2025 11:34:20 +0200
Subject: [PATCH 9/9] Rework example
---
 examples/with-pipes/main.tf | 43 ++++++++++++------------------------
 1 file changed, 14 insertions(+), 29 deletions(-)
diff --git a/examples/with-pipes/main.tf b/examples/with-pipes/main.tf
index 0cd8307..79b27c2 100644
--- a/examples/with-pipes/main.tf
+++ b/examples/with-pipes/main.tf
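Review bot: The new per-entry `kms_key_identifier = lookup(each.value, "kms_key_identifier", null)` in the `aws_cloudwatch_event_archive` hunk is undocumented: no variables.tf or README appears in any diffstat of the series, so the `archives` and `pipes` variable descriptions say nothing about the new key, what identifier it takes, or that the referenced KMS key's policy must let the service use it. A sentence in each description such as `kms_key_identifier - identifier of a customer managed KMS key (for example its ARN) used to encrypt the archive; omit to keep the AWS-owned key. The key policy must allow the EventBridge service principal, see examples/with-archive` would make the contract visible, and the same applies to the `aws_pipes_pipe` hunk below. Because the default is `null`, the change is additive for existing callers; the `feat!:` marker in the subjects is then carried only by the provider floor raised to `>= 6.2` in patch 1, which is worth stating explicitly in the changelog. Both resource blocks continue outside their hunks.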
@@ -33,7 +33,8 @@ module "eventbridge" {
 }
 api_destinations = {
- smee = { # This key should match the key inside "connections"
+ smee = {
+ # This key should match the key inside "connections"
 description = "my smee endpoint"
 invocation_endpoint = "https://smee.io/6hx6fuQaVUKLfALn"
 http_method = "POST"
@@ -47,7 +48,8 @@ module "eventbridge" {
 source = aws_sqs_queue.source.arn
 target = aws_sqs_queue.target.arn
- enrichment = "smee" # This key should match the key inside "api_destinations"
+ enrichment = "smee"
+ # This key should match the key inside "api_destinations"
 enrichment_parameters = {
 input_template = jsonencode({ input : "yes" })
@@ -325,6 +327,16 @@ module "eventbridge" {
 }
 }
+ custom_kms_key = {
+ source = aws_sqs_queue.source.arn
+ target = aws_sqs_queue.target.arn
+ kms_key_identifier = module.kms.key_id
+
+ tags = {
+ Pipe = "minimal"
+ }
+ }
+
 # Minimal with IAM role created outside of the module
 minimal_external_role = {
 create_role = false
@@ -350,25 +362,6 @@ module "eventbridge" {
 }
 }
-module "eventbridge_pipe_only" {
- source = "../../"
-
- create_bus = false
-
- pipes = {
- "pipe-for-existing-bus" = {
- source = aws_sqs_queue.source.arn
- target = aws_sqs_queue.target.arn
- kms_key_identifier = module.kms.key_id
- }
-
- tags = {
- Pipe = "pipe-for-existing-bus"
- }
- }
- depends_on = [aws_cloudwatch_event_bus.existing_bus]
-}
-
 ##################
 # Extra resources
 ##################
@@ -377,14 +370,6 @@ resource "random_pet" "this" {
 length = 2
 }
-###############################
-# Event Bus
-###############################
-
-resource "aws_cloudwatch_event_bus" "existing_bus" {
- name = "${random_pet.this.id}-existing-bus"
-}
-
 ###############################
 # API Destination / Connection
 ###############################
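Review bot: Moving `# This key should match the key inside "connections"` from the end of the `smee = {` line to the line after it places the comment inside the block, above `description`, where it no longer reads as describing the map key; the same happens in the next hunk, where the comment now sits between `enrichment = "smee"` and `enrichment_parameters` and reads as if it described the latter. Putting each comment on the line above the attribute it refers to (`# This key should match the key inside "connections"` directly above `smee = {`, and likewise above `enrichment = "smee"`) keeps the original meaning while still satisfying the formatter. The `module "eventbridge"` block starts and ends outside both hunks.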
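Review bot: The new `custom_kms_key` pipe in the `@@ -325,6 +327,16 @@` hunk is tagged `Pipe = "minimal"`, evidently copied from the `minimal` entry it sits next to, so the two pipes become indistinguishable by tag; `Pipe = "custom_kms_key"` follows the convention the neighbouring entries use. A one-line comment above the entry, like the `# Minimal with IAM role created outside of the module` comment on the next entry — for instance `# Pipe encrypted with a customer managed KMS key; the key policy must allow the Pipes service` — would tell a reader what this entry demonstrates. The `pipes` map and the enclosing `module "eventbridge"` continue outside the hunk.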