feat: Set kms_key_identifier for EventBridge archives (#175)

Author: dnno

examples/with-archive/main.tf

@@ -7,6 +7,10 @@ provider "aws" {
   skip_credentials_validation = true
 }
 
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+
 module "eventbridge" {
   source = "../../"
 
@@ -62,6 +66,7 @@ module "eventbridge_archive_only" {
           "detail-type" : ["EC2 Instance Launch Successful"]
         }
       )
+      kms_key_identifier = module.kms.key_id
     }
   }
 
@@ -79,3 +84,48 @@ resource "random_pet" "this" {
 resource "aws_cloudwatch_event_bus" "existing_bus" {
   name = "${random_pet.this.id}-existing-bus"
 }
+
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 2.0"
+  description = "KMS key for cross region automated backups replication"
+
+  # Aliases
+  aliases                 = ["test"]
+  aliases_use_name_prefix = true
+  key_statements = [
+    {
+      sid = "Allow eventbridge"
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["events.amazonaws.com"]
+        }
+      ]
+      actions = [
+        "kms:DescribeKey",
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ]
+      resources = ["*"]
+      conditions = [
+        {
+          test     = "StringEquals"
+          variable = "kms:EncryptionContext:aws:events:event-bus:arn"
+          values = [
+            "arn:aws:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+          ]
+        },
+        {
+          test     = "StringEquals"
+          variable = "aws:SourceArn"
+          values = [
+            "arn:aws:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:event-bus/example",
+          ]
+        }
+      ]
+    }
+  ]
+
+  key_owners = [data.aws_caller_identity.current.arn]
+}

examples/with-pipes/main.tf

@@ -33,7 +33,8 @@ module "eventbridge" {
   }
 
   api_destinations = {
-    smee = { # This key should match the key inside "connections"
+    smee = {
+      # This key should match the key inside "connections"
       description                      = "my smee endpoint"
       invocation_endpoint              = "https://smee.io/6hx6fuQaVUKLfALn"
       http_method                      = "POST"
@@ -47,7 +48,8 @@ module "eventbridge" {
       source = aws_sqs_queue.source.arn
       target = aws_sqs_queue.target.arn
 
-      enrichment = "smee" # This key should match the key inside "api_destinations"
+      enrichment = "smee"
+      # This key should match the key inside "api_destinations"
       enrichment_parameters = {
         input_template = jsonencode({ input : "yes" })
 
@@ -325,6 +327,16 @@ module "eventbridge" {
       }
     }
 
+    custom_kms_key = {
+      source             = aws_sqs_queue.source.arn
+      target             = aws_sqs_queue.target.arn
+      kms_key_identifier = module.kms.key_id
+
+      tags = {
+        Pipe = "minimal"
+      }
+    }
+
     # Minimal with IAM role created outside of the module
     minimal_external_role = {
       create_role = false
@@ -358,7 +370,6 @@ resource "random_pet" "this" {
   length = 2
 }
 
-
 ###############################
 # API Destination / Connection
 ###############################

main.tf

@@ -287,9 +287,10 @@ resource "aws_cloudwatch_event_archive" "this" {
   name             = lookup(each.value, "name", each.key)
   event_source_arn = try(each.value["event_source_arn"], aws_cloudwatch_event_bus.this[0].arn)
 
-  description    = lookup(each.value, "description", null)
-  event_pattern  = lookup(each.value, "event_pattern", null)
-  retention_days = lookup(each.value, "retention_days", null)
+  description        = lookup(each.value, "description", null)
+  event_pattern      = lookup(each.value, "event_pattern", null)
+  retention_days     = lookup(each.value, "retention_days", null)
+  kms_key_identifier = lookup(each.value, "kms_key_identifier", null)
 }
 
 resource "aws_cloudwatch_event_permission" "this" {
@@ -667,8 +668,9 @@ resource "aws_pipes_pipe" "this" {
   source = each.value.source
   target = each.value.target
 
-  description   = lookup(each.value, "description", null)
-  desired_state = lookup(each.value, "desired_state", null)
+  kms_key_identifier = lookup(each.value, "kms_key_identifier", null)
+  description        = lookup(each.value, "description", null)
+  desired_state      = lookup(each.value, "desired_state", null)
 
   dynamic "source_parameters" {
     for_each = try([each.value.source_parameters], [])

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.2"
     }
   }
 }