feat: Encrypted data at REST on SQS by default (philips-labs#2431)
npalm authored Sep 16, 2022
1 parent 78e99d1 commit 7f3f4bf
Showing 2 changed files with 27 additions and 1 deletion.
9 changes: 8 additions & 1 deletion main.tf
Expand Up @@ -62,10 +62,13 @@ resource "aws_sqs_queue" "queued_builds" {
maxReceiveCount = var.redrive_build_queue.maxReceiveCount
}) : null

sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
kms_master_key_id = var.queue_encryption.kms_master_key_id
kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds

tags = var.tags
}


resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
count = var.redrive_build_queue.enabled ? 1 : 0
queue_url = aws_sqs_queue.queued_builds.id
Expand All @@ -76,6 +79,10 @@ resource "aws_sqs_queue" "queued_builds_dlq" {
count = var.redrive_build_queue.enabled ? 1 : 0
name = "${var.prefix}-queued-builds_dead_letter"

sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
kms_master_key_id = var.queue_encryption.kms_master_key_id
kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds

tags = var.tags
}

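Review bot: When `kms_master_key_id` is set, the principals that produce to or consume from `queued_builds` and `queued_builds_dlq` (and the SQS service itself, via the key policy) need `kms:GenerateDataKey` and `kms:Decrypt` on that key; nothing in this diff grants that, so presumably it is left to the caller, which the three new `sqs_managed_sse_enabled`/`kms_*` lines do not say. A comment above them, `# With a customer managed KMS key the key policy and the producer/consumer roles must allow kms:GenerateDataKey and kms:Decrypt; this module does not manage those grants.`, would spare operators a failed-send debugging round. The same three lines are repeated verbatim for the DLQ; a `locals` entry holding the encryption arguments would keep both queues in step if more options are added later. Both resource bodies extend beyond the hunk.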
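--- a/variables.tf
+++ b/variables.tf
@@ -677,3 +677,22 @@ variable "enable_runner_binaries_syncer" {
 type = bool
 default = true
 }
+
+variable "queue_encryption" {
+description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
+type = object({
+kms_data_key_reuse_period_seconds = number
+kms_master_key_id = string
+sqs_managed_sse_enabled = bool
+})
+default = {
+kms_data_key_reuse_period_seconds = null
+kms_master_key_id = null
+sqs_managed_sse_enabled = true
+}
+validation {
+condition = var.queue_encryption == null || var.queue_encryption.sqs_managed_sse_enabled != null && var.queue_encryption.kms_master_key_id == null && var.queue_encryption.kms_data_key_reuse_period_seconds == null || var.queue_encryption.sqs_managed_sse_enabled == null && var.queue_encryption.kms_master_key_id != null
+error_message = "Invalid configuration for `queue_encryption`. Valid configurations are encryption disabled, enabled via SSE. Or encryption via KMS."
+}
+}
+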
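Review bot: The validation's first alternative, `var.queue_encryption == null || ...`, explicitly accepts a null `queue_encryption`, yet main.tf reads `var.queue_encryption.sqs_managed_sse_enabled` and the two `kms_*` attributes from it unconditionally, so a caller who passes `null` presumably gets an attribute-on-null error at plan time instead of this validation's message; either drop the `== null` alternative and add `nullable = false` to the variable, or wrap the reads in main.tf with `try(var.queue_encryption.<attr>, null)`. The rest of the condition is a mixed `||`/`&&` chain that relies on `&&` binding tighter; parenthesising the two remaining alternatives as `(var.queue_encryption.sqs_managed_sse_enabled != null && ... == null) || (var.queue_encryption.sqs_managed_sse_enabled == null && var.queue_encryption.kms_master_key_id != null)` makes the intended "SSE or KMS, not both" reading explicit. The description string carries several typos (`ecrypted`, `encryped`, `KMSS`, `encryptes`) that will surface in generated module docs.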