
Commit 7f3f4bf

feat: Encrypted data at REST on SQS by default (#2431)
1 parent 78e99d1 commit 7f3f4bf

2 files changed

+27
-1
lines changed


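--- a/main.tf
+++ b/main.tf
@@ -62,10 +62,13 @@ resource "aws_sqs_queue" "queued_builds" {
 maxReceiveCount = var.redrive_build_queue.maxReceiveCount
 }) : null
 
+sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
+kms_master_key_id = var.queue_encryption.kms_master_key_id
+kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds
+
 tags = var.tags
 }
 
-
 resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
 count = var.redrive_build_queue.enabled ? 1 : 0
 queue_url = aws_sqs_queue.queued_builds.id
@@ -76,6 +79,10 @@ resource "aws_sqs_queue" "queued_builds_dlq" {
 count = var.redrive_build_queue.enabled ? 1 : 0
 name = "${var.prefix}-queued-builds_dead_letter"
 
+sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
+kms_master_key_id = var.queue_encryption.kms_master_key_id
+kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds
+
 tags = var.tags
 }
 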
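Review bot: The three new attribute lines in the queued_builds hunk dereference var.queue_encryption unconditionally, yet the variable's validation in variables.tf explicitly accepts `var.queue_encryption == null` as the "encryption disabled" form, and evaluating `var.queue_encryption.sqs_managed_sse_enabled` on a null object is a plan-time error, so the one configuration the module advertises as valid cannot actually be applied. Either drop the null alternative from the validation (callers can already express "disabled" with `sqs_managed_sse_enabled = false`) or read the fields tolerantly, e.g. `sqs_managed_sse_enabled = try(var.queue_encryption.sqs_managed_sse_enabled, null)` and the same `try(...)` wrapper on the two kms_* lines; the queued_builds_dlq hunk has the identical issue. When a customer-managed kms_master_key_id is supplied, the principals that send to and receive from these queues presumably also need kms:GenerateDataKey and kms:Decrypt on that key, which nothing in this commit grants, so a note on the variable pointing that out would save operators a hard-to-diagnose SendMessage failure after enabling KMS.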
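--- a/variables.tf
+++ b/variables.tf
@@ -677,3 +677,22 @@ variable "enable_runner_binaries_syncer" {
 type = bool
 default = true
 }
+
+variable "queue_encryption" {
+description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
+type = object({
+kms_data_key_reuse_period_seconds = number
+kms_master_key_id = string
+sqs_managed_sse_enabled = bool
+})
+default = {
+kms_data_key_reuse_period_seconds = null
+kms_master_key_id = null
+sqs_managed_sse_enabled = true
+}
+validation {
+condition = var.queue_encryption == null || var.queue_encryption.sqs_managed_sse_enabled != null && var.queue_encryption.kms_master_key_id == null && var.queue_encryption.kms_data_key_reuse_period_seconds == null || var.queue_encryption.sqs_managed_sse_enabled == null && var.queue_encryption.kms_master_key_id != null
+error_message = "Invalid configuration for `queue_encryption`. Valid configurations are encryption disabled, enabled via SSE. Or encryption via KMS."
+}
+}
+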
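Review bot: The validation condition on the new variable mixes `||` and `&&` on one line without parentheses, so the three accepted shapes (disabled, SSE-SQS, KMS) are only readable if one remembers that `&&` binds tighter, and the shape that matters most for security review (a KMS key with no SSE flag) is the hardest to pick out; grouping each alternative in parentheses and splitting it across lines makes the policy auditable at a glance. The KMS branch also requires `sqs_managed_sse_enabled == null`, so a caller who writes `sqs_managed_sse_enabled = false` next to a key is rejected with the generic message — either accept that form or name the exact expected shape in error_message. The description has several typos (`ecrypted`, `encryped`, `KMSS`, `encryptes`); suggested wording: `"Configure how data on queues managed by the module is encrypted at rest. Options are: encrypted via SSE-SQS (the default), encrypted via a KMS key, or not encrypted. See the Terraform aws_sqs_queue resource for details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."`. Because every attribute of the object type is required, overriding one field forces callers to spell out all three with explicit nulls; if the module's minimum Terraform version supports `optional()` attributes, that would make the safe configurations easier to express.
```terraform
validation {
  condition = (
    var.queue_encryption == null
    || (var.queue_encryption.sqs_managed_sse_enabled != null && var.queue_encryption.kms_master_key_id == null && var.queue_encryption.kms_data_key_reuse_period_seconds == null)
    || (var.queue_encryption.sqs_managed_sse_enabled == null && var.queue_encryption.kms_master_key_id != null)
  )
  # … unchanged: error_message …
}
```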