feat: added encryption config override (#669)

* added encryption config override

* added tests

---------

Co-authored-by: Dan Behrman <166764905+DanBehrman-CR@users.noreply.github.com>

Author: macdabby

lib/deploy/stepFunctions/compileIamRole.js

@@ -915,6 +915,13 @@ module.exports = {
         });
       }
 
+      if (stateMachineObj.encryptionConfig && stateMachineObj.encryptionConfig.KmsKeyId) {
+        iamPermissions.push({
+          action: 'kms:Decrypt,kms:Encrypt',
+          resource: { 'Fn::Sub': stateMachineObj.encryptionConfig.KmsKeyId },
+        });
+      }
+
       iamPermissions = consolidatePermissionsByAction(iamPermissions);
       iamPermissions = consolidatePermissionsByResource(iamPermissions);
       const iamStatements = getIamStatements(iamPermissions, stateMachineObj);

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -4425,7 +4425,6 @@ describe('#compileIamRole', () => {
     expect(boundary).to.equal('arn:aws:iam::myAccount:policy/permission_boundary');
   });
 
-
   it('should handle permissions listObjectsV2', () => {
     const myBucket = 'myBucket';
     serverless.service.stepFunctions = {
@@ -4477,4 +4476,29 @@ describe('#compileIamRole', () => {
     expect(statements[3].Resource[0]).to.equal(`arn:aws:s3:::${myBucket}`);
     expect(statements[3].Resource[1]).to.equal(`arn:aws:s3:::${myBucket}/*`);
   });
+
+  it('should add permissions for KMS key if present', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'StateMachine1',
+          encryptionConfig: {
+            KmsKeyId: 'arn:kms:....',
+          },
+          definition: {},
+        },
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service.provider
+      .compiledCloudFormationTemplate.Resources.StateMachine1Role.Properties.Policies[0]
+      .PolicyDocument.Statement;
+
+    expect(statements).to.have.lengthOf(1);
+    expect(statements[0].Effect).to.equal('Allow');
+    expect(statements[0].Action[0]).to.equal('kms:Decrypt');
+    expect(statements[0].Action[1]).to.equal('kms:Encrypt');
+    expect(statements[0].Resource[0]['Fn::Sub']).to.equal('arn:kms:....');
+  });
 });

lib/deploy/stepFunctions/compileStateMachines.js

@@ -100,6 +100,7 @@ module.exports = {
         let DependsOn = [];
         let LoggingConfiguration;
         let TracingConfiguration;
+        let EncryptionConfiguration;
         let Tags;
         if (stateMachineObj.inheritGlobalTags === false) {
           Tags = [];
@@ -219,6 +220,16 @@ module.exports = {
           };
         }
 
+        if (value.encryptionConfig) {
+          EncryptionConfiguration = {
+            KmsDataKeyReusePeriodSeconds: value.encryptionConfig.KmsDataKeyReusePeriodSeconds,
+            KmsKeyId: {
+              'Fn::Sub': value.encryptionConfig.KmsKeyId,
+            },
+            Type: value.encryptionConfig.Type,
+          };
+        }
+
         const stateMachineOutputLogicalId = this
           .getStateMachineOutputLogicalId(stateMachineName, stateMachineObj);
 
@@ -230,6 +241,7 @@ module.exports = {
             StateMachineType: stateMachineObj.type,
             LoggingConfiguration,
             TracingConfiguration,
+            EncryptionConfiguration,
           },
           DependsOn,
         };

lib/deploy/stepFunctions/compileStateMachines.schema.js

@@ -49,6 +49,12 @@ const tracingConfig = Joi.object().keys({
   enabled: Joi.boolean().default(false),
 });
 
+const encryptionConfig = Joi.object().keys({
+  KmsDataKeyReusePeriodSeconds: Joi.number().default(900),
+  KmsKeyId: Joi.string().default(''),
+  Type: Joi.string().default('AWS_OWNED_KEY'),
+});
+
 const iamRoleStatements = Joi.array().items(
   Joi.object({
     Effect: Joi.string().valid('Allow', 'Deny'),
@@ -82,6 +88,7 @@ const schema = Joi.object().keys({
   retain,
   loggingConfig,
   tracingConfig,
+  encryptionConfig,
   inheritGlobalTags,
   iamRoleStatements,
 }).oxor('role', 'iamRoleStatements');

lib/deploy/stepFunctions/compileStateMachines.test.js

@@ -1808,4 +1808,56 @@ describe('#compileStateMachines', () => {
       orderValue: '{% $states.input.order.total %}',
     });
   });
+
+  it('should compile with a specified KMS key', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'Test',
+          name: 'Test',
+          definition: {},
+          encryptionConfig: {
+            KmsKeyId: 'arn:kms:...',
+          },
+        },
+      },
+    };
+
+    serverlessStepFunctions.compileStateMachines();
+
+    const encryptionConfiguration = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .Test.Properties.EncryptionConfiguration;
+
+    expect(encryptionConfiguration.KmsKeyId['Fn::Sub']).to.equal('arn:kms:...');
+    expect(encryptionConfiguration.KmsDataKeyReusePeriodSeconds).to.equal(900);
+    expect(encryptionConfiguration.Type).to.equal('AWS_OWNED_KEY');
+  });
+
+  it('should compile with a specified KMS key, type and reuse period', () => {
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: {
+          id: 'Test',
+          name: 'Test',
+          definition: {},
+          encryptionConfig: {
+            KmsKeyId: 'arn:kms:...',
+            KmsDataKeyReusePeriodSeconds: 10,
+            Type: 'MANAGED',
+          },
+        },
+      },
+    };
+
+    serverlessStepFunctions.compileStateMachines();
+
+    const encryptionConfiguration = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources
+      .Test.Properties.EncryptionConfiguration;
+
+    expect(encryptionConfiguration.KmsKeyId['Fn::Sub']).to.equal('arn:kms:...');
+    expect(encryptionConfiguration.KmsDataKeyReusePeriodSeconds).to.equal(10);
+    expect(encryptionConfiguration.Type).to.equal('MANAGED');
+  });
 });