feat(stepfunctions): add support for EncryptionConfiguration

packages/aws-cdk-lib/aws-stepfunctions/lib/activity.ts

@@ -1,9 +1,11 @@
 import { Construct } from 'constructs';
+import { EncryptionConfiguration } from './encryption-configuration';
 import { StatesMetrics } from './stepfunctions-canned-metrics.generated';
 import { CfnActivity } from './stepfunctions.generated';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
 import { ArnFormat, IResource, Lazy, Names, Resource, Stack } from '../../core';
+export * from './encryption-configuration';
 
 /**
  * Properties for defining a new Step Functions Activity
@@ -15,6 +17,12 @@ export interface ActivityProps {
    * @default - If not supplied, a name is generated
    */
   readonly activityName?: string;
+  /**
+   * The EncryptionConfiguration for this activity.
+   *
+   * @default - no EncryptionConfiguration
+   */
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }
 
 /**
@@ -57,14 +65,20 @@ export class Activity extends Resource implements IActivity {
    */
   public readonly activityName: string;
 
+  /**
+   * @attribute
+   */
+  public readonly encryptionConfiguration?: EncryptionConfiguration;
+
   constructor(scope: Construct, id: string, props: ActivityProps = {}) {
     super(scope, id, {
       physicalName: props.activityName ||
-                Lazy.string({ produce: () => this.generateName() }),
+        Lazy.string({ produce: () => this.generateName() }),
     });
 
     const resource = new CfnActivity(this, 'Resource', {
       name: this.physicalName!, // not null because of above call to `super`
+      encryptionConfiguration: props.encryptionConfiguration ?? undefined,
     });
 
     this.activityArn = this.getResourceArnAttribute(resource.ref, {
@@ -222,4 +236,11 @@ export interface IActivity extends IResource {
    * @attribute
    */
   readonly activityName: string;
+
+  /**
+   * The EncryptioConfiguration of the activity
+   *
+   * @attribute
+   */
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }

packages/aws-cdk-lib/aws-stepfunctions/lib/encryption-configuration.ts

@@ -0,0 +1,34 @@
+/**
+ * Define an EncryptionConfiguration
+ */
+export interface EncryptionConfiguration {
+  /**
+   * Identifier for KMS key, which can in the format of key ARN, key ID, alias ARN or alias name
+   * @default - no kmsKeyId is associated
+   */
+  readonly kmsKeyId?: string;
+  /**
+   * Maximum duration for which SFN will reuse data keys. When the period expires,
+   * SFN will call GenerateDataKey. This setting only applies to customer managed KMS key and does not apply to AWS owned KMS key.
+   * @default - 300s
+   */
+  readonly kmsDataKeyReusePeriodSeconds?: number;
+  /**
+   * The encryption option specified for the state machine
+   * @default - AWS_OWNED_KEY
+   */
+  readonly type: EncryptionType;
+}
+/**
+ * Define an EncryptionType
+ */
+export enum EncryptionType {
+/**
+ * SFN owned key
+ */
+  AWS_OWNED_KEY = 'AWS_OWNED_KEY',
+  /**
+ * Customer managed key
+ */
+  CUSTOMER_MANAGED_KMS_KEY = 'CUSTOMER_MANAGED_KMS_KEY',
+}

packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts

@@ -1,4 +1,5 @@
 import { Construct } from 'constructs';
+import { EncryptionConfiguration } from './encryption-configuration';
 import { StateGraph } from './state-graph';
 import { StatesMetrics } from './stepfunctions-canned-metrics.generated';
 import { CfnStateMachine } from './stepfunctions.generated';
@@ -8,6 +9,7 @@ import * as iam from '../../aws-iam';
 import * as logs from '../../aws-logs';
 import * as s3_assets from '../../aws-s3-assets';
 import { Arn, ArnFormat, Duration, IResource, RemovalPolicy, Resource, Stack, Token } from '../../core';
+export * from './encryption-configuration';
 
 /**
  * Two types of state machines are available in AWS Step Functions: EXPRESS AND STANDARD.
@@ -153,6 +155,12 @@ export interface StateMachineProps {
    * @default RemovalPolicy.DESTROY
    */
   readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * EncryptionConfiguration for this state machine
+   * @default No EncryptionConfiguration
+   */
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }
 
 /**
@@ -164,6 +172,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
    */
   public static fromStateMachineArn(scope: Construct, id: string, stateMachineArn: string): IStateMachine {
     class Import extends StateMachineBase {
+      public encryptionConfiguration?: EncryptionConfiguration | undefined;
       public readonly stateMachineArn = stateMachineArn;
       public readonly grantPrincipal = new iam.UnknownPrincipal({ resource: this });
     }
@@ -187,19 +196,41 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
 
   public abstract readonly stateMachineArn: string;
 
+  public abstract readonly encryptionConfiguration?: EncryptionConfiguration;
+
   /**
    * The principal this state machine is running as
    */
   public abstract readonly grantPrincipal: iam.IPrincipal;
 
+  private isEncryptionConfigurationSet() {
+    return this.encryptionConfiguration !== undefined;
+  }
+
+  private getKmsGenerateDataKeyAndDecryptActions() {
+    if (this.isEncryptionConfigurationSet()) {
+      return ['kms:GenerateDataKey', 'kms:Decrypt'];
+    } else {
+      return [];
+    }
+  }
+
+  private getKmsDecryptAction() {
+    if (this.isEncryptionConfigurationSet()) {
+      return ['kms:Decrypt'];
+    } else {
+      return [];
+    }
+  }
+
   /**
    * Grant the given identity permissions to start an execution of this state
    * machine.
    */
   public grantStartExecution(identity: iam.IGrantable): iam.Grant {
     return iam.Grant.addToPrincipal({
       grantee: identity,
-      actions: ['states:StartExecution'],
+      actions: ['states:StartExecution', ... this.getKmsGenerateDataKeyAndDecryptActions()],
       resourceArns: [this.stateMachineArn],
     });
   }
@@ -211,7 +242,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
   public grantStartSyncExecution(identity: iam.IGrantable): iam.Grant {
     return iam.Grant.addToPrincipal({
       grantee: identity,
-      actions: ['states:StartSyncExecution'],
+      actions: ['states:StartSyncExecution', ...this.getKmsDecryptAction()],
       resourceArns: [this.stateMachineArn],
     });
   }
@@ -235,6 +266,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
         'states:DescribeExecution',
         'states:DescribeStateMachineForExecution',
         'states:GetExecutionHistory',
+        ...this.getKmsDecryptAction(),
       ],
       resourceArns: [`${this.executionArn()}:*`],
     });
@@ -244,6 +276,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
         'states:ListActivities',
         'states:DescribeStateMachine',
         'states:DescribeActivity',
+        ...this.getKmsDecryptAction(),
       ],
       resourceArns: ['*'],
     });
@@ -259,6 +292,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
         'states:SendTaskSuccess',
         'states:SendTaskFailure',
         'states:SendTaskHeartbeat',
+        ...this.getKmsDecryptAction(),
       ],
       resourceArns: [this.stateMachineArn],
     });
@@ -413,6 +447,12 @@ export class StateMachine extends StateMachineBase {
    */
   public readonly stateMachineType: StateMachineType;
 
+  /**
+   * Type of the EncryptionConfiguration
+   * @attribute
+   */
+  public readonly encryptionConfiguration?: EncryptionConfiguration;
+
   /**
    * Identifier for the state machine revision, which is an immutable, read-only snapshot of a state machine’s definition and configuration.
    * @attribute
@@ -460,11 +500,12 @@ export class StateMachine extends StateMachineBase {
       tracingConfiguration: props.tracingEnabled ? this.buildTracingConfiguration() : undefined,
       ...definitionBody.bind(this, this.role, props, graph),
       definitionSubstitutions: props.definitionSubstitutions,
+      encryptionConfiguration: props.encryptionConfiguration,
     });
     resource.applyRemovalPolicy(props.removalPolicy, { default: RemovalPolicy.DESTROY });
 
     resource.node.addDependency(this.role);
-
+    this.encryptionConfiguration = props.encryptionConfiguration;
     this.stateMachineName = this.getResourceNameAttribute(resource.attrName);
     this.stateMachineArn = this.getResourceArnAttribute(resource.ref, {
       service: 'states',
@@ -561,6 +602,13 @@ export interface IStateMachine extends IResource, iam.IGrantable {
    */
   readonly stateMachineArn: string;
 
+  /**
+   * The EncryptioConfiguration of the activity
+   *
+   * @attribute
+   */
+  readonly encryptionConfiguration?: EncryptionConfiguration;
+
   /**
    * Grant the given identity permissions to start an execution of this state
    * machine.

packages/aws-cdk-lib/aws-stepfunctions/test/activity.test.ts

@@ -1,7 +1,9 @@
 import { Match, Template } from '../../assertions';
 import * as iam from '../../aws-iam';
+import * as kms from '../../aws-kms';
 import * as cdk from '../../core';
 import * as stepfunctions from '../lib';
+import { EncryptionType } from '../lib/encryption-configuration';
 
 describe('Activity', () => {
   test('instantiate Activity', () => {
@@ -70,4 +72,51 @@ describe('Activity', () => {
     });
 
   });
+
+  test('instantiate Activity with EncryptionConfiguration using Customer Managed Key', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const kmsKey = new kms.Key(stack, 'Key');
+
+    // WHEN
+    new stepfunctions.Activity(stack, 'Activity', {
+      encryptionConfiguration: {
+        kmsKeyId: kmsKey.keyId,
+        kmsDataKeyReusePeriodSeconds: 75,
+        type: EncryptionType.CUSTOMER_MANAGED_KMS_KEY,
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::StepFunctions::Activity', {
+      Name: 'Activity',
+      EncryptionConfiguration: Match.objectLike({
+        KmsKeyId: {
+          Ref: 'Key961B73FD',
+        },
+        KmsDataKeyReusePeriodSeconds: 75,
+        Type: EncryptionType.CUSTOMER_MANAGED_KMS_KEY,
+      }),
+    });
+  });
+
+  test('instantiate Activity with EncryptionConfiguration using AWS Owned Key', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new stepfunctions.Activity(stack, 'Activity', {
+      encryptionConfiguration: {
+        type: EncryptionType.AWS_OWNED_KEY,
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::StepFunctions::Activity', {
+      Name: 'Activity',
+      EncryptionConfiguration: Match.objectLike({
+        Type: EncryptionType.AWS_OWNED_KEY,
+      }),
+    });
+  });
 });