feat: Event Bus DLQ and Event Connection CMK Encryption (#163)

magreenbaum · web-flow · commit 1ec8e4421aec · 2025-05-19T14:21:28.000+02:00
diff --git a/README.md b/README.md
@@ -382,13 +382,13 @@ module "eventbridge" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 
 ## Modules
 
@@ -505,6 +505,7 @@ No modules.
 | <a name="input_create_schedules"></a> [create\_schedules](#input\_create\_schedules) | Controls whether EventBridge Schedule resources should be created | `bool` | `true` | no |
 | <a name="input_create_schemas_discoverer"></a> [create\_schemas\_discoverer](#input\_create\_schemas\_discoverer) | Controls whether default schemas discoverer should be created | `bool` | `false` | no |
 | <a name="input_create_targets"></a> [create\_targets](#input\_create\_targets) | Controls whether EventBridge Target resources should be created | `bool` | `true` | no |
+| <a name="input_dead_letter_config"></a> [dead\_letter\_config](#input\_dead\_letter\_config) | Configuration details of the Amazon SQS queue for EventBridge to use as a dead-letter queue (DLQ) | `any` | `{}` | no |
 | <a name="input_ecs_pass_role_resources"></a> [ecs\_pass\_role\_resources](#input\_ecs\_pass\_role\_resources) | List of approved roles to be passed | `list(string)` | `[]` | no |
 | <a name="input_ecs_target_arns"></a> [ecs\_target\_arns](#input\_ecs\_target\_arns) | The Amazon Resource Name (ARN) of the AWS ECS Tasks you want to use as EventBridge targets | `list(string)` | `[]` | no |
 | <a name="input_event_source_name"></a> [event\_source\_name](#input\_event\_source\_name) | The partner event source that the new event bus will be matched with. Must match name. | `string` | `null` | no |
diff --git a/examples/api-gateway-event-source/README.md b/examples/api-gateway-event-source/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/api-gateway-event-source/versions.tf b/examples/api-gateway-event-source/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/default-bus/README.md b/examples/default-bus/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/default-bus/versions.tf b/examples/default-bus/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-api-destination/README.md b/examples/with-api-destination/README.md
@@ -20,28 +20,30 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | ../../ | n/a |
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 2.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_iam_role.eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
diff --git a/examples/with-api-destination/main.tf b/examples/with-api-destination/main.tf
@@ -7,6 +7,8 @@ provider "aws" {
   skip_credentials_validation = true
 }
 
+data "aws_caller_identity" "current" {}
+
 module "eventbridge" {
   source = "../../"
 
@@ -143,6 +145,7 @@ module "eventbridge" {
           value = random_pet.this.id
         }
       }
+      kms_key_identifier = module.kms.key_arn
     }
   }
 
@@ -200,3 +203,48 @@ data "aws_iam_policy_document" "assume_role" {
     }
   }
 }
+
+module "kms" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 2.0"
+  description = "KMS key for EventBridge"
+
+  # Aliases
+  aliases                 = ["test"]
+  aliases_use_name_prefix = true
+  key_statements = [
+    {
+      sid = "Allow use of the key"
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      ]
+      actions = [
+        "kms:DescribeKey",
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ]
+      resources = ["*"]
+      conditions = [
+        {
+          test     = "StringLike"
+          values   = ["secretsmanager.*.amazonaws.com"]
+          variable = "kms:ViaService"
+        },
+        {
+          test     = "StringLike"
+          values   = ["arn:aws:secretsmanager:*:*:secret:events!connection/*"]
+          variable = "kms:EncryptionContext:SecretARN"
+        }
+      ]
+    }
+  ]
+
+  tags = {
+    EventBridgeApiDestinations = "true"
+  }
+
+  key_owners = [data.aws_caller_identity.current.arn]
+}
diff --git a/examples/with-api-destination/versions.tf b/examples/with-api-destination/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-archive/README.md b/examples/with-archive/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/with-archive/versions.tf b/examples/with-archive/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-ecs-scheduling/README.md b/examples/with-ecs-scheduling/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/with-ecs-scheduling/versions.tf b/examples/with-ecs-scheduling/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-lambda-scheduling/README.md b/examples/with-lambda-scheduling/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
diff --git a/examples/with-lambda-scheduling/versions.tf b/examples/with-lambda-scheduling/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-permissions/README.md b/examples/with-permissions/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
diff --git a/examples/with-permissions/versions.tf b/examples/with-permissions/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-pipes/README.md b/examples/with-pipes/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
diff --git a/examples/with-pipes/versions.tf b/examples/with-pipes/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/examples/with-schedules/README.md b/examples/with-schedules/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.85 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.98 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.85 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.98 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
diff --git a/examples/with-schedules/versions.tf b/examples/with-schedules/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.85"
+      version = ">= 5.98"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/main.tf b/main.tf
@@ -69,6 +69,13 @@ resource "aws_cloudwatch_event_bus" "this" {
   event_source_name  = var.event_source_name
   kms_key_identifier = var.kms_key_identifier
 
+  dynamic "dead_letter_config" {
+    for_each = length(var.dead_letter_config) > 0 ? [var.dead_letter_config] : []
+    content {
+      arn = try(dead_letter_config.value.arn, null)
+    }
+  }
+
   tags = var.tags
 }
 
@@ -301,6 +308,7 @@ resource "aws_cloudwatch_event_connection" "this" {
   name               = each.value.Name
   description        = lookup(each.value, "description", null)
   authorization_type = each.value.authorization_type
+  kms_key_identifier = try(each.value.kms_key_identifier, null)
 
   dynamic "auth_parameters" {
     for_each = [each.value.auth_parameters]
diff --git a/variables.tf b/variables.tf
@@ -144,6 +144,12 @@ variable "kms_key_identifier" {
   default     = null
 }
 
+variable "dead_letter_config" {
+  description = "Configuration details of the Amazon SQS queue for EventBridge to use as a dead-letter queue (DLQ)"
+  type        = any
+  default     = {}
+}
+
 variable "schemas_discoverer_description" {
   description = "Default schemas discoverer description"
   type        = string
diff --git a/versions.tf b/versions.tf

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.85"`
	`7`	`+ version = ">= 5.98"`
`8`	`8`	`}`
`9`	`9`	`random = {`
`10`	`10`	`source = "hashicorp/random"`