feat(stepfunctions): add support for EncryptionConfiguration

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-and-activity-cmk.ts

@@ -23,8 +23,7 @@ class KMSStateMachine extends cdk.Stack {
 
     this.activity = new sfn.Activity(this, 'ActivityWithCMKEncryptionConfiguration', {
       activityName: 'ActivityWithCMKEncryptionConfiguration',
-      kmsKey: this.activityKmsKey,
-      kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
+      encryptionConfiguration: new sfn.EncryptionConfiguration(this.activityKmsKey, cdk.Duration.seconds(75)),
     });
 
     this.stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKEncryptionConfiguration', {
@@ -36,8 +35,7 @@ class KMSStateMachine extends cdk.Stack {
         },
       }))),
       stateMachineType: sfn.StateMachineType.STANDARD,
-      kmsKey: this.stateMachineKmsKey,
-      kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
+      encryptionConfiguration: new sfn.EncryptionConfiguration(this.stateMachineKmsKey, cdk.Duration.seconds(75)),
       removalPolicy: cdk.RemovalPolicy.DESTROY,
     });
   }

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-cmk-with-cwl-encryption.ts

@@ -29,8 +29,7 @@ class KMSStateMachine extends cdk.Stack {
         result: sfn.Result.fromString(executionOutput),
       }))),
       stateMachineType: sfn.StateMachineType.STANDARD,
-      kmsKey: this.kmsKey,
-      kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(300),
+      encryptionConfiguration: new sfn.EncryptionConfiguration(this.kmsKey, cdk.Duration.seconds(300)),
       logs: {
         destination: this.logGroup,
         level: sfn.LogLevel.ALL,

packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/stepfunctions/invoke-activity.ts

@@ -36,8 +36,8 @@ export class StepFunctionsInvokeActivity extends sfn.TaskStateBase {
   constructor(scope: Construct, id: string, private readonly props: StepFunctionsInvokeActivityProps) {
     super(scope, id, props);
 
-    if (this.props.activity.kmsKey) {
-      this.taskPolicies = this.createPolicyStatements(this.props.activity.kmsKey);
+    if (this.props.activity.encryptionConfiguration) {
+      this.taskPolicies = this.createPolicyStatements(this.props.activity.encryptionConfiguration.kmsKey);
     }
     this.taskMetrics = {
       metricDimensions: { ActivityArn: this.props.activity.activityArn },

packages/aws-cdk-lib/aws-stepfunctions/README.md

@@ -976,7 +976,7 @@ new sfn.StateMachine(this, 'MyStateMachine', {
 ```
 
 ## Encryption 
-You can encrypt your data using a customer-managed key for AWS Step Functions state machines and activities. You can configure a symmetric AWS KMS key and data key reuse period when creating or updating a State Machine, and when creating an Activity. The execution history and state machine definition will be encrypted with the key applied to the State Machine. Activity inputs will be encrypted with the key applied to the Activity.
+You can encrypt your data using a customer-managed key for AWS Step Functions state machines and activities. You can configure a symmetric AWS KMS key and data key reuse period when creating or updating a State Machine or when creating an Activity. The execution history and state machine definition will be encrypted with the key applied to the State Machine. Activity inputs will be encrypted with the key applied to the Activity.
 
 ### Encrypting state machines 
 You can provide a symmetric KMS key to encrypt the state machine definition and execution history:
@@ -989,8 +989,7 @@ const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKEncryptionCo
   stateMachineName: 'StateMachineWithCMKEncryptionConfiguration',
   definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))),
   stateMachineType: sfn.StateMachineType.STANDARD,
-  kmsKey: kmsKey,
-  kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(60),
+  encryptionConfiguration: new sfn.EncryptionConfiguration(kmsKey, cdk.Duration.seconds(60)),
 });
 ```
 
@@ -1032,8 +1031,7 @@ const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKWithCWLEncry
     result: sfn.Result.fromString('Hello World'),
   }))),
   stateMachineType: sfn.StateMachineType.STANDARD,
-  kmsKey: stateMachineKmsKey,
-  kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(300),
+  encryptionConfiguration: new sfn.EncryptionConfiguration(stateMachineKmsKey),
   logs: {
     destination: logGroup,
     level: sfn.LogLevel.ALL,
@@ -1051,8 +1049,7 @@ import * as cdk from 'aws-cdk-lib';
 const kmsKey = new kms.Key(this, 'Key');
 const activity = new sfn.Activity(this, 'ActivityWithCMKEncryptionConfiguration', {
   activityName: 'ActivityWithCMKEncryptionConfiguration',
-  kmsKey: kmsKey,
-  kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
+  encryptionConfiguration: new sfn.EncryptionConfiguration(kmsKey, cdk.Duration.seconds(75))
 });
 ```
 

packages/aws-cdk-lib/aws-stepfunctions/lib/activity.ts

@@ -1,12 +1,11 @@
 import { Construct } from 'constructs';
+import { EncryptionConfiguration } from './encryptionconfiguration';
 import { StatesMetrics } from './stepfunctions-canned-metrics.generated';
 import { CfnActivity } from './stepfunctions.generated';
 import { constructEncryptionConfiguration } from './util';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
-import * as kms from '../../aws-kms';
-import { ArnFormat, Duration, IResource, Lazy, Names, Resource, Stack } from '../../core';
-
+import { ArnFormat, IResource, Lazy, Names, Resource, Stack } from '../../core';
 /**
  * Properties for defining a new Step Functions Activity
  */
@@ -19,24 +18,11 @@ export interface ActivityProps {
   readonly activityName?: string;
 
   /**
-   * Specifies a symmetric customer managed KMS key for server-side encryption of the activity inputs.
-   * Step Functions will reuse the key for a maximum of `kmsDataKeyReusePeriodSeconds`.
+   * The encryptionConfiguration object used for server-side encryption of the activity inputs.
    *
    * @default - data is transparently encrypted using an AWS owned key
    */
-  readonly kmsKey?: kms.IKey;
-
-  /**
-   * Maximum duration that Step Functions will reuse customer managed data keys.
-   * When the period expires, Step Functions will call GenerateDataKey.
-   *
-   * You can only provide a value if `kmsKey` is set.
-   *
-   * Must be between 60 and 900 seconds.
-   *
-   * @default Duration.seconds(300)
-   */
-  readonly kmsDataKeyReusePeriodSeconds?: Duration;
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }
 
 /**
@@ -82,17 +68,17 @@ export class Activity extends Resource implements IActivity {
   /**
    * @attribute
    */
-  public readonly kmsKey?: kms.IKey;
+  public readonly encryptionConfiguration?: EncryptionConfiguration;
 
   constructor(scope: Construct, id: string, props: ActivityProps = {}) {
     super(scope, id, {
       physicalName: props.activityName ||
         Lazy.string({ produce: () => this.generateName() }),
     });
 
-    if (props.kmsKey) {
-      this.kmsKey = props.kmsKey;
-      props.kmsKey.addToResourcePolicy(new iam.PolicyStatement({
+    if (props.encryptionConfiguration) {
+      this.encryptionConfiguration = props.encryptionConfiguration;
+      props.encryptionConfiguration.kmsKey.addToResourcePolicy(new iam.PolicyStatement({
         resources: ['*'],
         actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
         principals: [new iam.ServicePrincipal('states.amazonaws.com')],
@@ -111,7 +97,7 @@ export class Activity extends Resource implements IActivity {
 
     const resource = new CfnActivity(this, 'Resource', {
       name: this.physicalName!, // not null because of above call to `super`
-      encryptionConfiguration: constructEncryptionConfiguration(props.kmsKey, props.kmsDataKeyReusePeriodSeconds),
+      encryptionConfiguration: constructEncryptionConfiguration(props.encryptionConfiguration),
     });
 
     this.activityArn = this.getResourceArnAttribute(resource.ref, {
@@ -271,9 +257,9 @@ export interface IActivity extends IResource {
   readonly activityName: string;
 
   /**
-   * The symmetric customer managed KMS key for server-side encryption of the activity inputs.
+   * The encryptionConfiguration object used for server-side encryption of the activity inputs
    *
    * @attribute
    */
-  readonly kmsKey?: kms.IKey;
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }

packages/aws-cdk-lib/aws-stepfunctions/lib/encryptionconfiguration.ts

@@ -0,0 +1,39 @@
+import * as kms from '../../aws-kms';
+import * as cdk from '../../core';
+
+/**
+ * Define a new EncryptionConfiguration
+ */
+export class EncryptionConfiguration {
+  /**
+   * The symmetric customer managed KMS key for server-side encryption of the state machine definition, and execution history or activity inputs.
+   * Step Functions will reuse the key for a maximum of `kmsDataKeyReusePeriodSeconds`.
+   *
+   * @default - data is transparently encrypted using an AWS owned key
+   */
+  public readonly kmsKey: kms.IKey;
+  /**
+   * Maximum duration that Step Functions will reuse customer managed data keys.
+   * When the period expires, Step Functions will call GenerateDataKey.
+   *
+   * Must be between 60 and 900 seconds.
+   *
+   * @default Duration.seconds(300)
+   */
+  public readonly kmsDataKeyReusePeriodSeconds?;
+  constructor(kmsKey: kms.IKey, kmsDataKeyReusePeriodSeconds?: cdk.Duration) {
+    this.kmsKey = kmsKey;
+    this.validateKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds);
+    this.kmsDataKeyReusePeriodSeconds = kmsDataKeyReusePeriodSeconds;
+  }
+
+  private isInvalidKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds: cdk.Duration) {
+    return kmsDataKeyReusePeriodSeconds.toSeconds() < 60 || kmsDataKeyReusePeriodSeconds.toSeconds() > 900;
+  }
+
+  private validateKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds: cdk.Duration | undefined) {
+    if (kmsDataKeyReusePeriodSeconds && this.isInvalidKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds)) {
+      throw new Error('kmsDataKeyReusePeriodSeconds must have a value between 60 and 900 seconds');
+    }
+  }
+}

packages/aws-cdk-lib/aws-stepfunctions/lib/index.ts

@@ -28,6 +28,7 @@ export * from './states/custom-state';
 export * from './states/map-base';
 export * from './states/task-base';
 export * from './task-credentials';
+export * from './encryptionconfiguration';
 
 // AWS::StepFunctions CloudFormation Resources:
 export * from './stepfunctions.generated';

packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts

@@ -6,11 +6,10 @@ import { IChainable } from './types';
 import { constructEncryptionConfiguration } from './util';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
-import * as kms from '../../aws-kms';
 import * as logs from '../../aws-logs';
 import * as s3_assets from '../../aws-s3-assets';
-
 import { Arn, ArnFormat, Duration, IResource, RemovalPolicy, Resource, Stack, Token } from '../../core';
+import { EncryptionConfiguration } from '../lib/encryptionconfiguration';
 
 /**
  * Two types of state machines are available in AWS Step Functions: EXPRESS AND STANDARD.
@@ -158,25 +157,11 @@ export interface StateMachineProps {
   readonly removalPolicy?: RemovalPolicy;
 
   /**
-   * Specifies a symmetric customer managed KMS key for server-side encryption of the state machine definition and execution history.
-   * Step Functions will reuse the key for a maximum of `kmsDataKeyReusePeriodSeconds`.
+   * The encryptionConfiguration object used for server-side encryption of the state machine definition and execution history.
    *
    * @default - data is transparently encrypted using an AWS owned key
    */
-  readonly kmsKey?: kms.IKey;
-
-  /**
-   * Maximum duration that Step Functions will reuse customer managed data keys.
-   * When the period expires, Step Functions will call GenerateDataKey.
-   *
-   * You can only provide a value if `kmsKey` is set.
-   *
-   * Must be between 60 and 900 seconds.
-   *
-   * @default Duration.seconds(300)
-   */
-  readonly kmsDataKeyReusePeriodSeconds?: Duration;
-
+  readonly encryptionConfiguration?: EncryptionConfiguration;
 }
 
 /**
@@ -476,13 +461,13 @@ export class StateMachine extends StateMachineBase {
       }
     }
 
-    if (props.kmsKey) {
+    if (props.encryptionConfiguration) {
       this.role.addToPrincipalPolicy(new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: [
           'kms:Decrypt', 'kms:GenerateDataKey',
         ],
-        resources: [`${props.kmsKey.keyArn}`],
+        resources: [`${props.encryptionConfiguration.kmsKey.keyArn}`],
         conditions: {
           StringEquals: {
             'kms:EncryptionContext:aws:states:stateMachineArn': Stack.of(this).formatArn({
@@ -501,7 +486,7 @@ export class StateMachine extends StateMachineBase {
           actions: [
             'kms:GenerateDataKey',
           ],
-          resources: [`${props.kmsKey.keyArn}`],
+          resources: [`${props.encryptionConfiguration.kmsKey.keyArn}`],
           conditions: {
             StringEquals: {
               'kms:EncryptionContext:SourceArn': Stack.of(this).formatArn({
@@ -512,7 +497,7 @@ export class StateMachine extends StateMachineBase {
             },
           },
         }));
-        props.kmsKey.addToResourcePolicy(new iam.PolicyStatement({
+        props.encryptionConfiguration.kmsKey.addToResourcePolicy(new iam.PolicyStatement({
           resources: ['*'],
           actions: ['kms:Decrypt*'],
           principals: [new iam.ServicePrincipal('delivery.logs.amazonaws.com')],
@@ -528,7 +513,7 @@ export class StateMachine extends StateMachineBase {
       tracingConfiguration: this.buildTracingConfiguration(props.tracingEnabled),
       ...definitionBody.bind(this, this.role, props, graph),
       definitionSubstitutions: props.definitionSubstitutions,
-      encryptionConfiguration: constructEncryptionConfiguration(props.kmsKey, props.kmsDataKeyReusePeriodSeconds),
+      encryptionConfiguration: constructEncryptionConfiguration(props.encryptionConfiguration),
     });
     resource.applyRemovalPolicy(props.removalPolicy, { default: RemovalPolicy.DESTROY });
 

packages/aws-cdk-lib/aws-stepfunctions/lib/util.ts

@@ -1,36 +1,20 @@
-import { IKey } from '../../aws-kms';
-import { Duration } from '../../core';
+import { EncryptionConfiguration } from './encryptionconfiguration';
 
 export function noEmptyObject<A>(o: Record<string, A>): Record<string, A> | undefined {
   if (Object.keys(o).length === 0) { return undefined; }
   return o;
 }
 
-function isInValidKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds: Duration) {
-  return kmsDataKeyReusePeriodSeconds.toSeconds() < 60 || kmsDataKeyReusePeriodSeconds.toSeconds() > 900;
-}
-
-function validateEncryptionConfiguration(kmsKey: IKey | undefined, kmsDataKeyReusePeriodSeconds: Duration | undefined) {
-  if (!kmsKey && kmsDataKeyReusePeriodSeconds) {
-    throw new Error('You cannot set kmsDataKeyReusePeriodSeconds without providing a value for kmsKey');
-  }
-  if (kmsKey && kmsDataKeyReusePeriodSeconds && isInValidKmsDataKeyReusePeriodSeconds(kmsDataKeyReusePeriodSeconds)) {
-    throw new Error('kmsDataKeyReusePeriodSeconds must have a value between 60 and 900 seconds');
-  }
-}
-
-export function constructEncryptionConfiguration(kmsKey: IKey | undefined, kmsDataKeyReusePeriodSeconds: Duration | undefined) {
-  validateEncryptionConfiguration(kmsKey, kmsDataKeyReusePeriodSeconds);
-
-  if (!kmsKey) {
+export function constructEncryptionConfiguration(encryptionConfiguration? : EncryptionConfiguration) {
+  if (!encryptionConfiguration) {
     return undefined;
   }
-
   // Default value for `kmsDataKeyReusePeriodSeconds`, see: https://docs.aws.amazon.com/step-functions/latest/dg/encryption-at-rest.html#cfn-resources-for-encryption-configuration
   const DEFAULT_KMS_DATA_KEY_REUSE_PERIOD_SECONDS = 300;
   return {
-    kmsKeyId: kmsKey.keyArn,
-    kmsDataKeyReusePeriodSeconds: kmsDataKeyReusePeriodSeconds ? kmsDataKeyReusePeriodSeconds.toSeconds() : DEFAULT_KMS_DATA_KEY_REUSE_PERIOD_SECONDS,
+    kmsKeyId: encryptionConfiguration.kmsKey.keyArn,
+    kmsDataKeyReusePeriodSeconds: encryptionConfiguration.kmsDataKeyReusePeriodSeconds ?
+      encryptionConfiguration.kmsDataKeyReusePeriodSeconds.toSeconds() : DEFAULT_KMS_DATA_KEY_REUSE_PERIOD_SECONDS,
     type: 'CUSTOMER_MANAGED_KMS_KEY',
   };
 

packages/aws-cdk-lib/aws-stepfunctions/test/activity.test.ts

@@ -3,6 +3,7 @@ import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import * as cdk from '../../core';
 import * as stepfunctions from '../lib';
+import { EncryptionConfiguration } from '../lib/encryptionconfiguration';
 
 describe('Activity', () => {
   test('instantiate Activity', () => {
@@ -79,8 +80,7 @@ describe('Activity', () => {
 
     // WHEN
     new stepfunctions.Activity(stack, 'Activity', {
-      kmsKey: kmsKey,
-      kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
+      encryptionConfiguration: new EncryptionConfiguration(kmsKey, cdk.Duration.seconds(75)),
     });
 
     // THEN
@@ -167,7 +167,7 @@ describe('Activity', () => {
 
     // WHEN
     new stepfunctions.Activity(stack, 'Activity', {
-      kmsKey: kmsKey,
+      encryptionConfiguration: new EncryptionConfiguration(kmsKey),
     });
 
     // THEN
@@ -190,21 +190,8 @@ describe('Activity', () => {
     expect(() => {
       // WHEN
       new stepfunctions.Activity(stack, 'Activity', {
-        kmsKey: kmsKey,
-        kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(5),
+        encryptionConfiguration: new EncryptionConfiguration(kmsKey, cdk.Duration.seconds(5)),
       });
     }).toThrow('kmsDataKeyReusePeriodSeconds must have a value between 60 and 900 seconds');
   });
 });
-
-test('Instantiate Activity with no kms key and kmsDataKeyReusePeriodSeconds throws error', () => {
-  // GIVEN
-  const stack = new cdk.Stack();
-  // FAIL
-  expect(() => {
-    // WHEN
-    new stepfunctions.Activity(stack, 'Activity', {
-      kmsDataKeyReusePeriodSeconds: cdk.Duration.seconds(75),
-    });
-  }).toThrow('You cannot set kmsDataKeyReusePeriodSeconds without providing a value for kmsKey');
-});