chore: disable KMS stuff after testing

infrastructure/environments/dev/main.tf

@@ -13,7 +13,7 @@ module "glue" {
   # =====================================================================================
   # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
   # =====================================================================================
-  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -26,7 +26,7 @@ module "athena" {
   # =====================================================================================
   # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
   # =====================================================================================
-  s3_encryption_key_arn = module.core.s3_encryption_key_arn
-  data_bucket_id        = module.core.data_bucket_id
-  silver_database_name  = module.glue.silver_database_name
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+  data_bucket_id       = module.core.data_bucket_id
+  silver_database_name = module.glue.silver_database_name
 }

infrastructure/environments/prod/main.tf

@@ -13,7 +13,7 @@ module "glue" {
   # =====================================================================================
   # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
   # =====================================================================================
-  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -23,6 +23,10 @@ module "athena" {
 
   environment                      = var.environment
   athena_query_results_bucket_name = var.athena_query_results_bucket_name
-  data_bucket_id                   = module.core.data_bucket_id
-  silver_database_name             = module.glue.silver_database_name
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+  data_bucket_id       = module.core.data_bucket_id
+  silver_database_name = module.glue.silver_database_name
 }

infrastructure/environments/qa/main.tf

@@ -13,7 +13,7 @@ module "glue" {
   # =====================================================================================
   # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
   # =====================================================================================
-  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -23,6 +23,10 @@ module "athena" {
 
   environment                      = var.environment
   athena_query_results_bucket_name = var.athena_query_results_bucket_name
-  data_bucket_id                   = module.core.data_bucket_id
-  silver_database_name             = module.glue.silver_database_name
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+  data_bucket_id       = module.core.data_bucket_id
+  silver_database_name = module.glue.silver_database_name
 }

infrastructure/environments/staging/main.tf

@@ -13,7 +13,7 @@ module "glue" {
   # =====================================================================================
   # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
   # =====================================================================================
-  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }
@@ -23,6 +23,10 @@ module "athena" {
 
   environment                      = var.environment
   athena_query_results_bucket_name = var.athena_query_results_bucket_name
-  data_bucket_id                   = module.core.data_bucket_id
-  silver_database_name             = module.glue.silver_database_name
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_data_encryption_key_arn = module.core.s3_data_encryption_key_arn
+  data_bucket_id       = module.core.data_bucket_id
+  silver_database_name = module.glue.silver_database_name
 }

infrastructure/modules/athena/data.tf

@@ -21,6 +21,21 @@ data "aws_iam_policy_document" "athena_query_results_management" {
       "*"
     ]
   }
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING STATEMENT TO ENABLE SSE-KMS ENCRYPTION IN
+  # ATHENA AND S3.
+  # =====================================================================================
+  # statement {
+  #   effect = "Allow"
+  #   actions = [
+  #     "kms:Decrypt",
+  #     "kms:GenerateDataKey"
+  #   ]
+  #   resources = [
+  #     aws_kms_key.athena_query_results.arn,
+  #     var.s3_data_encryption_key_arn
+  #   ]
+  # }
   statement {
     effect = "Allow"
     actions = [

infrastructure/modules/athena/kms.tf

@@ -0,0 +1,18 @@
+# This KMS key is used to implement SSE-KMS for Athena query results, improving the
+# encryption at rest standards (https://docs.aws.amazon.com/athena/latest/ug/encryption.html
+# for details). It is intended to be manually configured for the `primary` Athena
+# Workgroup for now given we are not yet managing Workgroups through Terraform.
+# =======================================================================================
+# KMS KEYS ARE NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
+# TO CREATE/ENABLE THEM.
+# =======================================================================================
+# resource "aws_kms_key" "athena_query_results" {
+#   description         = "Protects Athena query results tackled by the AWS Glue CI/CD Blueprint"
+#   enable_key_rotation = true
+# }
+
+# resource "aws_kms_alias" "athena_query_results" {
+#   name          = "alias/glue-ci-cd-blueprint/athena-query-results-${var.environment}"
+#   target_key_id = aws_kms_key.athena_query_results.key_id
+# }

infrastructure/modules/athena/s3.tf

@@ -2,19 +2,6 @@ resource "aws_s3_bucket" "athena_query_results" {
   bucket = "${var.athena_query_results_bucket_name}-${var.environment}"
 }
 
-# =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
-# =======================================================================================
-resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
-  bucket = aws_s3_bucket.athena_query_results.id
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = var.s3_encryption_key_arn
-      sse_algorithm     = "aws:kms"
-    }
-  }
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "athena_query_results" {
   bucket = aws_s3_bucket.athena_query_results.id
   rule {
@@ -25,3 +12,17 @@ resource "aws_s3_bucket_lifecycle_configuration" "athena_query_results" {
     }
   }
 }
+
+# =======================================================================================
+# DELETE THIS AND UNCOMMENT THE FOLLOWING RESOURCE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+# =======================================================================================
+# resource "aws_s3_bucket_server_side_encryption_configuration" "athena_query_results" {
+#   bucket = aws_s3_bucket.athena_query_results.id
+
+#   rule {
+#     apply_server_side_encryption_by_default {
+#       kms_master_key_id = var.s3_data_encryption_key_arn
+#       sse_algorithm     = "aws:kms"
+#     }
+#   }
+# }

infrastructure/modules/athena/variables.tf

@@ -13,11 +13,11 @@ variable "athena_query_results_bucket_name" {
 # =======================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =======================================================================================
-variable "s3_encryption_key_arn" {
-  description = "ARN of the KMS key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
-  type        = string
-  default     = ""
-}
+# variable "s3_data_encryption_key_arn" {
+#   description = "ARN of the KMS key that protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3."
+#   type        = string
+#   default     = ""
+# }
 
 variable "data_bucket_id" {
   description = "ID of the S3 bucket used to store data."

infrastructure/modules/core/kms.tf

@@ -1,22 +1,21 @@
-# This KMS key is used to implement SSE-KMS encryption in S3.
+# This KMS key is used to implement SSE-KMS in S3.
 #
-# Since January, 2023, AWS applies server-side encryption with Amazon S3 managed keys
-# (SSE-S3) as the base level of encryption for every bucket in S3. However, users can
-# choose to configure buckets to use server-side encryption with AWS Key Management
+# Since January, 2023, AWS applies server-side encryption (SSE) with Amazon S3 managed
+# keys (SSE-S3) as the base level of encryption for every bucket in S3. However, users
+# can choose to configure buckets to use server-side encryption with AWS Key Management
 # Service keys (SSE-KMS) instead. Please refer to
-# https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for further
-# details.
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for details.
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# KMS KEYS ARE NOT CREATED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
 # ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
-# TO CREATE/ENABLE IT.
+# TO CREATE/ENABLE THEM.
 # =======================================================================================
-resource "aws_kms_key" "s3" {
-  description         = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
-  enable_key_rotation = true
-}
+# resource "aws_kms_key" "s3_data" {
+#   description         = "Protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3"
+#   enable_key_rotation = true
+# }
 
-resource "aws_kms_alias" "s3" {
-  name          = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
-  target_key_id = aws_kms_key.s3.key_id
-}
+# resource "aws_kms_alias" "s3_data" {
+#   name          = "alias/glue-ci-cd-blueprint/s3-data-${var.environment}"
+#   target_key_id = aws_kms_key.s3_data.key_id
+# }

infrastructure/modules/core/outputs.tf

@@ -3,8 +3,8 @@ output "data_bucket_id" {
 }
 
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# KMS KEYS ARE NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
 # =======================================================================================
-output "s3_encryption_key_arn" {
-  value = aws_kms_key.s3.arn
-}
+# output "s3_data_encryption_key_arn" {
+#   value = aws_kms_key.s3_data.arn
+# }

infrastructure/modules/core/s3.tf

@@ -3,14 +3,14 @@ resource "aws_s3_bucket" "data" {
 }
 
 # =======================================================================================
-# THE KMS KEY IS NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# KMS KEYS ARE NOT CREATED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
 # =======================================================================================
 # resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
 #   bucket = aws_s3_bucket.data.id
-#
+
 #   rule {
 #     apply_server_side_encryption_by_default {
-#       kms_master_key_id = aws_kms_key.s3.arn
+#       kms_master_key_id = aws_kms_key.s3_data.arn
 #       sse_algorithm     = "aws:kms"
 #     }
 #   }

infrastructure/modules/glue/data.tf

@@ -13,7 +13,7 @@ data "aws_iam_policy_document" "glue_service_custom" {
   #     "kms:GenerateDataKey"
   #   ]
   #   resources = [
-  #     var.s3_encryption_key_arn
+  #     var.s3_data_encryption_key_arn
   #   ]
   # }
   statement {

infrastructure/modules/glue/variables.tf

@@ -13,8 +13,8 @@ variable "data_bucket_id" {
 # =======================================================================================
 # DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
 # =======================================================================================
-# variable "s3_encryption_key_arn" {
-#   description = "ARN of the KMS key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
+# variable "s3_data_encryption_key_arn" {
+#   description = "ARN of the KMS key that protects data tackled by the AWS Glue CI/CD Blueprint and stored in S3."
 #   type        = string
 #   default     = ""
 # }