From 7bf19a668e886da4606a925ce390d044d0303780 Mon Sep 17 00:00:00 2001
From: Dan Behrman <166764905+DanBehrman-CR@users.noreply.github.com>
Date: Wed, 19 Feb 2025 17:31:49 -0600
Subject: [PATCH] added kms key

---
 lib/deploy/stepFunctions/compileIamRole.js | 7 +++++++
 lib/deploy/stepFunctions/compileStateMachines.js | 10 ++++++++++
 .../stepFunctions/compileStateMachines.schema.js | 7 +++++++
 3 files changed, 24 insertions(+)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 864491be..bcd65815 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -850,6 +850,13 @@ module.exports = {
 });
 }
 
+ if (stateMachineObj.encryptionConfig.KMSkeyId) {
+ iamPermissions.push({
+ action: 'kms:Decrypt,kms:Encrypt',
+ resource: stateMachineObj.encryptionConfig.KMSkeyId,
+ });
+ }
+
 iamPermissions = consolidatePermissionsByAction(iamPermissions);
 iamPermissions = consolidatePermissionsByResource(iamPermissions);
 const iamStatements = getIamStatements(iamPermissions, stateMachineObj);
diff --git a/lib/deploy/stepFunctions/compileStateMachines.js b/lib/deploy/stepFunctions/compileStateMachines.js
index a50136d7..d5a3c319 100644
--- a/lib/deploy/stepFunctions/compileStateMachines.js
+++ b/lib/deploy/stepFunctions/compileStateMachines.js
@@ -100,6 +100,7 @@ module.exports = {
 let DependsOn = [];
 let LoggingConfiguration;
 let TracingConfiguration;
+ let EncryptionConfiguration;
 let Tags;
 if (stateMachineObj.inheritGlobalTags === false) {
 Tags = [];
@@ -219,6 +220,14 @@ module.exports = {
 };
 }
 
+ if (value.encryptionConfig) {
+ EncryptionConfiguration = {
+ KmsDataKeyReusePeriodSeconds: value.encryptionConfig.KMSkeyReusePeriod,
+ KmsKeyId: value.encryptionConfig.KMSkeyId,
+ Type: value.encryptionConfig.type,
+ }
+ }
+
 const stateMachineOutputLogicalId = this
 .getStateMachineOutputLogicalId(stateMachineName, stateMachineObj);
 
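Review bot: The new guard dereferences `stateMachineObj.encryptionConfig.KMSkeyId` without first checking that `encryptionConfig` exists, so every state machine that does not set `encryptionConfig` — the schema in this patch leaves it optional, and compileStateMachines.js guards it with `if (value.encryptionConfig)` — will throw a TypeError in the IAM role compiler instead of deploying; use `if (stateMachineObj.encryptionConfig && stateMachineObj.encryptionConfig.KMSkeyId) {`. The entry `action: 'kms:Decrypt,kms:Encrypt'` packs two actions into one comma-joined string, which only produces a valid policy if `consolidatePermissionsByAction`/`getIamStatements` split on commas (not visible here); otherwise push two entries, one per action. It is also worth confirming against the Step Functions encryption documentation which actions the execution role needs, since it lists `kms:GenerateDataKey` alongside `kms:Decrypt` for customer-managed keys rather than `kms:Encrypt`, and that `KMSkeyId` is a key ARN, because a bare key ID or alias will not match as an IAM `Resource`. The enclosing function starts and ends outside this hunk.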
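Review bot: `EncryptionConfiguration` is emitted with all three properties whenever `encryptionConfig` is present, so with the schema defaults a user who sets only `type: AWS_OWNED_KEY` still sends `KmsKeyId: ""` and `KmsDataKeyReusePeriodSeconds: 900` to CloudFormation; the resource documentation describes those two properties as applying only to `CUSTOMER_MANAGED_KMS_KEY`, so this should be confirmed, and the safer shape is to set them only for that type, as below. The object-literal assignment also ends with `}` and no semicolon, unlike the `};` directly above it and the rest of the file. The enclosing method starts and ends outside this hunk.
```javascript
    if (value.encryptionConfig) {
      EncryptionConfiguration = { Type: value.encryptionConfig.type };
      // KmsKeyId / KmsDataKeyReusePeriodSeconds are only meaningful for customer-managed keys
      if (value.encryptionConfig.type === 'CUSTOMER_MANAGED_KMS_KEY') {
        EncryptionConfiguration.KmsKeyId = value.encryptionConfig.KMSkeyId;
        EncryptionConfiguration.KmsDataKeyReusePeriodSeconds = value.encryptionConfig.KMSkeyReusePeriod;
      }
    }
    // … unchanged: stateMachineOutputLogicalId …
```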
@@ -230,6 +239,7 @@ module.exports = {
 StateMachineType: stateMachineObj.type,
 LoggingConfiguration,
 TracingConfiguration,
+ EncryptionConfiguration
 },
 DependsOn,
 };
diff --git a/lib/deploy/stepFunctions/compileStateMachines.schema.js b/lib/deploy/stepFunctions/compileStateMachines.schema.js
index abfa2eb6..1be1c417 100644
--- a/lib/deploy/stepFunctions/compileStateMachines.schema.js
+++ b/lib/deploy/stepFunctions/compileStateMachines.schema.js
@@ -49,6 +49,12 @@ const tracingConfig = Joi.object().keys({
 enabled: Joi.boolean().default(false),
 });
 
+const encryptionConfig = Joi.object().keys({
+ KMSkeyReusePeriod: Joi.number().default(900),
+ KMSkeyId: Joi.string().default(""),
+ type: Joi.string().default("AWS_OWNED_KEY"),
+});
+
 const iamRoleStatements = Joi.array().items(
 Joi.object({
 Effect: Joi.string().valid('Allow', 'Deny'),
@@ -82,6 +88,7 @@ const schema = Joi.object().keys({
 retain,
 loggingConfig,
 tracingConfig,
+ encryptionConfig,
 inheritGlobalTags,
 iamRoleStatements,
 }).oxor('role', 'iamRoleStatements');
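Review bot: `type` is accepted as any string in the new `encryptionConfig` schema, so a typo such as `CUSTOMER_MANAGED_KEY` passes validation and only fails at CloudFormation time; the file already constrains enumerations with `.valid(...)` (see `Effect` just below), so `type: Joi.string().valid('AWS_OWNED_KEY', 'CUSTOMER_MANAGED_KMS_KEY').default('AWS_OWNED_KEY'),` fits the existing style. Defaulting `KMSkeyId` to `""` also lets a customer-managed configuration with no key through silently; `KMSkeyId: Joi.string().when('type', { is: 'CUSTOMER_MANAGED_KMS_KEY', then: Joi.required() }),` makes the key mandatory exactly when it is used and leaves it undefined otherwise. `KMSkeyReusePeriod` could likewise be bounded with `.integer().min(60).max(900)` if those are the service limits — worth confirming. The new lines also use double-quoted strings where the rest of the file uses single quotes.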