
fix: FTRS-371 Add KMS key configuration for SNS topic encryption and … #1088

Merged
michal-jarecki merged 19 commits into main from task/FTRS-371-Fix-SonarCloud-Security-Hotspots
Apr 9, 2026

Conversation

@michal-jarecki

…update related modules

Description

Context


Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.


Copilot AI left a comment


Pull request overview

Adds KMS encryption configuration for the Shield DDoS alerts SNS topic (via the Shield module) and updates related Terraform stacks and GitHub Actions workflow dependencies.

Changes:

  • Add kms_key_id input to the Shield module and apply it to SNS topic encryption (kms_master_key_id).
  • Introduce aws_kms_key lookups for the SNS KMS key in UI, read-only-viewer, and domain_name stacks and pass through to the Shield module.
  • Pin several GitHub Actions to commit SHAs and adjust the Allure installer download command.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.

Summary per file:

  • infrastructure/stacks/ui/shield.tf: Passes SNS KMS key ARN into Shield module.
  • infrastructure/stacks/ui/data.tf: Adds SNS KMS key data lookup (us-east-1) for UI stack.
  • infrastructure/stacks/read_only_viewer/shield.tf: Passes SNS KMS key ARN into Shield module.
  • infrastructure/stacks/read_only_viewer/data.tf: Adds SNS KMS key data lookup (us-east-1) for read-only-viewer stack.
  • infrastructure/stacks/domain_name/shield.tf: Passes SNS KMS key ARN into Shield module for Route53 protections.
  • infrastructure/stacks/domain_name/data.tf: Adds SNS KMS key data lookup (us-east-1) for domain_name stack.
  • infrastructure/modules/shield/variables.tf: Introduces kms_key_id module input.
  • infrastructure/modules/shield/sns.tf: Enables SNS topic encryption using kms_master_key_id.
  • .github/workflows/service-automation-test.yaml: Pins asdf actions to a commit SHA.
  • .github/workflows/quality-checks.yaml: Pins Checkov and asdf actions to commit SHAs.
  • .github/workflows/pipeline-truncate-workflow-history.yaml: Pins delete-workflow-runs action to a commit SHA.
  • .github/workflows/pipeline-deploy-architecture-pages.yaml: Pins likec4 action to a commit SHA.
  • .github/workflows/manage-dynamodb-data.yaml: Pins asdf actions to a commit SHA.
  • .github/workflows/build-sandbox-images.yaml: Pins asdf setup action to a commit SHA (also changes version).
  • .github/workflows/build-project.yaml: Pins asdf actions to a commit SHA.
  • .github/actions/install-allure/action.yaml: Adds wget redirect limit for Allure download.

Comment thread infrastructure/modules/shield/sns.tf Outdated
Comment thread .github/workflows/build-sandbox-images.yaml
Comment thread infrastructure/stacks/domain_name/shield.tf Outdated
Comment thread infrastructure/stacks/domain_name/data.tf
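The wiring the review summarizes, shown as an added illustration (not code from this PR or the repository): the stack looks up the existing SNS key, passes its ARN through the module's new kms_key_id input, and the module sets kms_master_key_id on the topic. The key alias, provider alias, topic name and key-policy statement are assumptions.

```hcl
# --- stack side (e.g. infrastructure/stacks/ui/data.tf + shield.tf) ---
# Shield metrics and alarms live in us-east-1, so the key is looked up through
# a provider aliased to that region (assumption: alias "aws.us_east_1").
data "aws_kms_key" "sns" {
  provider = aws.us_east_1
  key_id   = "alias/sns-topic-key" # assumption: alias of the existing SNS CMK
}

module "shield" {
  source     = "../../modules/shield"
  providers  = { aws = aws.us_east_1 }
  kms_key_id = data.aws_kms_key.sns.arn # pass the ARN, not the alias
}

# --- module side (infrastructure/modules/shield/variables.tf) ---
variable "kms_key_id" {
  description = "ARN of the KMS key used to encrypt the Shield alerts SNS topic"
  type        = string
}

# --- module side (infrastructure/modules/shield/sns.tf) ---
# Weak setting: no kms_master_key_id, so messages rest unencrypted on the
# topic. This is what Checkov CKV_AWS_26 and the SonarCloud hotspot flag.
# resource "aws_sns_topic" "shield_alerts" {
#   name = "shield-ddos-alerts"
# }
# Corrected setting:
resource "aws_sns_topic" "shield_alerts" {
  name              = "shield-ddos-alerts" # assumption: topic name
  kms_master_key_id = var.kms_key_id
}

# --- key policy caveat (wherever the CMK is defined) ---
# A CMK-encrypted topic only works if the publisher may use the key. Shield
# DDoS alerts are typically CloudWatch alarms on Shield metrics, so the key
# policy needs a statement like this or alarm actions fail to deliver.
data "aws_iam_policy_document" "sns_key" {
  statement {
    sid       = "AllowCloudWatchAlarmsToUseKey"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"] # inside a key policy, "*" means this key only
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}
```

The key-policy statement is the part a scanner will not check: with a CMK on the topic but no grant for the publishing service, notifications are dropped rather than sent unencrypted.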
ri-nhs previously approved these changes Mar 27, 2026
Comment thread infrastructure/stacks/domain_name/data.tf

Copilot AI left a comment


Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

Comment thread infrastructure/stacks/domain_name/cloudwatch.tf Outdated
Comment thread infrastructure/modules/cloudwatch-monitoring/templates/shield/config.json Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

Comment thread infrastructure/stacks/domain_name/data.tf
Comment thread infrastructure/modules/cloudwatch-monitoring/templates/shield/config.json Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 2 comments.

Comment thread infrastructure/modules/cloudwatch-monitoring/sns.tf
Comment thread infrastructure/modules/cloudwatch-monitoring/variables.tf

5 participants