Merge pull request #557 from agiledigital/issue-540-serverless-v3

Multiple fixes

Author: NoxHarmonium

.github/workflows/nodejs.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x, 14.x, 16.x]
+        node-version: [14.x, 16.x, 18.x]
 
     steps:
       - uses: actions/checkout@v2

README.md

@@ -49,7 +49,7 @@ functions:
           batchSize: 2 # Optional - default value is 10
           maximumBatchingWindowInSeconds: 10 # optional - default is 0 (no batch window)
           maxRetryCount: 2 # Optional - default value is 5
-          kmsMasterKeyId: alias/aws/sqs # optional - default is none (no encryption)
+          kmsMasterKeyId: !GetAtt SQSQueueKey.Arn # optional - default is none (no encryption) - see Notes on Encryption section below
           kmsDataKeyReusePeriodSeconds: 600 # optional - AWS default is 300 seconds
           deadLetterMessageRetentionPeriodSeconds: 1209600 # optional - AWS default is 345600 secs (4 days)
           visibilityTimeout: 120 # optional (in seconds) - AWS default is 30 secs
@@ -104,6 +104,58 @@ This would be set to 'true' by default if this was the first version of the plug
 
 See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html
 
+### Notes on Encryption
+
+If you choose to encrypt your SQS queue, the SNS topic will not be able to send it any messages if you use a managed key (alias/aws/sqs). This is due to an AWS limitation.
+
+See: https://aws.amazon.com/premiumsupport/knowledge-center/sns-topic-sqs-queue-sse-kms-key-policy/
+
+You will need to create a CMK like the following:
+
+```yaml
+# To allow SNS to push messages to an encrypted queue, a CMK must be used
+SQSQueueCMK:
+  Type: AWS::KMS::Key
+  Properties:
+    KeyPolicy:
+      Version: "2012-10-17"
+      Id: key-default-1
+      Statement:
+        - Sid: Enable IAM User Permissions
+          Effect: Allow
+          Principal:
+            AWS: !Join
+              - ""
+              - - "arn:aws:iam::"
+                - !Ref "AWS::AccountId"
+                - ":root"
+          Action: "kms:*"
+          Resource: "*"
+        - Sid: Allow SNS publish to SQS
+          Effect: Allow
+          Principal:
+            Service: sns.amazonaws.com
+          Action:
+            - kms:GenerateDataKey
+            - kms:Decrypt
+          Resource: "*"
+```
+
+and then reference it in the `snsSqs` config with the `kmsMasterKeyId` attribute.
+
+```yaml
+functions:
+  processEvent:
+    handler: handler.handler
+    events:
+      - snsSqs:
+          # ...
+          kmsMasterKeyId: !GetAtt SQSQueueKey.Arn
+          # ...
+```
+
+`kmsMasterKeyId` can either be a key ID (simple string) or an ARN or reference to to ARN. Using !Ref on a key will return a key ID and is invalid, so you'll need to use GetAtt and reference the Arn property.
+
 ### CloudFormation Overrides
 
 If you would like to override a part of the CloudFormation template

example-service/package.json

@@ -11,6 +11,6 @@
   "license": "ISC",
   "devDependencies": {
     "@agiledigital/serverless-sns-sqs-lambda": "file:../",
-    "serverless": "^2.19.0"
+    "serverless": "^3.16.0"
   }
 }

example-service/serverless.yml

@@ -1,9 +1,7 @@
 service: sns-sqs-service
-# Opt-in to the strict config validation that will be default in v3
-# See: https://www.serverless.com/framework/docs/deprecations/#new-variables-resolver
-variablesResolutionMode: 20210219
 # Ensure validation issues are treated as errors
 configValidationMode: error
+frameworkVersion: "3"
 
 provider:
   name: aws
@@ -25,7 +23,7 @@ functions:
           batchSize: 2
           maximumBatchingWindowInSeconds: 30
           maxRetryCount: 2
-          kmsMasterKeyId: alias/aws/sqs
+          kmsMasterKeyId: !GetAtt SQSQueueKey.Arn
           kmsDataKeyReusePeriodSeconds: 600
           visibilityTimeout: 120
           rawMessageDelivery: true
@@ -56,6 +54,32 @@ resources:
       Type: AWS::SNS::Topic
       Properties:
         TopicName: TestTopic
+    # To allow SNS to push messages to an encrypted queue, a CMK must be used
+    SQSQueueKey:
+      Type: AWS::KMS::Key
+      Properties:
+        KeyPolicy:
+          Version: "2012-10-17"
+          Id: key-default-1
+          Statement:
+            - Sid: Enable IAM User Permissions
+              Effect: Allow
+              Principal:
+                AWS: !Join
+                  - ""
+                  - - "arn:aws:iam::"
+                    - !Ref "AWS::AccountId"
+                    - ":root"
+              Action: "kms:*"
+              Resource: "*"
+            - Sid: Allow SNS publish to SQS
+              Effect: Allow
+              Principal:
+                Service: sns.amazonaws.com
+              Action:
+                - kms:GenerateDataKey
+                - kms:Decrypt
+              Resource: "*"
 
 plugins:
   - "@agiledigital/serverless-sns-sqs-lambda"