IaC Bazaar
AWS · Live-tested

Step Functions State Machine

A Step Functions state machine (STANDARD or EXPRESS) with a least-privilege execution role, a managed CloudWatch log group, X-Ray tracing, and encryption at rest — working out of the box from a single name.

terraform · AWS · #aws


aws-step-functions · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30 · how we verify

Documentation

aws-step-functions

AWS Step Functions state machine (STANDARD or EXPRESS) with a least-privilege execution role, an explicitly managed CloudWatch log group, X-Ray tracing, and encryption at rest. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

The module stands up end-to-end with a single input (name): it ships a trivial single Pass-state Amazon States Language (ASL) definition so you get a working, verifiable state machine out of the box. Supply your own definition (and policy_json / policy_arns for the services your tasks call) for real workflows.

Secure defaults:

  • Encryption at rest always on — AWS-owned key by default, or your own KMS key via encryption_type = "CUSTOMER_MANAGED_KMS_KEY" + kms_key_id.
  • Execution logging on — a managed CloudWatch log group (30-day retention) with the role's CloudWatch Logs delivery permissions wired before the state machine is created (a missing-permissions create failure is the classic Step Functions footgun). Execution input/output payloads are excluded from logs by default (log_include_execution_data = false).
  • X-Ray tracing on — free until executions emit traces; the created role gets only the X-Ray write permissions it needs.
  • Least-privilege role — created automatically (unless you pass role_arn) with a confused-deputy guard (aws:SourceAccount) on the trust policy and no task permissions until you grant them.
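The four defaults above, written out as plain Terraform resources. This is an added illustration, not the IaC Bazaar module's own code and not its input interface: the `demo-step-functions` name, the log group path, the 30-day retention and the provider pinning (`hashicorp/aws >= 6.0, < 7.0`, assumed to be configured elsewhere) are assumptions. It shows the confused-deputy condition on the trust policy, the CloudWatch Logs delivery and X-Ray write permissions, and the `depends_on` ordering that prevents the create-time logging-permission failure.

```hcl
# Added example (not the catalogue module's code). Names and values are assumed.
data "aws_caller_identity" "current" {}

locals {
  name = "demo-step-functions" # assumed name
}

# Explicitly managed execution log group, so retention is controlled here.
resource "aws_cloudwatch_log_group" "sfn" {
  name              = "/aws/vendedlogs/states/${local.name}"
  retention_in_days = 30
}

# Trust policy: only the Step Functions service acting for THIS account may
# assume the role. aws:SourceAccount is the confused-deputy guard.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["states.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "sfn" {
  name               = "${local.name}-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Only log-delivery and X-Ray write permissions; no task permissions until
# a workflow actually needs them.
data "aws_iam_policy_document" "observability" {
  statement {
    sid = "CloudWatchLogsDelivery"
    actions = [
      "logs:CreateLogDelivery",
      "logs:CreateLogStream",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
      "logs:ListLogDeliveries",
      "logs:PutLogEvents",
      "logs:PutResourcePolicy",
      "logs:DescribeResourcePolicies",
      "logs:DescribeLogGroups",
    ]
    resources = ["*"] # the log-delivery APIs do not support resource-level scoping
  }
  statement {
    sid = "XRayWrite"
    actions = [
      "xray:PutTraceSegments",
      "xray:PutTelemetryRecords",
      "xray:GetSamplingRules",
      "xray:GetSamplingTargets",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "observability" {
  name   = "${local.name}-observability"
  role   = aws_iam_role.sfn.id
  policy = data.aws_iam_policy_document.observability.json
}

# Trivial single Pass-state definition, enough to verify the wiring.
resource "aws_sfn_state_machine" "this" {
  name     = local.name
  type     = "STANDARD"
  role_arn = aws_iam_role.sfn.arn

  definition = jsonencode({
    Comment = "Placeholder workflow"
    StartAt = "Done"
    States  = { Done = { Type = "Pass", End = true } }
  })

  logging_configuration {
    log_destination        = "${aws_cloudwatch_log_group.sfn.arn}:*"
    include_execution_data = false # payloads stay out of the logs
    level                  = "ALL"
  }

  tracing_configuration {
    enabled = true
  }

  # Encryption at rest with the AWS-owned key; swap in CUSTOMER_MANAGED_KMS_KEY
  # plus kms_key_id to use your own key.
  encryption_configuration {
    type = "AWS_OWNED_KEY"
  }

  # The logging permissions must exist before the state machine is created.
  depends_on = [aws_iam_role_policy.observability]
}
```

The `depends_on` is the part most often missed: without it Terraform may create the state machine before the inline policy is attached, and the Step Functions API rejects the create because the role cannot yet deliver logs. The wildcard resources on the log-delivery statement are an AWS constraint, not a shortcut; task permissions should be added as a separate, resource-scoped policy.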

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs
  • Outputs
  • Security notes