From 2e504da99f363c45d410adbefce8a603fb77efb1 Mon Sep 17 00:00:00 2001 From: Ben Limmer Date: Sat, 3 Feb 2024 17:21:54 -0700 Subject: [PATCH 1/6] feat!(app-staging-synthesizer-alpha): use S3-Managed encryption by default --- .../app-staging-synthesizer-alpha/README.md | 6 +- .../lib/default-staging-stack.ts | 17 +- .../test/app-staging-synthesizer.test.ts | 10 +- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 +-------- .../cdk.out | 2 +- .../integ.json | 2 +- ...efaultTestDeployAssert44C8D370.assets.json | 2 +- .../manifest.json | 40 +-- .../synthesize-default-resources.assets.json | 2 +- .../tree.json | 145 +---------- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 ++++++++- .../cdk.out | 0 .../integ.json | 0 ...efaultTestDeployAssert44C8D370.assets.json | 0 ...aultTestDeployAssert44C8D370.template.json | 0 .../manifest.json | 12 + .../synthesize-default-encryption.assets.json | 0 ...ynthesize-default-encryption.template.json | 0 .../tree.json | 227 ++++++++++++++---- ...ption.ts => integ.synth-kms-encryption.ts} | 6 +- 20 files changed, 331 insertions(+), 358 deletions(-) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json (84%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/cdk.out (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integ.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.template.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/manifest.json (94%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/synthesize-default-encryption.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/synthesize-default-encryption.template.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.js.snapshot => integ.synth-kms-encryption.js.snapshot}/tree.json (70%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-default-encryption.ts => integ.synth-kms-encryption.ts} (78%) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index 8664303213f26..20ee1d39c2e34 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -267,8 +267,8 @@ const app = new App({ ### Staging Bucket Encryption -By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use -SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`. +By default, the staging resources will be stored in an S3 Bucket with S3 Managed encryption. To use +SSE-KMS, set `stagingBucketEncryption` to `BucketEncryption.KMS`. ```ts import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; @@ -276,7 +276,7 @@ import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); ``` diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index 70d5cfd65fbe3..62120c3bf5c1d 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -64,7 +64,7 @@ export interface DefaultStagingStackOptions { /** * Encryption type for staging bucket * - * @default - s3.BucketEncryption.KMS + * @default - s3.BucketEncryption.S3_MANAGED */ readonly stagingBucketEncryption?: s3.BucketEncryption; @@ -226,7 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { private readonly appId: string; private readonly stagingBucketName?: string; - private stagingBucketEncryption?: s3.BucketEncryption; + private stagingBucketEncryption: s3.BucketEncryption; /** * File publish role ARN in asset manifest format @@ -267,7 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.deployRoleArn = props.deployRoleArn; this.stagingBucketName = props.stagingBucketName; - this.stagingBucketEncryption = props.stagingBucketEncryption; + this.stagingBucketEncryption = props.stagingBucketEncryption ?? s3.BucketEncryption.S3_MANAGED; const specializer = new StringSpecializer(this, props.qualifier); this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer); @@ -368,15 +368,6 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.ensureFileRole(); - let key = undefined; - if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) { - if (this.stagingBucketEncryption === undefined) { - // default is KMS as an AWS best practice, and for backwards compatibility - this.stagingBucketEncryption = s3.BucketEncryption.KMS; - } - key = this.createBucketKey(); - } - // Create the bucket once the dependencies have been created const bucket = new s3.Bucket(this, bucketId, { bucketName: stagingBucketName, @@ -387,7 +378,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { removalPolicy: RemovalPolicy.RETAIN, }), encryption: this.stagingBucketEncryption, - encryptionKey: key, + encryptionKey: this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined, // Many AWS account safety checkers will complain when buckets aren't versioned versioned: true, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts index 9b0b502a967b1..c15f3faff972e 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts @@ -277,12 +277,12 @@ describe(AppStagingSynthesizer, () => { Status: 'Enabled', }]), }, - // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility + // When stagingBucketEncryption is not specified, it should be S3_MANAGED BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'aws:kms', + SSEAlgorithm: 'AES256', }, }, ], @@ -290,13 +290,13 @@ describe(AppStagingSynthesizer, () => { }); }); - test('staging bucket with SSE-S3 encryption', () => { + test('staging bucket with SSE-KMS encryption', () => { // GIVEN app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, deployTimeFileAssetLifetime: Duration.days(1), - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); stack = new Stack(app, 'Stack', { @@ -318,7 +318,7 @@ describe(AppStagingSynthesizer, () => { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'AES256', + SSEAlgorithm: 'aws:kms', }, }, ], diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index 4e2a7ddfdf99c..952f7fb10adcb 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,22 +85,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -113,91 +97,6 @@ ] } }, - "BucketKey7092080A": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "BucketKeyAlias69A0886F": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/cdk-default-resourcesmax-staging", - "TargetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -205,13 +104,7 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" + "SSEAlgorithm": "AES256" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out index c5cb2e5de6344..1f0068d32659a 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"35.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json index 4000c99e6da28..a6814ac222f55 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "testCases": { "integ-tests/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json index 5c520eaba3f94..50121024f8d99 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json index 04aceb69e51d6..656a674bb8c37 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "artifacts": { "synthesize-default-resources.assets": { "type": "cdk:asset-manifest", @@ -95,18 +95,6 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKey7092080A" - } - ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKeyAlias69A0886F" - } - ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", @@ -161,37 +149,19 @@ "data": "defaultresourcesmaxecrasset2904B88A7" } ], - "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5": [ - { - "type": "aws:cdk:logicalId", - "data": "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030": [ + "BucketKey7092080A": [ { "type": "aws:cdk:logicalId", - "data": "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030", + "data": "BucketKey7092080A", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] } ], - "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1": [ + "BucketKeyAlias69A0886F": [ { "type": "aws:cdk:logicalId", - "data": "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1", + "data": "BucketKeyAlias69A0886F", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json index 07e6912263a9c..9d7431524f2cc 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { "68539effc3f7ad46fff9765606c2a01b7f7965833643ab37e62799f19a37f650": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json index 4aee681c070e0..d16285819999c 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json @@ -493,22 +493,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -538,125 +522,6 @@ "version": "0.0.0" } }, - "BucketKey": { - "id": "BucketKey", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - }, - "Alias": { - "id": "Alias", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/cdk-default-resourcesmax-staging", - "targetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, "CdkStagingBucket": { "id": "CdkStagingBucket", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket", @@ -671,13 +536,7 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } + "sseAlgorithm": "AES256" } } ] @@ -933,7 +792,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProvider", + "fqn": "aws-cdk-lib.CustomResourceProviderBase", "version": "0.0.0" } }, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json similarity index 84% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index 94b5eb207a2e0..c8510eb0b2281 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,6 +85,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -97,6 +113,91 @@ ] } }, + "BucketKey7092080A": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketKeyAlias69A0886F": { + "Type": "AWS::KMS::Alias", + "Properties": { + "AliasName": "alias/cdk-default-resourcesmax-staging", + "TargetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -104,7 +205,13 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256" + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json similarity index 94% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json index 675984ebcad5b..62df22203480a 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json @@ -57,6 +57,18 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKey7092080A" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKeyAlias69A0886F" + } + ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json similarity index 70% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json index 871e7830afede..4c45484e156df 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json @@ -12,14 +12,14 @@ "id": "UsingAppStagingSynthesizer--synthesize-default-encryption", "path": "synthesize-default-encryption/UsingAppStagingSynthesizer--synthesize-default-encryption", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "@aws-cdk/app-staging-synthesizer-alpha.UsingAppStagingSynthesizer", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "StagingStack-default-resourcesmax-ACCOUNT-REGION": { @@ -34,8 +34,8 @@ "id": "ImportCdkFileRole", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/ImportCdkFileRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -85,8 +85,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { @@ -137,6 +137,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -150,20 +166,139 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "BucketKey": { + "id": "BucketKey", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + }, + "Alias": { + "id": "Alias", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Alias", + "aws:cdk:cloudformation:props": { + "aliasName": "alias/cdk-default-resourcesmax-staging", + "targetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnAlias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Alias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" } }, "CdkStagingBucket": { @@ -180,7 +315,13 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "AES256" + "sseAlgorithm": "aws:kms", + "kmsMasterKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } } ] @@ -221,8 +362,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" } }, "Policy": { @@ -374,14 +515,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", + "version": "0.0.0" } }, "AutoDeleteObjectsCustomResource": { @@ -392,20 +533,20 @@ "id": "Default", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource/Default", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CustomResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" } }, "Custom::S3AutoDeleteObjectsCustomResourceProvider": { @@ -416,28 +557,28 @@ "id": "Role", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } }, "Handler": { "id": "Handler", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CustomResourceProviderBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "@aws-cdk/app-staging-synthesizer-alpha.DefaultStagingStack", + "version": "0.0.0" } }, "integ-tests": { @@ -464,22 +605,22 @@ "id": "BootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } } }, @@ -504,8 +645,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts similarity index 78% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts index b094351f94938..f73aae359ac95 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts @@ -10,10 +10,10 @@ const app = new App({ }, }); -const stackDefaultEncryption = new Stack(app, 'synthesize-default-encryption', { +const stackKmsEncryption = new Stack(app, 'synthesize-default-encryption', { synthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID_MAX, // this has implications on the overall template size - stagingBucketEncryption: BucketEncryption.S3_MANAGED, + stagingBucketEncryption: BucketEncryption.KMS, }), }); @@ -23,7 +23,7 @@ if (!defaultStagingStack) { } new integ.IntegTest(app, 'integ-tests', { - testCases: [defaultStagingStack, stackDefaultEncryption], + testCases: [defaultStagingStack, stackKmsEncryption], }); app.synth(); From 192611a4a1c530d91597b83e43d4a8001a64950b Mon Sep 17 00:00:00 2001 From: Ben Limmer Date: Sat, 10 Feb 2024 10:06:42 -0700 Subject: [PATCH 2/6] Revert "feat!(app-staging-synthesizer-alpha): use S3-Managed encryption by default" This reverts commit 2e504da99f363c45d410adbefce8a603fb77efb1. --- .../app-staging-synthesizer-alpha/README.md | 6 +- .../lib/default-staging-stack.ts | 17 +- .../test/app-staging-synthesizer.test.ts | 10 +- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 +-------- .../cdk.out | 0 .../integ.json | 0 ...efaultTestDeployAssert44C8D370.assets.json | 0 ...aultTestDeployAssert44C8D370.template.json | 0 .../manifest.json | 12 - .../synthesize-default-encryption.assets.json | 0 ...ynthesize-default-encryption.template.json | 0 .../tree.json | 227 ++++-------------- ...n.ts => integ.synth-default-encryption.ts} | 6 +- ...-resourcesmax-ACCOUNT-REGION.template.json | 109 ++++++++- .../cdk.out | 2 +- .../integ.json | 2 +- ...efaultTestDeployAssert44C8D370.assets.json | 2 +- .../manifest.json | 40 ++- .../synthesize-default-resources.assets.json | 2 +- .../tree.json | 145 ++++++++++- 20 files changed, 358 insertions(+), 331 deletions(-) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json (84%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/cdk.out (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/integ.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/integtestsDefaultTestDeployAssert44C8D370.template.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/manifest.json (94%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/synthesize-default-encryption.assets.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/synthesize-default-encryption.template.json (100%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.js.snapshot => integ.synth-default-encryption.js.snapshot}/tree.json (70%) rename packages/@aws-cdk/app-staging-synthesizer-alpha/test/{integ.synth-kms-encryption.ts => integ.synth-default-encryption.ts} (78%) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index 20ee1d39c2e34..8664303213f26 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -267,8 +267,8 @@ const app = new App({ ### Staging Bucket Encryption -By default, the staging resources will be stored in an S3 Bucket with S3 Managed encryption. To use -SSE-KMS, set `stagingBucketEncryption` to `BucketEncryption.KMS`. +By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use +SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`. ```ts import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; @@ -276,7 +276,7 @@ import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', - stagingBucketEncryption: BucketEncryption.KMS, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); ``` diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index 62120c3bf5c1d..70d5cfd65fbe3 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -64,7 +64,7 @@ export interface DefaultStagingStackOptions { /** * Encryption type for staging bucket * - * @default - s3.BucketEncryption.S3_MANAGED + * @default - s3.BucketEncryption.KMS */ readonly stagingBucketEncryption?: s3.BucketEncryption; @@ -226,7 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { private readonly appId: string; private readonly stagingBucketName?: string; - private stagingBucketEncryption: s3.BucketEncryption; + private stagingBucketEncryption?: s3.BucketEncryption; /** * File publish role ARN in asset manifest format @@ -267,7 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.deployRoleArn = props.deployRoleArn; this.stagingBucketName = props.stagingBucketName; - this.stagingBucketEncryption = props.stagingBucketEncryption ?? s3.BucketEncryption.S3_MANAGED; + this.stagingBucketEncryption = props.stagingBucketEncryption; const specializer = new StringSpecializer(this, props.qualifier); this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer); @@ -368,6 +368,15 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.ensureFileRole(); + let key = undefined; + if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) { + if (this.stagingBucketEncryption === undefined) { + // default is KMS as an AWS best practice, and for backwards compatibility + this.stagingBucketEncryption = s3.BucketEncryption.KMS; + } + key = this.createBucketKey(); + } + // Create the bucket once the dependencies have been created const bucket = new s3.Bucket(this, bucketId, { bucketName: stagingBucketName, @@ -378,7 +387,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { removalPolicy: RemovalPolicy.RETAIN, }), encryption: this.stagingBucketEncryption, - encryptionKey: this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined, + encryptionKey: key, // Many AWS account safety checkers will complain when buckets aren't versioned versioned: true, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts index c15f3faff972e..9b0b502a967b1 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts @@ -277,12 +277,12 @@ describe(AppStagingSynthesizer, () => { Status: 'Enabled', }]), }, - // When stagingBucketEncryption is not specified, it should be S3_MANAGED + // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'AES256', + SSEAlgorithm: 'aws:kms', }, }, ], @@ -290,13 +290,13 @@ describe(AppStagingSynthesizer, () => { }); }); - test('staging bucket with SSE-KMS encryption', () => { + test('staging bucket with SSE-S3 encryption', () => { // GIVEN app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, deployTimeFileAssetLifetime: Duration.days(1), - stagingBucketEncryption: BucketEncryption.KMS, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); stack = new Stack(app, 'Stack', { @@ -318,7 +318,7 @@ describe(AppStagingSynthesizer, () => { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { - SSEAlgorithm: 'aws:kms', + SSEAlgorithm: 'AES256', }, }, ], diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json similarity index 84% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index c8510eb0b2281..94b5eb207a2e0 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,22 +85,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -113,91 +97,6 @@ ] } }, - "BucketKey7092080A": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "BucketKeyAlias69A0886F": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/cdk-default-resourcesmax-staging", - "TargetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -205,13 +104,7 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" + "SSEAlgorithm": "AES256" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/cdk.out rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integ.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json similarity index 94% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json index 62df22203480a..675984ebcad5b 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/manifest.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json @@ -57,18 +57,6 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKey7092080A" - } - ], - "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "BucketKeyAlias69A0886F" - } - ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.assets.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json similarity index 100% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/synthesize-default-encryption.template.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json similarity index 70% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json index 4c45484e156df..871e7830afede 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json @@ -12,14 +12,14 @@ "id": "UsingAppStagingSynthesizer--synthesize-default-encryption", "path": "synthesize-default-encryption/UsingAppStagingSynthesizer--synthesize-default-encryption", "constructInfo": { - "fqn": "@aws-cdk/app-staging-synthesizer-alpha.UsingAppStagingSynthesizer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "StagingStack-default-resourcesmax-ACCOUNT-REGION": { @@ -34,8 +34,8 @@ "id": "ImportCdkFileRole", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/ImportCdkFileRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -85,8 +85,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -137,22 +137,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -166,139 +150,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "BucketKey": { - "id": "BucketKey", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:Create*", - "kms:Delete*", - "kms:Describe*", - "kms:Disable*", - "kms:Enable*", - "kms:Get*", - "kms:List*", - "kms:Put*", - "kms:Revoke*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:Update*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - }, - "Alias": { - "id": "Alias", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", - "children": { - "Resource": { - "id": "Resource", - "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/cdk-default-resourcesmax-staging", - "targetKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CdkStagingBucket": { @@ -315,13 +180,7 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "BucketKey7092080A", - "Arn" - ] - } + "sseAlgorithm": "AES256" } } ] @@ -362,8 +221,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Policy": { @@ -515,14 +374,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AutoDeleteObjectsCustomResource": { @@ -533,20 +392,20 @@ "id": "Default", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource/Default", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Custom::S3AutoDeleteObjectsCustomResourceProvider": { @@ -557,28 +416,28 @@ "id": "Role", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Handler": { "id": "Handler", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/app-staging-synthesizer-alpha.DefaultStagingStack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "integ-tests": { @@ -605,22 +464,22 @@ "id": "BootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -645,8 +504,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts similarity index 78% rename from packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts rename to packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts index f73aae359ac95..b094351f94938 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-kms-encryption.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts @@ -10,10 +10,10 @@ const app = new App({ }, }); -const stackKmsEncryption = new Stack(app, 'synthesize-default-encryption', { +const stackDefaultEncryption = new Stack(app, 'synthesize-default-encryption', { synthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID_MAX, // this has implications on the overall template size - stagingBucketEncryption: BucketEncryption.KMS, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); @@ -23,7 +23,7 @@ if (!defaultStagingStack) { } new integ.IntegTest(app, 'integ-tests', { - testCases: [defaultStagingStack, stackKmsEncryption], + testCases: [defaultStagingStack, stackDefaultEncryption], }); app.synth(); diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json index 952f7fb10adcb..4e2a7ddfdf99c 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -85,6 +85,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -97,6 +113,91 @@ ] } }, + "BucketKey7092080A": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketKeyAlias69A0886F": { + "Type": "AWS::KMS::Alias", + "Properties": { + "AliasName": "alias/cdk-default-resourcesmax-staging", + "TargetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, "CdkStagingBucket1636058C": { "Type": "AWS::S3::Bucket", "Properties": { @@ -104,7 +205,13 @@ "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256" + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" } } ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out index 1f0068d32659a..c5cb2e5de6344 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"35.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json index a6814ac222f55..4000c99e6da28 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "35.0.0", "testCases": { "integ-tests/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json index 50121024f8d99..5c520eaba3f94 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "35.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json index 656a674bb8c37..04aceb69e51d6 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "35.0.0", "artifacts": { "synthesize-default-resources.assets": { "type": "cdk:asset-manifest", @@ -95,6 +95,18 @@ "data": "CdkFileRoleDefaultPolicy621C7E5B" } ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKey7092080A" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketKeyAlias69A0886F" + } + ], "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ { "type": "aws:cdk:logicalId", @@ -149,19 +161,37 @@ "data": "defaultresourcesmaxecrasset2904B88A7" } ], - "BucketKey7092080A": [ + "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5": [ + { + "type": "aws:cdk:logicalId", + "data": "defaultresourcesmaxecrasset1AutoDeleteImagesCustomResource0FD7F0F5", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030": [ { "type": "aws:cdk:logicalId", - "data": "BucketKey7092080A", + "data": "CustomECRAutoDeleteImagesCustomResourceProviderHandler8D89C030", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] } ], - "BucketKeyAlias69A0886F": [ + "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1": [ { "type": "aws:cdk:logicalId", - "data": "BucketKeyAlias69A0886F", + "data": "defaultresourcesmaxecrasset2AutoDeleteImagesCustomResource708714C1", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json index 9d7431524f2cc..07e6912263a9c 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-default-resources.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "35.0.0", "files": { "68539effc3f7ad46fff9765606c2a01b7f7965833643ab37e62799f19a37f650": { "source": { diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json index d16285819999c..4aee681c070e0 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/tree.json @@ -493,6 +493,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -522,6 +538,125 @@ "version": "0.0.0" } }, + "BucketKey": { + "id": "BucketKey", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + }, + "Alias": { + "id": "Alias", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/BucketKey/Alias/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Alias", + "aws:cdk:cloudformation:props": { + "aliasName": "alias/cdk-default-resourcesmax-staging", + "targetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnAlias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Alias", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, "CdkStagingBucket": { "id": "CdkStagingBucket", "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket", @@ -536,7 +671,13 @@ "serverSideEncryptionConfiguration": [ { "serverSideEncryptionByDefault": { - "sseAlgorithm": "AES256" + "sseAlgorithm": "aws:kms", + "kmsMasterKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } } } ] @@ -792,7 +933,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", + "fqn": "aws-cdk-lib.CustomResourceProvider", "version": "0.0.0" } }, From 9249e1cf15c065046966d95e1948395321d2cebe Mon Sep 17 00:00:00 2001 From: Ben Limmer Date: Sat, 10 Feb 2024 10:24:42 -0700 Subject: [PATCH 3/6] feat!(app-staging-synthesizer-alpha): make stagingBucketEncryption a required property --- .../app-staging-synthesizer-alpha/README.md | 23 +++++++++-------- .../lib/default-staging-stack.ts | 25 +++++++++++++------ .../test/app-staging-synthesizer.test.ts | 10 +++++--- .../test/bootstrap-roles.test.ts | 11 +++++++- .../test/default-staging-stack.test.ts | 7 +++++- .../test/integ.synth-default-resources.ts | 2 ++ .../test/per-env-staging-factory.test.ts | 4 +++ 7 files changed, 58 insertions(+), 24 deletions(-) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index 8664303213f26..fd7326cc63066 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -267,19 +267,20 @@ const app = new App({ ### Staging Bucket Encryption -By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use -SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`. +You must explicitly specify the encryption type for the staging bucket via the `stagingBucketEncryption` property. In +future versions of this package, the default will be `BucketEncryption.S3_MANAGED`. -```ts -import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; +In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost +$1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module +we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 +managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. -const app = new App({ - defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ - appId: 'my-app-id', - stagingBucketEncryption: BucketEncryption.S3_MANAGED, - }), -}); -``` +If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to +`BucketEncryption.KMS`. If you are creating a new staging bucket, you can set this property to +`BucketEncryption.S3_MANAGED` to avoid the cost of a KMS key. + +You can learn more about choosing a bucket encryption type in the +[S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). ## Using a Custom Staging Stack per Environment diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index 70d5cfd65fbe3..e91910750cf3e 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -64,9 +64,18 @@ export interface DefaultStagingStackOptions { /** * Encryption type for staging bucket * - * @default - s3.BucketEncryption.KMS + * In future versions of this package, the default will be BucketEncryption.S3_MANAGED. + * + * In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost + * $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module + * we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 + * managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. + * + * If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to + * BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to + * BucketEncryption.S3_MANAGED to avoid the cost of a KMS key. */ - readonly stagingBucketEncryption?: s3.BucketEncryption; + readonly stagingBucketEncryption: s3.BucketEncryption; /** * Pass in an existing role to be used as the file publishing role. @@ -226,7 +235,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { private readonly appId: string; private readonly stagingBucketName?: string; - private stagingBucketEncryption?: s3.BucketEncryption; + private stagingBucketEncryption: s3.BucketEncryption; /** * File publish role ARN in asset manifest format @@ -267,7 +276,11 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.deployRoleArn = props.deployRoleArn; this.stagingBucketName = props.stagingBucketName; + + // FIXME: when stabilizing this module, we should make `stagingBucketEncryption` optional, defaulting to S3_MANAGED. + // See https://github.com/aws/aws-cdk/pull/28978#issuecomment-1930007176 for details on this decision. this.stagingBucketEncryption = props.stagingBucketEncryption; + const specializer = new StringSpecializer(this, props.qualifier); this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer); @@ -369,11 +382,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.ensureFileRole(); let key = undefined; - if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) { - if (this.stagingBucketEncryption === undefined) { - // default is KMS as an AWS best practice, and for backwards compatibility - this.stagingBucketEncryption = s3.BucketEncryption.KMS; - } + if (this.stagingBucketEncryption === s3.BucketEncryption.KMS) { key = this.createBucketKey(); } diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts index 9b0b502a967b1..8e9f389b2c191 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts @@ -16,7 +16,7 @@ describe(AppStagingSynthesizer, () => { beforeEach(() => { app = new App({ - defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID }), + defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, stagingBucketEncryption: BucketEncryption.S3_MANAGED }), }); stack = new Stack(app, 'Stack', { env: { @@ -63,7 +63,7 @@ describe(AppStagingSynthesizer, () => { test('stack template is in the asset manifest - environment tokens', () => { const app2 = new App({ - defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID }), + defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, stagingBucketEncryption: BucketEncryption.S3_MANAGED }), }); const accountToken = Token.asString('111111111111'); const regionToken = Token.asString('us-east-2'); @@ -253,6 +253,7 @@ describe(AppStagingSynthesizer, () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, deployTimeFileAssetLifetime: Duration.days(1), + stagingBucketEncryption: BucketEncryption.KMS, }), }); stack = new Stack(app, 'Stack', { @@ -277,7 +278,6 @@ describe(AppStagingSynthesizer, () => { Status: 'Enabled', }]), }, - // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility BucketEncryption: { ServerSideEncryptionConfiguration: [ { @@ -470,6 +470,7 @@ describe(AppStagingSynthesizer, () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, imageAssetVersionCount: 1, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); stack = new Stack(app, 'Stack', { @@ -513,6 +514,7 @@ describe(AppStagingSynthesizer, () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, autoDeleteStagingAssets: false, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); stack = new Stack(app, 'Stack', { @@ -544,6 +546,7 @@ describe(AppStagingSynthesizer, () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, stagingStackNamePrefix: prefix, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); stack = new Stack(app, 'Stack', { @@ -573,6 +576,7 @@ describe(AppStagingSynthesizer, () => { expect(() => new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: Lazy.string({ produce: () => 'appId' }), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), })).toThrowError(/AppStagingSynthesizer property 'appId' may not contain tokens;/); }); diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/bootstrap-roles.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/bootstrap-roles.test.ts index 63ff52e77e3fe..022e4a2cb603a 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/bootstrap-roles.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/bootstrap-roles.test.ts @@ -1,5 +1,6 @@ import * as fs from 'fs'; import { App, Stack, CfnResource } from 'aws-cdk-lib'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema'; import { APP_ID, isAssetManifest } from './util'; import { AppStagingSynthesizer, BootstrapRole, DeploymentIdentities } from '../lib'; @@ -14,6 +15,7 @@ describe('Boostrap Roles', () => { const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'super long app id that needs to be cut', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); const stack = new Stack(app, 'Stack', { @@ -47,6 +49,7 @@ describe('Boostrap Roles', () => { lookupRole: BootstrapRole.fromRoleArn(LOOKUP_ROLE), deploymentRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE), }), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); const stack = new Stack(app, 'Stack', { @@ -79,6 +82,7 @@ describe('Boostrap Roles', () => { deploymentIdentities: DeploymentIdentities.defaultBootstrapRoles({ bootstrapRegion: 'us-west-2', }), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); @@ -100,6 +104,7 @@ describe('Boostrap Roles', () => { deploymentIdentities: DeploymentIdentities.defaultBootstrapRoles({ bootstrapRegion: 'us-west-2', }), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); @@ -118,6 +123,7 @@ describe('Boostrap Roles', () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, fileAssetPublishingRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/S3Access'), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); const stack = new Stack(app, 'Stack', { @@ -148,6 +154,7 @@ describe('Boostrap Roles', () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, imageAssetPublishingRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/ECRAccess'), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); const stack = new Stack(app, 'Stack', { @@ -180,6 +187,7 @@ describe('Boostrap Roles', () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, deploymentIdentities: DeploymentIdentities.cliCredentials(), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); const stack = new Stack(app, 'Stack', { @@ -209,6 +217,7 @@ describe('Boostrap Roles', () => { defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ bootstrapQualifier: 'abcdef', appId: APP_ID, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); new Stack(app, 'Stack', { @@ -245,4 +254,4 @@ function synthStack(app: App) { // THEN return asm.getStackArtifact('Stack'); -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/default-staging-stack.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/default-staging-stack.test.ts index ffb00dd7b1259..f2df4b2a671b4 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/default-staging-stack.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/default-staging-stack.test.ts @@ -1,4 +1,5 @@ import { App } from 'aws-cdk-lib'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; import { testWithXRepos } from './util'; import { DefaultStagingStack } from '../lib'; @@ -16,6 +17,7 @@ describe('default staging stack', () => { expect(() => new DefaultStagingStack(app, 'stack', { appId: 'a'.repeat(21), qualifier: 'qualifier', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, })).toThrowError(/appId expected no more than 20 characters but got 21 characters./); }); @@ -24,6 +26,7 @@ describe('default staging stack', () => { expect(() => new DefaultStagingStack(app, 'stack', { appId: 'ABCDEF', qualifier: 'qualifier', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, })).toThrowError(/appId only accepts lowercase characters./); }); @@ -32,6 +35,7 @@ describe('default staging stack', () => { expect(() => new DefaultStagingStack(app, 'stack', { appId: 'ca$h', qualifier: 'qualifier', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, })).toThrowError(/appId expects only letters, numbers, and dashes \('-'\)/); }); @@ -41,6 +45,7 @@ describe('default staging stack', () => { expect(() => new DefaultStagingStack(app, 'stack', { appId, qualifier: 'qualifier', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, })).toThrowError([ `appId ${appId} has errors:`, 'appId expected no more than 20 characters but got 40 characters.', @@ -49,4 +54,4 @@ describe('default staging stack', () => { ].join('\n')); }); }); -}); \ No newline at end of file +}); diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.ts index 37bfa697f2794..5e21a52cf1464 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.ts @@ -2,6 +2,7 @@ import * as path from 'path'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { App, Stack } from 'aws-cdk-lib'; import * as lambda from 'aws-cdk-lib/aws-lambda'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; import { APP_ID_MAX } from './util'; import { AppStagingSynthesizer } from '../lib'; @@ -17,6 +18,7 @@ const app = new App({ const stack = new Stack(app, 'synthesize-default-resources', { synthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID_MAX, // this has implications on the overall template size + stagingBucketEncryption: BucketEncryption.KMS, }), }); diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/per-env-staging-factory.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/per-env-staging-factory.test.ts index a5001aaa9f2f4..d865f86637b00 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/per-env-staging-factory.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/per-env-staging-factory.test.ts @@ -1,4 +1,5 @@ import { App, Stack } from 'aws-cdk-lib'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; import { APP_ID } from './util'; import { AppStagingSynthesizer } from '../lib'; @@ -8,6 +9,7 @@ describe('per environment cache', () => { const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); new Stack(app, 'Stack1', { @@ -36,6 +38,7 @@ describe('per environment cache', () => { const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); new Stack(app, 'Stack1', { @@ -64,6 +67,7 @@ describe('per environment cache', () => { const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: APP_ID, + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); new Stack(app, 'Stack1', { From d9c0b7a3673f4a1bec4a9aa2270855f037ebb506 Mon Sep 17 00:00:00 2001 From: Ben Limmer Date: Sat, 10 Feb 2024 11:11:27 -0700 Subject: [PATCH 4/6] fix: readme --- .../app-staging-synthesizer-alpha/README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index fd7326cc63066..a679aaeac916b 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -35,6 +35,7 @@ To get started, update your CDK App with a new `defaultStackSynthesizer`: const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', // put a unique id here + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), }); ``` @@ -97,6 +98,7 @@ its staging resources. To use this kind of synthesizer, use `AppStagingSynthesiz const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, // The following line is optional. By default it is assumed you have bootstrapped in the same // region(s) as the stack(s) you are deploying. @@ -118,7 +120,10 @@ used to upload the asset to S3. ```ts const app = new App({ - defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id' }), + defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ + appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED + }), }); const stack = new Stack(app, 'my-stack'); @@ -141,6 +146,7 @@ if all you need is to supply custom roles (and not change anything else in the ` const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, deploymentIdentities: DeploymentIdentities.specifyRoles({ cloudFormationExecutionRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Execute'), deploymentRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Deploy'), @@ -161,6 +167,7 @@ and `CloudFormationExecutionRole` in the const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, deploymentIdentities: DeploymentIdentities.cliCredentials(), }), }); @@ -174,6 +181,7 @@ assumable by the deployment role. You can also specify an existing IAM role for const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, fileAssetPublishingRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/S3Access'), imageAssetPublishingRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/ECRAccess'), }), @@ -226,6 +234,7 @@ template, without rebuilding and republishing assets. const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, deployTimeFileAssetLifetime: Duration.days(100), }), }); @@ -244,6 +253,7 @@ To change the number of revisions stored, use `imageAssetVersionCount`: const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, imageAssetVersionCount: 10, }), }); @@ -260,6 +270,7 @@ cleanup. To turn this off, specify `autoDeleteStagingAssets: false`. const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, autoDeleteStagingAssets: false, }), }); From 1cbf73773f206d1229ecf91388eefa934e8b37a2 Mon Sep 17 00:00:00 2001 From: Ben Limmer Date: Sat, 10 Feb 2024 14:47:51 -0700 Subject: [PATCH 5/6] more fixes --- .../app-staging-synthesizer-alpha/README.md | 18 ++++++++++++++++++ .../lib/default-staging-stack.ts | 3 ++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index a679aaeac916b..d66ab51d30a7b 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -32,6 +32,8 @@ are as follows: To get started, update your CDK App with a new `defaultStackSynthesizer`: ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', // put a unique id here @@ -95,6 +97,8 @@ synthesizer will create a new Staging Stack in each environment the CDK App is d its staging resources. To use this kind of synthesizer, use `AppStagingSynthesizer.defaultResources()`. ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -119,6 +123,8 @@ source code. As part of the `DefaultStagingStack`, an S3 bucket and IAM role wil used to upload the asset to S3. ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -143,6 +149,8 @@ You can customize some or all of the roles you'd like to use in the synthesizer if all you need is to supply custom roles (and not change anything else in the `DefaultStagingStack`): ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -164,6 +172,8 @@ and `CloudFormationExecutionRole` in the [bootstrap template](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml). ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -178,6 +188,8 @@ assumable by the deployment role. You can also specify an existing IAM role for `fileAssetPublishingRole` or `imageAssetPublishingRole`: ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -231,6 +243,8 @@ to a previous version of an application just by doing a CloudFormation deploymen template, without rebuilding and republishing assets. ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -250,6 +264,8 @@ purged. To change the number of revisions stored, use `imageAssetVersionCount`: ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', @@ -267,6 +283,8 @@ or `emptyOnDelete` turned on. This creates custom resources under the hood to fa cleanup. To turn this off, specify `autoDeleteStagingAssets: false`. ```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index e91910750cf3e..bd7f07936e0a9 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -164,7 +164,8 @@ export interface DefaultStagingStackProps extends DefaultStagingStackOptions, St * A default Staging Stack that implements IStagingResources. * * @example - * const defaultStagingStack = DefaultStagingStack.factory({ appId: 'my-app-id' }); + * import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + * const defaultStagingStack = DefaultStagingStack.factory({ appId: 'my-app-id', stagingBucketEncryption: BucketEncryption.S3_MANAGED }); */ export class DefaultStagingStack extends Stack implements IStagingResources { /** From a03399383ffec085755ea8daf084dca5bce45546 Mon Sep 17 00:00:00 2001 From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Tue, 13 Feb 2024 16:10:48 -0500 Subject: [PATCH 6/6] Apply suggestions from code review --- packages/@aws-cdk/app-staging-synthesizer-alpha/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index d66ab51d30a7b..1e45d14d5a2f7 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -128,7 +128,7 @@ import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; const app = new App({ defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ appId: 'my-app-id', - stagingBucketEncryption: BucketEncryption.S3_MANAGED + stagingBucketEncryption: BucketEncryption.S3_MANAGED, }), });