chore(kms): prefer new aliasArn to keyArn for getting arn of an alias (#28197)

rafaelrcamargo · web-flow · commit 6126413bc6bb · 2023-12-05T17:21:16.000Z
**Motivation:** The current implementation of `keyArn` within the AWS CDK AWS KMS module returns the Key ARN for a key and an alias, which causes confusion for users expecting the Alias ARN. This PR aims to alleviate this confusion by providing clearer access to the Alias ARN. **Changes:** Introducing a new attribute `aliasArn` that mirrors the value from `keyArn` specifically for aliases to explicitly retrieve the Alias ARN. ```typescript /** * The ARN of the alias. * * @Attribute * @deprecated use `aliasArn` instead */ public get keyArn(): string { return Stack.of(this).formatArn({ service: 'kms', // aliasName already contains the '/' resource: this.aliasName, }); } /** * The ARN of the alias. * * @Attribute */ public get aliasArn(): string { return this.keyArn; } ``` **Query:** Should we deprecate the existing `keyArn` and mirror it in `aliasArn` or change the logic within `keyArn` to `aliasArn` and use the `keyArn` as the mirror? > Your feedback on the preferred approach would be greatly appreciated! Closes #28105. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -59,6 +59,12 @@ abstract class AliasBase extends Resource implements IAlias {
 
   public abstract readonly aliasTargetKey: IKey;
 
+  /**
+   * The ARN of the alias.
+   *
+   * @attribute
+   * @deprecated use `aliasArn` instead
+   */
   public get keyArn(): string {
     return Stack.of(this).formatArn({
       service: 'kms',
@@ -67,6 +73,19 @@ abstract class AliasBase extends Resource implements IAlias {
     });
   }
 
+  /**
+   * The ARN of the alias.
+   *
+   * @attribute
+   */
+  public get aliasArn(): string {
+    return Stack.of(this).formatArn({
+      service: 'kms',
+      // aliasName already contains the '/'
+      resource: this.aliasName,
+    });
+  }
+
   public get keyId(): string {
     return this.aliasName;
   }
diff --git a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import { ArnPrincipal, PolicyStatement } from '../../aws-iam';
-import { App, Aws, CfnOutput, Stack } from '../../core';
+import { App, Arn, Aws, CfnOutput, Stack } from '../../core';
 import { KMS_ALIAS_NAME_REF } from '../../cx-api';
 import { Alias } from '../lib/alias';
 import { IKey, Key } from '../lib/key';
@@ -357,6 +357,30 @@ test('does not add alias if starts with token', () => {
   });
 });
 
+test('aliasArn and keyArn from alias should match', () => {
+  const app = new App();
+  const stack = new Stack(app, 'Test');
+  const key = new Key(stack, 'Key');
+
+  const alias = new Alias(stack, 'Alias', { targetKey: key, aliasName: 'alias/foo' });
+
+  expect(alias.aliasArn).toEqual(alias.keyArn);
+});
+
+test('aliasArn should be a valid ARN', () => {
+  const app = new App();
+  const stack = new Stack(app, 'Test');
+  const key = new Key(stack, 'Key');
+
+  const alias = new Alias(stack, 'Alias', { targetKey: key, aliasName: 'alias/foo' });
+
+  expect(alias.aliasArn).toEqual(Arn.format({
+    service: 'kms',
+    // aliasName already contains the '/'
+    resource: alias.aliasName,
+  }, stack));
+});
+
 class AliasOutputsConstruct extends Construct {
   constructor(scope: Construct, id: string, key: IKey) {
     super(scope, id);
