
Commit b60876f

authored
feat(codepipeline-actions): add KMSEncryptionKeyARN for S3DeployAction (#24536)
Add KMSEncryptionKeyARN for S3DeployAction Closes #24535. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent de8fb8f commit b60876f

10 files changed

+555
-199
lines changed


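--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json
@@ -14,15 +14,15 @@
 }
 }
 },
-"c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e": {
+"0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9": {
 "source": {
 "path": "aws-cdk-codepipeline-s3-deploy.template.json",
 "packaging": "file"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-"objectKey": "c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json",
+"objectKey": "0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }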

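--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json
@@ -1,8 +1,59 @@
 {
 "Resources": {
+"EnvVarEncryptKey1A7CABDB": {
+"Type": "AWS::KMS::Key",
+"Properties": {
+"KeyPolicy": {
+"Statement": [
+{
+"Action": "kms:*",
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+},
+"Description": "sample key"
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain"
+},
 "PipelineBucketB967BD35": {
 "Type": "AWS::S3::Bucket",
 "Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"KMSMasterKeyID": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+},
+"SSEAlgorithm": "aws:kms"
+}
+}
+]
+},
 "Tags": [
 {
 "Key": "aws-cdk:auto-delete-objects",
@@ -369,6 +420,22 @@
 }
 ]
 },
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:GenerateDataKey*",
+"kms:ReEncrypt*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+}
+},
 {
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
@@ -462,7 +529,13 @@
 "Extract": "false",
 "ObjectKey": "key",
 "CannedACL": "private",
-"CacheControl": "public, max-age=43200"
+"CacheControl": "public, max-age=43200",
+"KMSEncryptionKeyARN": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+}
 },
 "InputArtifacts": [
 {
@@ -515,6 +588,15 @@
 }
 ],
 "ArtifactStore": {
+"EncryptionKey": {
+"Id": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+},
+"Type": "KMS"
+},
 "Location": {
 "Ref": "PipelineBucketB967BD35"
 },
@@ -599,6 +681,22 @@
 }
 ]
 },
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:GenerateDataKey*",
+"kms:ReEncrypt*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+}
+},
 {
 "Action": [
 "s3:Abort*",
@@ -765,6 +863,22 @@
 ]
 }
 ]
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:GenerateDataKey*",
+"kms:ReEncrypt*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+}
 }
 ],
 "Version": "2012-10-17"
@@ -877,6 +991,19 @@
 ]
 }
 ]
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"EnvVarEncryptKey1A7CABDB",
+"Arn"
+]
+}
 }
 ],
 "Version": "2012-10-17"
@@ -994,6 +1121,14 @@
 }
 },
 "Outputs": {
+"ExportsOutputRefDeployBucket67E2C076D8DEC04D": {
+"Value": {
+"Ref": "DeployBucket67E2C076"
+},
+"Export": {
+"Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D"
+}
+},
 "ExportsOutputRefPipelineBucketB967BD35BAE6E881": {
 "Value": {
 "Ref": "PipelineBucketB967BD35"
@@ -1009,14 +1144,6 @@
 "Export": {
 "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefPipelineC660917DEB540586"
 }
-},
-"ExportsOutputRefDeployBucket67E2C076D8DEC04D": {
-"Value": {
-"Ref": "DeployBucket67E2C076"
-},
-"Export": {
-"Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D"
-}
 }
 },
 "Parameters": {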

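--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json",
+"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
@@ -33,6 +33,12 @@
 "aws-cdk-codepipeline-s3-deploy.assets"
 ],
 "metadata": {
+"/aws-cdk-codepipeline-s3-deploy/EnvVarEncryptKey/Resource": [
+{
+"type": "aws:cdk:logicalId",
+"data": "EnvVarEncryptKey1A7CABDB"
+}
+],
 "/aws-cdk-codepipeline-s3-deploy/PipelineBucket/Resource": [
 {
 "type": "aws:cdk:logicalId",
@@ -159,22 +165,22 @@
 "data": "PipelineDisabledDisabledDeployActionCodePipelineActionRoleDefaultPolicyB1AF629C"
 }
 ],
-"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [
+"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [
 {
 "type": "aws:cdk:logicalId",
-"data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881"
+"data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D"
 }
 ],
-"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [
+"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [
 {
 "type": "aws:cdk:logicalId",
-"data": "ExportsOutputRefPipelineC660917DEB540586"
+"data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881"
 }
 ],
-"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [
+"/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [
 {
 "type": "aws:cdk:logicalId",
-"data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D"
+"data": "ExportsOutputRefPipelineC660917DEB540586"
 }
 ],
 "/aws-cdk-codepipeline-s3-deploy/BootstrapVersion": [
@@ -208,7 +214,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json",
+"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
@@ -225,10 +231,10 @@
 "s3deploytestDefaultTestDeployAssert6BC61647.assets"
 ],
 "metadata": {
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/Default/Default": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/Default/Default": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallS3putObject"
+"data": "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330"
 }
 ],
 "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction1488541a7b23466481b69b4408076b81/Role": [
@@ -243,40 +249,46 @@
 "data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/Default/Default": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/Default/Default": [
+{
+"type": "aws:cdk:logicalId",
+"data": "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d"
+}
+],
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/Default/Default": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallCodePipelinegetPipelineState"
+"data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider/Invoke": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider/Invoke": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallCodePipelinegetPipelineStateWaitForIsCompleteProviderInvokeB83E9F2C"
+"data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForIsCompleteProviderInvoke821ABA06"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider/Invoke": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider/Invoke": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallCodePipelinegetPipelineStateWaitForTimeoutProviderInvoke96D2C126"
+"data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForTimeoutProviderInvoke2F043504"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Role": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Role": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47"
+"data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Resource": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Resource": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78"
+"data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/AssertionResults": [
+"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/AssertionResults": [
 {
 "type": "aws:cdk:logicalId",
-"data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState"
+"data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e"
 }
 ],
 "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction76b3e830a873425f8453eddd85c86925/Role": [
@@ -303,12 +315,6 @@
 "data": "SingletonFunction5c1898e096fb4e3e95d5f6c67f3ce41aHandlerADF3E6EA"
 }
 ],
-"/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/Default/Default": [
-{
-"type": "aws:cdk:logicalId",
-"data": "AwsApiCallS3getObject"
-}
-],
 "/s3-deploy-test/DefaultTest/DeployAssert/BootstrapVersion": [
 {
 "type": "aws:cdk:logicalId",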

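--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json
@@ -14,15 +14,15 @@
 }
 }
 },
-"2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab": {
+"a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75": {
 "source": {
 "path": "s3deploytestDefaultTestDeployAssert6BC61647.template.json",
 "packaging": "file"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-"objectKey": "2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json",
+"objectKey": "a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }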
