fix(rds): allow cluster from snapshot to enable encrypted storage (#19175)

relm923 · web-flow · commit bd4141d86461 · 2022-03-02T17:48:28.000Z
Closes #17241 Tested by: ```typescript // 1. Create original cluster with unencrypted storage new DatabaseCluster(stack, 'Database', { engine: DatabaseClusterEngine.AURORA, instanceProps: { vpc }, }); // 2. Take snapshot of cluster (mySnapshot) // 3. Create cluster from snapshot with encrypted storage new DatabaseClusterFromSnapshot(stack, 'Database', { engine: DatabaseClusterEngine.AURORA, instanceProps: { vpc }, snapshotIdentifier: 'mySnapshot', storageEncryptionKey: new kms.Key(stack, 'Key'), }); // 4. Verify new cluster has encrypted storage ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-rds/lib/cluster.ts b/packages/@aws-cdk/aws-rds/lib/cluster.ts
@@ -250,6 +250,21 @@ interface DatabaseClusterBaseProps {
    * @default false
    */
   readonly iamAuthentication?: boolean;
+
+  /**
+   * Whether to enable storage encryption.
+   *
+   * @default - true if storageEncryptionKey is provided, false otherwise
+   */
+  readonly storageEncrypted?: boolean
+
+  /**
+  * The KMS key for storage encryption.
+  * If specified, {@link storageEncrypted} will be set to `true`.
+  *
+  * @default - if storageEncrypted is true then the default master key, no key otherwise
+  */
+  readonly storageEncryptionKey?: kms.IKey;
 }
 
 /**
@@ -402,6 +417,9 @@ abstract class DatabaseClusterNew extends DatabaseClusterBase {
       preferredMaintenanceWindow: props.preferredMaintenanceWindow,
       databaseName: props.defaultDatabaseName,
       enableCloudwatchLogsExports: props.cloudwatchLogsExports,
+      // Encryption
+      kmsKeyId: props.storageEncryptionKey?.keyArn,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     };
   }
 }
@@ -479,21 +497,6 @@ export interface DatabaseClusterProps extends DatabaseClusterBaseProps {
    */
   readonly credentials?: Credentials;
 
-  /**
-   * Whether to enable storage encryption.
-   *
-   * @default - true if storageEncryptionKey is provided, false otherwise
-   */
-  readonly storageEncrypted?: boolean
-
-  /**
-   * The KMS key for storage encryption.
-   * If specified, {@link storageEncrypted} will be set to `true`.
-   *
-   * @default - if storageEncrypted is true then the default master key, no key otherwise
-   */
-  readonly storageEncryptionKey?: kms.IKey;
-
   /**
    * Whether to copy tags to the snapshot when a snapshot is created.
    *
@@ -550,9 +553,7 @@ export class DatabaseCluster extends DatabaseClusterNew {
       // Admin
       masterUsername: credentials.username,
       masterUserPassword: credentials.password?.toString(),
-      // Encryption
-      kmsKeyId: props.storageEncryptionKey?.keyArn,
-      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
+      // Tags
       copyTagsToSnapshot: props.copyTagsToSnapshot ?? true,
     });
 
diff --git a/packages/@aws-cdk/aws-rds/test/cluster.test.ts b/packages/@aws-cdk/aws-rds/test/cluster.test.ts
@@ -1974,6 +1974,27 @@ describe('cluster', () => {
     });
   });
 
+  test('create a cluster from a snapshot with encrypted storage', () => {
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    // WHEN
+    new DatabaseClusterFromSnapshot(stack, 'Database', {
+      engine: DatabaseClusterEngine.aurora({ version: AuroraEngineVersion.VER_1_22_2 }),
+      instanceProps: {
+        vpc,
+      },
+      snapshotIdentifier: 'mySnapshot',
+      storageEncryptionKey: kms.Key.fromKeyArn(stack, 'Key', 'arn:aws:kms:us-east-1:456:key/my-key'),
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::RDS::DBCluster', {
+      KmsKeyId: 'arn:aws:kms:us-east-1:456:key/my-key',
+      StorageEncrypted: true,
+    });
+  });
+
   test('reuse an existing subnet group', () => {
     // GIVEN
     const stack = testStack();
