feat(codepipeline-actions): add KMSEncryptionKeyARN for S3DeployAction (

#24536) Add KMSEncryptionKeyARN for S3DeployAction Closes #24535. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 18, 2023 · b60876f · b60876f
1 parent de8fb8f
commit b60876f
Show file tree

Hide file tree

Showing 10 changed files with 555 additions and 199 deletions.
diff --git a/...ions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json b/...ions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json
@@ -14,15 +14,15 @@
         }
       }
     },
-    "c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e": {
+    "0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9": {
       "source": {
         "path": "aws-cdk-codepipeline-s3-deploy.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json",
+          "objectKey": "0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...ns/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json b/...ns/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json
@@ -1,8 +1,59 @@
 {
  "Resources": {
+  "EnvVarEncryptKey1A7CABDB": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "Description": "sample key"
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
   "PipelineBucketB967BD35": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
+    "BucketEncryption": {
+     "ServerSideEncryptionConfiguration": [
+      {
+       "ServerSideEncryptionByDefault": {
+        "KMSMasterKeyID": {
+         "Fn::GetAtt": [
+          "EnvVarEncryptKey1A7CABDB",
+          "Arn"
+         ]
+        },
+        "SSEAlgorithm": "aws:kms"
+       }
+      }
+     ]
+    },
     "Tags": [
      {
       "Key": "aws-cdk:auto-delete-objects",
@@ -369,6 +420,22 @@
         }
        ]
       },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:DescribeKey",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "EnvVarEncryptKey1A7CABDB",
+         "Arn"
+        ]
+       }
+      },
       {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
@@ -462,7 +529,13 @@
          "Extract": "false",
          "ObjectKey": "key",
          "CannedACL": "private",
-         "CacheControl": "public, max-age=43200"
+         "CacheControl": "public, max-age=43200",
+         "KMSEncryptionKeyARN": {
+          "Fn::GetAtt": [
+           "EnvVarEncryptKey1A7CABDB",
+           "Arn"
+          ]
+         }
         },
         "InputArtifacts": [
          {
@@ -515,6 +588,15 @@
      }
     ],
     "ArtifactStore": {
+     "EncryptionKey": {
+      "Id": {
+       "Fn::GetAtt": [
+        "EnvVarEncryptKey1A7CABDB",
+        "Arn"
+       ]
+      },
+      "Type": "KMS"
+     },
      "Location": {
       "Ref": "PipelineBucketB967BD35"
      },
@@ -599,6 +681,22 @@
         }
        ]
       },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:DescribeKey",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "EnvVarEncryptKey1A7CABDB",
+         "Arn"
+        ]
+       }
+      },
       {
        "Action": [
         "s3:Abort*",
@@ -765,6 +863,22 @@
          ]
         }
        ]
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:DescribeKey",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:ReEncrypt*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "EnvVarEncryptKey1A7CABDB",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -877,6 +991,19 @@
          ]
         }
        ]
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:DescribeKey"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "EnvVarEncryptKey1A7CABDB",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -994,6 +1121,14 @@
   }
  },
  "Outputs": {
+  "ExportsOutputRefDeployBucket67E2C076D8DEC04D": {
+   "Value": {
+    "Ref": "DeployBucket67E2C076"
+   },
+   "Export": {
+    "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D"
+   }
+  },
   "ExportsOutputRefPipelineBucketB967BD35BAE6E881": {
    "Value": {
     "Ref": "PipelineBucketB967BD35"
@@ -1009,14 +1144,6 @@
    "Export": {
     "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefPipelineC660917DEB540586"
    }
-  },
-  "ExportsOutputRefDeployBucket67E2C076D8DEC04D": {
-   "Value": {
-    "Ref": "DeployBucket67E2C076"
-   },
-   "Export": {
-    "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D"
-   }
   }
  },
  "Parameters": {

diff --git a/...teg/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json b/...teg/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -33,6 +33,12 @@
         "aws-cdk-codepipeline-s3-deploy.assets"
       ],
       "metadata": {
+        "/aws-cdk-codepipeline-s3-deploy/EnvVarEncryptKey/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "EnvVarEncryptKey1A7CABDB"
+          }
+        ],
         "/aws-cdk-codepipeline-s3-deploy/PipelineBucket/Resource": [
           {
             "type": "aws:cdk:logicalId",
@@ -159,22 +165,22 @@
             "data": "PipelineDisabledDisabledDeployActionCodePipelineActionRoleDefaultPolicyB1AF629C"
           }
         ],
-        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [
+        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881"
+            "data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D"
           }
         ],
-        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [
+        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "ExportsOutputRefPipelineC660917DEB540586"
+            "data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881"
           }
         ],
-        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [
+        "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D"
+            "data": "ExportsOutputRefPipelineC660917DEB540586"
           }
         ],
         "/aws-cdk-codepipeline-s3-deploy/BootstrapVersion": [
@@ -208,7 +214,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -225,10 +231,10 @@
         "s3deploytestDefaultTestDeployAssert6BC61647.assets"
       ],
       "metadata": {
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/Default/Default": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/Default/Default": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallS3putObject"
+            "data": "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330"
           }
         ],
         "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction1488541a7b23466481b69b4408076b81/Role": [
@@ -243,40 +249,46 @@
             "data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/Default/Default": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/Default/Default": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d"
+          }
+        ],
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/Default/Default": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallCodePipelinegetPipelineState"
+            "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider/Invoke": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider/Invoke": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallCodePipelinegetPipelineStateWaitForIsCompleteProviderInvokeB83E9F2C"
+            "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForIsCompleteProviderInvoke821ABA06"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider/Invoke": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider/Invoke": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallCodePipelinegetPipelineStateWaitForTimeoutProviderInvoke96D2C126"
+            "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForTimeoutProviderInvoke2F043504"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Role": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Role": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47"
+            "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Resource": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78"
+            "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/AssertionResults": [
+        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/AssertionResults": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState"
+            "data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e"
           }
         ],
         "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction76b3e830a873425f8453eddd85c86925/Role": [
@@ -303,12 +315,6 @@
             "data": "SingletonFunction5c1898e096fb4e3e95d5f6c67f3ce41aHandlerADF3E6EA"
           }
         ],
-        "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/Default/Default": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "AwsApiCallS3getObject"
-          }
-        ],
         "/s3-deploy-test/DefaultTest/DeployAssert/BootstrapVersion": [
           {
             "type": "aws:cdk:logicalId",

diff --git a/...eg.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json b/...eg.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json
@@ -14,15 +14,15 @@
         }
       }
     },
-    "2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab": {
+    "a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75": {
       "source": {
         "path": "s3deploytestDefaultTestDeployAssert6BC61647.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json",
+          "objectKey": "a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }