feat(appconfig): support customer managed key for hosted configuration #34256

Open. Wants to merge 6 commits into base: main.
Conversation

@mazyu36 (Contributor) commented Apr 25, 2025

Issue # (if applicable)

N/A

Reason for this change

Missing property.

Description of changes

Add kmsKey property to AppConfig Hosted Configuration

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Add a unit test and an integ test.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Apr 25, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team April 25, 2025 12:55
@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Apr 25, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 25, 2025
@badmintoncryer (Contributor) left a comment:

Thank you for your contribution! I've added only a nit comment.

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Apr 25, 2025
@badmintoncryer (Contributor)

@mazyu36 I'm curious: is it unnecessary to set a key policy for the CMK?
In the documentation there is an introduction to resource policy settings with some role as the principal, but I couldn't understand what role it was.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_ID:role/role_name" // this
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]
}

Co-authored-by: Kazuho Cryer-Shinozuka <[email protected]>
@mazyu36 (Contributor Author) commented Apr 25, 2025

@badmintoncryer
In my understanding, for roles that use Hosted Configuration with CMK, it is necessary to grant permission for the CMK in the key policy.

Hosted Configuration itself does not have roles.
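One check a practitioner would want after reading this exchange: does the key policy actually let the role that reads, and the role that publishes, the hosted configuration use the CMK? The TypeScript below is an added example written for this page, not code from aws-cdk or from this PR. It assumes the two actions quoted above (kms:Decrypt and kms:GenerateDataKey) are what a caller needs, uses a constructed sample policy with an illustrative account ID and role names, and ignores IAM condition keys (for example kms:ViaService), so a "delegated" result means only that the decision lives in the account's identity policies rather than in the key policy itself.

```typescript
// Added example (not CDK or PR code): decide, from a KMS key policy alone,
// whether a given IAM role may use a CMK for AppConfig hosted configuration.
// Assumption: a caller needs kms:Decrypt to read and kms:GenerateDataKey to
// publish, matching the statement quoted in the review thread.

type Principal = "*" | { AWS: string | string[] };

type PolicyStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[]; // a key policy only ever applies to its own key, so Resource is not evaluated here
};

type KeyPolicy = { Version: string; Statement: PolicyStatement[] };

const REQUIRED_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"];

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM action patterns may contain "*" ("kms:*", "kms:Gen*") and match case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// "direct": the statement names the role (or everyone). "delegated": it names the
// role's account root, which only enables IAM identity policies in that account.
function principalKind(p: Principal, roleArn: string): "direct" | "delegated" | "none" {
  if (p === "*") return "direct";
  const account = roleArn.split(":")[4];
  for (const entry of asList(p.AWS)) {
    if (entry === roleArn || entry === "*") return "direct";
    if (entry === `arn:aws:iam::${account}:root` || entry === account) return "delegated";
  }
  return "none";
}

type KeyPolicyCheck = {
  allowed: string[];        // granted to the role directly by the key policy
  denied: string[];         // blocked by an explicit Deny, whatever else allows them
  delegatedToIam: string[]; // reachable only through the account-root statement
  missing: string[];        // no statement allows them at all
};

function checkKeyPolicy(policy: KeyPolicy, roleArn: string, required: string[] = REQUIRED_ACTIONS): KeyPolicyCheck {
  const result: KeyPolicyCheck = { allowed: [], denied: [], delegatedToIam: [], missing: [] };
  for (const action of required) {
    let direct = false;
    let delegated = false;
    let denied = false;
    for (const st of policy.Statement) {
      if (!asList(st.Action).some((a) => actionMatches(a, action))) continue;
      const kind = principalKind(st.Principal, roleArn);
      if (kind === "none") continue;
      if (st.Effect === "Deny") denied = true; // explicit Deny always wins
      else if (kind === "direct") direct = true;
      else delegated = true;
    }
    if (denied) result.denied.push(action);
    else if (direct) result.allowed.push(action);
    else if (delegated) result.delegatedToIam.push(action);
    else result.missing.push(action);
  }
  return result;
}

// Constructed sample policy; the account ID and role names are illustrative.
const SAMPLE_POLICY: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "Enable IAM policies", Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "kms:*", Resource: "*" },
    { Sid: "Allow use of the key", Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::111122223333:role/AppConfigReader" },
      Action: ["kms:Decrypt", "kms:GenerateDataKey"], Resource: "*" },
    { Sid: "Read-only clients never mint data keys", Effect: "Deny",
      Principal: { AWS: "arn:aws:iam::111122223333:role/ReadOnlyClient" },
      Action: "kms:GenerateDataKey", Resource: "*" },
  ],
};

for (const role of ["AppConfigReader", "ReadOnlyClient"]) {
  const arn = `arn:aws:iam::111122223333:role/${role}`;
  console.log(role, JSON.stringify(checkKeyPolicy(SAMPLE_POLICY, arn)));
}
```

Run it against the real key policy (aws kms get-key-policy) with the ARN of every role that calls AppConfig; anything that lands in "missing" or "denied" will fail at runtime no matter what the CDK construct does, and anything in "delegatedToIam" still needs a matching identity policy on that role.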

@@ -442,6 +449,7 @@ export class HostedConfiguration extends ConfigurationBase {
description: this.description,
type: this.type,
validators: this.validators,
kmsKeyIdentifier: props.kmsKey?.keyArn,
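Review bot: the new kmsKeyIdentifier: props.kmsKey?.keyArn line hands the CMK to the hosted configuration version, but nothing in this hunk grants kms:Decrypt or kms:GenerateDataKey on that key to the principals that will read or publish the configuration, which is the key-policy question raised above; since HostedConfiguration has no role of its own the construct cannot do this for callers, so the kmsKey doc comment and the README should state that the consuming roles must be allowed those actions via the key policy (or an identity policy plus a key policy that delegates to IAM), and a kmsKey.grantDecrypt(...) example in the README would make the requirement concrete. Dropping optional chaining on props is fine here, because props is a required constructor parameter.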
Contributor:

What if props is undefined?

Contributor Author (mazyu36):

The kmsKeyIdentifier is set to undefined.
In that case, the configuration is encrypted with the AWS managed key.

Contributor:

Do we need to do this instead: props?.kmsKey?.keyArn

Contributor Author (mazyu36):

I think this is not needed because props is required.

constructor(scope: Construct, id: string, props: HostedConfigurationProps) {

The other properties are the same.

this.content = props.content.content;

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 9, 2025
@QuantumNeuralCoder (Contributor) left a comment:

Minor comment added above

@aws-cdk-automation (Collaborator):

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@mergify mergify bot dismissed QuantumNeuralCoder’s stale review May 27, 2025 05:25

Pull request has been modified.

@aws-cdk-automation (Collaborator):

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with a failing linting check or build are not reviewed; please ensure your build is passing.

To prevent automatic closure:

  • Resume work on the PR
  • OR request an exemption by adding a comment containing 'Exemption Request' with justification, e.g. "Exemption Request: "
  • OR request clarification by adding a comment containing 'Clarification Request' with a question, e.g. "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

@mazyu36 (Contributor Author) commented May 31, 2025

Exemption Request: I'm waiting for the maintainer's response.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label May 31, 2025
@aws-cdk-automation (Collaborator):

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 8ec0760
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Labels: distinguished-contributor [Pilot] contributed 50+ PRs to the CDK; p2; pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

4 participants