

Update feature flag naming
GavinZZ committed Mar 14, 2024
1 parent 9c79ad7 commit 0cb1ba9
Showing 5 changed files with 20 additions and 20 deletions.
4 changes: 2 additions & 2 deletions packages/aws-cdk-lib/aws-kms/lib/key.ts
Expand Up @@ -263,7 +263,7 @@ abstract class KeyBase extends Resource implements IKey {
const bucketStack = Stack.of(this);
const identityStack = Stack.of(grantee.grantPrincipal);

if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) {
if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) {
// if two compared stacks have the same region, this should return 'false' since it's from the
// same region; if two stacks have different region, then compare env.region
return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region;
Expand All @@ -278,7 +278,7 @@ abstract class KeyBase extends Resource implements IKey {
const bucketStack = Stack.of(this);
const identityStack = Stack.of(grantee.grantPrincipal);

if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) {
if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) {
// if two compared stacks have the same region, this should return 'false' since it's from the
// same region; if two stacks have different region, then compare env.account
return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account;
4 changes: 2 additions & 2 deletions packages/aws-cdk-lib/aws-kms/test/key.test.ts
Expand Up @@ -83,7 +83,7 @@ describe('key policies', () => {
});

test('cross region key with iam role grant', () => {
const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: true } });
const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: true } });
const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } });
const key = kms.Key.fromKeyArn(
stack,
Expand Down Expand Up @@ -113,7 +113,7 @@ describe('key policies', () => {
});

test('cross region key with iam role grant when feature flag is disabled', () => {
const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: false } });
const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: false } });
const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } });
const key = kms.Key.fromKeyArn(
stack,
12 changes: 6 additions & 6 deletions packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
Expand Up @@ -66,7 +66,7 @@ Flags come in three types:
| [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) |
| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) |
| [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | V2NEXT | (default) |
| [@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy](#aws-cdkaws-kmscrossaccountregionkmskeypolicy) | When enabled, KMS key grant should create policy with only one resource. | V2NEXT | (fix) |
| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | V2NEXT | (fix) |

<!-- END table -->

Expand Down Expand Up @@ -124,7 +124,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
"@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
"@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
"@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
"@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true
"@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true
}
}
```
Expand Down Expand Up @@ -1251,12 +1251,12 @@ construct, the construct automatically defaults the value of this property to `P
**Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior.


### @aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy
### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope

*When enabled, KMS key grant should create policy with only one resource.* (fix)
*When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix)

When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
granting KMS key instead of a * resource property.
When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
'*' to this specific granting KMS key.


| Since | Default | Recommended |
10 changes: 5 additions & 5 deletions packages/aws-cdk-lib/cx-api/README.md
Expand Up @@ -293,19 +293,19 @@ _cdk.json_
}
```

* `@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy`
* `@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope`

Enables KMS key grant to correctly set 'Resoruce' property of IAM policy to the key itself.
Reduce resource scope of the IAM Policy created from KMS key grant to granting key only.

When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
granting KMS key instead of a * resource property.
When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
'*' to this specific granting KMS key.

_cdk.json_

```json
{
"context": {
"@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true
"@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true
}
}
```
10 changes: 5 additions & 5 deletions packages/aws-cdk-lib/cx-api/lib/features.ts
Expand Up @@ -100,7 +100,7 @@ export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepi
export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction';
export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse';
export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2';
export const KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY = '@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy';
export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope';

export const FLAGS: Record<string, FlagInfo> = {
//////////////////////////////////////////////////////////////////////
Expand Down Expand Up @@ -1024,12 +1024,12 @@ export const FLAGS: Record<string, FlagInfo> = {
},

//////////////////////////////////////////////////////////////////////
[KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: {
[KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: {
type: FlagType.BugFix,
summary: 'When enabled, KMS key grant should create policy with only one resource.',
summary: 'When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.',
detailsMd: `
When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
granting KMS key instead of a * resource property.
When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
'*' to this specific granting KMS key.
`,
introducedIn: { v2: 'V2NEXT' },
recommendedValue: true,
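Review bot: The rewritten `summary:` and `detailsMd` text for KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE still does not say when the narrowed resource applies, and "When this feature flag is enabled and calling KMS key grant method" has a dangling clause. In key.ts the flag is consulted only inside the cross-region and cross-account comparison helpers, so the narrowing presumably takes effect for grants whose grantee is in another account or region, and the test file shows the disabled case is a distinct code path, which means apps that never set the flag keep the wildcard statement even though `recommendedValue: true` is declared here. I would make detailsMd read: `When this feature flag is enabled, the IAM policy statement produced by a KMS key grant for a grantee in another account or region is scoped to this key's ARN instead of '*'. Existing apps that leave the flag unset keep the previous wildcard resource.` The FLAGS entry continues past the hunk, so the defaults block is not visible here.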
