Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(efs): cannot use encryption key imported from another account #11524

Merged
merged 5 commits into from
Nov 17, 2020
Merged

fix(efs): cannot use encryption key imported from another account #11524

merged 5 commits into from
Nov 17, 2020

Conversation

shivlaks
Copy link
Contributor

the keyId property supports using the ARN or the key ID.
this change uses the ARN as it's more robust and allows usage of
a key which is cross-account.

It currently fails as the ID is looked up within the same account
and not found.

Closes #7641

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@shivlaks
revert: "feat(stepfunctions-tasks): support overriding all properties…
11a70dd 
… of CodeBuild StartBuild integration (#10356)"

This reverts commit 58efbad.
@shivlaks
Merge branch 'master' of https://github.com/aws/aws-cdk
2bfed96
@shivlaks
Merge branch 'master' of https://github.com/aws/aws-cdk
343e5ed
@shivlaks
fix(efs): cannot use encryption key imported from another account
b7dcd18 
the `keyId` property supports using the ARN or the key ID.
this change uses the ARN as it's more robust and allows usage of
a key which is cross-account.

It currently fails as the ID is looked up within the same account
and not found.

Closes #7641
@shivlaks shivlaks added the @aws-cdk/aws-efs Related to Amazon Elastic File System label Nov 17, 2020
@shivlaks shivlaks requested a review from a team November 17, 2020 19:14
@shivlaks shivlaks self-assigned this Nov 17, 2020
@gitpod-io
Copy link

gitpod-io bot commented Nov 17, 2020
edited
Loading

@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 17, 2020
@mergify
Copy link
Contributor

mergify bot commented Nov 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 328d19b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Nov 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 3578d84 into master Nov 17, 2020
@mergify mergify bot deleted the shivlaks/efs-key-fix branch November 17, 2020 23:18
@ddneilson
Copy link
Contributor

@shivlaks @NetaNir
This was a breaking change that was not marked as one.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html#cfn-efs-filesystem-kmskeyid

"Update requires: Replacement"

Anyone doing a redeploy of a pre-1.75.0 EFS will lose any data that they have in the filesystem.

@shivlaks shivlaks mentioned this pull request Nov 27, 2020
Merged
mergify bot pushed a commit that referenced this pull request Nov 27, 2020
@shivlaks
chore: CHANGELOG is missing a breaking change entry for efs (#11745)
2f9e72d 
The change made in #11524 which switched from using the `keyId` to `keyArn` 
is a BREAKING change as an update requires replacement:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html#cfn-efs-filesystem-kmskeyid

The `efs` module is experimental and this was a capability that needed to be fixed ahead
of moving to developer preview. It was missed that an update to the keyId replaces the 
filesystem. Amending the CHANGELOG to indicate that the filesystem will be replaced.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NetaNir NetaNir NetaNir approved these changes

Assignees

@shivlaks shivlaks

Labels
@aws-cdk/aws-efs Related to Amazon Elastic File System contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

EFS : kmsKey issue when using CMK from another account
4 participants
@shivlaks @aws-cdk-automation @ddneilson @NetaNir