feat(pipeline): allow enabling KMS key rotation for cross-region Stacks

packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json

@@ -792,4 +792,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json

@@ -1622,4 +1622,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json

@@ -788,4 +788,4 @@
       ]
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json

@@ -393,4 +393,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json

@@ -731,4 +731,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json

@@ -815,4 +815,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json

@@ -545,4 +545,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json

@@ -842,4 +842,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.expected.json

@@ -540,4 +540,4 @@
       "DeletionPolicy": "Retain"
     }
   }
-}
+}

packages/@aws-cdk/aws-codepipeline/README.md

@@ -45,6 +45,17 @@ const pipeline = new codepipeline.Pipeline(this, 'MyFirstPipeline', {
 });
 ```
 
+If you want to enable key rotation for the generated KMS keys,
+you can configure it by passing `enableKeyRotation: true` when creating the pipeline.
+Note that key rotation will incur an additional cost of **$1/month**.
+
+```ts
+const pipeline = new codepipeline.Pipeline(this, 'MyFirstPipeline', {
+  // ...
+  enableKeyRotation: true,
+});
+```
+
 ## Stages
 
 You can provide Stages when creating the Pipeline:

packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts

@@ -111,7 +111,7 @@ export interface PipelineProps {
   readonly stages?: StageProps[];
 
   /**
-   * Create KMS keys for cross-account deployments
+   * Create KMS keys for cross-account deployments.
    *
    * This controls whether the pipeline is enabled for cross-account deployments.
    *
@@ -126,6 +126,16 @@ export interface PipelineProps {
    * @default true
    */
   readonly crossAccountKeys?: boolean;
+
+  /**
+   * Enable KMS key rotation for the generated KMS keys.
+   *
+   * By default KMS key rotation is disabled, but will add an additional $1/month
+   * for each year the key exists when enabled.
+   *
+   * @default - false (key rotation is disabled)
+   */
+  readonly enableKeyRotation?: boolean;
 }
 
 abstract class PipelineBase extends Resource implements IPipeline {
@@ -317,6 +327,7 @@ export class Pipeline extends PipelineBase {
   private readonly _crossRegionSupport: { [region: string]: CrossRegionSupport } = {};
   private readonly _crossAccountSupport: { [account: string]: Stack } = {};
   private readonly crossAccountKeys: boolean;
+  private readonly enableKeyRotation?: boolean;
 
   constructor(scope: Construct, id: string, props: PipelineProps = {}) {
     super(scope, id, {
@@ -330,9 +341,14 @@ export class Pipeline extends PipelineBase {
       throw new Error('Only one of artifactBucket and crossRegionReplicationBuckets can be specified!');
     }
 
-
     // @deprecated(v2): switch to default false
     this.crossAccountKeys = props.crossAccountKeys ?? true;
+    this.enableKeyRotation = props.enableKeyRotation;
+
+    // Cross account keys must be set for key rotation to be enabled
+    if (this.enableKeyRotation && !this.crossAccountKeys) {
+      throw new Error("Setting 'enableKeyRotation' to true also requires 'crossAccountKeys' to be enabled");
+    }
 
     // If a bucket has been provided, use it - otherwise, create a bucket.
     let propsBucket = this.getArtifactBucketFromProps(props);
@@ -345,6 +361,7 @@ export class Pipeline extends PipelineBase {
           // remove the key - there is a grace period of a few days before it's gone for good,
           // that should be enough for any emergency access to the bucket artifacts
           removalPolicy: RemovalPolicy.DESTROY,
+          enableKeyRotation: this.enableKeyRotation,
         });
         // add an alias to make finding the key in the console easier
         new kms.Alias(this, 'ArtifactsBucketEncryptionKeyAlias', {
@@ -573,8 +590,7 @@ export class Pipeline extends PipelineBase {
     return crossRegionSupport;
   }
 
-  private createSupportResourcesForRegion(otherStack: Stack | undefined, actionRegion: string):
-  CrossRegionSupport {
+  private createSupportResourcesForRegion(otherStack: Stack | undefined, actionRegion: string): CrossRegionSupport {
     // if we have a stack from the resource passed - use that!
     if (otherStack) {
       // check if the stack doesn't have this magic construct already
@@ -583,6 +599,7 @@ export class Pipeline extends PipelineBase {
       if (!crossRegionSupportConstruct) {
         crossRegionSupportConstruct = new CrossRegionSupportConstruct(otherStack, id, {
           createKmsKey: this.crossAccountKeys,
+          enableKeyRotation: this.enableKeyRotation,
         });
       }
 
@@ -609,6 +626,7 @@ export class Pipeline extends PipelineBase {
         account: pipelineAccount,
         synthesizer: this.getCrossRegionSupportSynthesizer(),
         createKmsKey: this.crossAccountKeys,
+        enableKeyRotation: this.enableKeyRotation,
       });
     }
 

packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts

@@ -44,6 +44,13 @@ export interface CrossRegionSupportConstructProps {
    * @default true
    */
   readonly createKmsKey?: boolean;
+
+  /**
+   * Enables KMS key rotation for cross-account keys.
+   *
+   * @default - false (key rotation is disabled)
+   */
+  readonly enableKeyRotation?: boolean;
 }
 
 export class CrossRegionSupportConstruct extends Construct {
@@ -58,6 +65,7 @@ export class CrossRegionSupportConstruct extends Construct {
     if (createKmsKey) {
       const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey', {
         removalPolicy: cdk.RemovalPolicy.DESTROY,
+        enableKeyRotation: props.enableKeyRotation,
       });
       encryptionAlias = new AliasWithShorterGeneratedName(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
         targetKey: encryptionKey,
@@ -106,6 +114,13 @@ export interface CrossRegionSupportStackProps {
    * @default true
    */
   readonly createKmsKey?: boolean;
+
+  /**
+   * Enables KMS key rotation for cross-account keys.
+   *
+   * @default - false (key rotation is disabled)
+   */
+  readonly enableKeyRotation?: boolean;
 }
 
 /**
@@ -130,6 +145,7 @@ export class CrossRegionSupportStack extends cdk.Stack {
 
     const crossRegionSupportConstruct = new CrossRegionSupportConstruct(this, 'Default', {
       createKmsKey: props.createKmsKey,
+      enableKeyRotation: props.enableKeyRotation,
     });
     this.replicationBucket = crossRegionSupportConstruct.replicationBucket;
   }

packages/@aws-cdk/aws-codepipeline/test/pipeline.test.ts

@@ -389,6 +389,41 @@ describe('', () => {
 
 
       });
+
+      test('does not allow enabling key rotation if cross account keys have been disabled', () => {
+        const app = new cdk.App();
+        const stack = new cdk.Stack(app, 'PipelineStack');
+
+        expect(() => {
+          new codepipeline.Pipeline(stack, 'Pipeline', {
+            crossAccountKeys: false,
+            enableKeyRotation: true,
+          });
+        }).toThrow("Setting 'enableKeyRotation' to true also requires 'crossAccountKeys' to be enabled");
+      });
+
+      test("enabling key rotation sets 'EnableKeyRotation' to 'true' in the main generated KMS key", () => {
+        const app = new cdk.App();
+        const stack = new cdk.Stack(app, 'PipelineStack');
+        const sourceOutput = new codepipeline.Artifact();
+        new codepipeline.Pipeline(stack, 'Pipeline', {
+          enableKeyRotation: true,
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+            },
+            {
+              stageName: 'Build',
+              actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+            },
+          ],
+        });
+
+        expect(stack).toHaveResourceLike('AWS::KMS::Key', {
+          'EnableKeyRotation': true,
+        });
+      });
     });
   });
 });

packages/@aws-cdk/pipelines/lib/legacy/pipeline.ts

@@ -87,6 +87,19 @@ export interface CdkPipelineProps {
   readonly crossAccountKeys?: boolean;
   // @deprecated(v2): switch to default false
 
+
+  /**
+   * Enables KMS key rotation for cross-account keys.
+   *
+   * Cannot be set if `crossAccountKeys` was set to `false`.
+   *
+   * Key rotation costs $1/month when enabled.
+   *
+   * @default - false (key rotation is disabled)
+   */
+  readonly enableKeyRotation?: boolean;
+
+
   /**
    * CDK CLI version to use in pipeline
    *
@@ -221,12 +234,16 @@ export class CdkPipeline extends CoreConstruct {
       if (props.crossAccountKeys !== undefined) {
         throw new Error('Cannot set \'crossAccountKeys\' if an existing CodePipeline is given using \'codePipeline\'');
       }
+      if (props.enableKeyRotation !== undefined) {
+        throw new Error('Cannot set \'enableKeyRotation\' if an existing CodePipeline is given using \'codePipeline\'');
+      }
 
       this._pipeline = props.codePipeline;
     } else {
       this._pipeline = new codepipeline.Pipeline(this, 'Pipeline', {
         pipelineName: props.pipelineName,
         crossAccountKeys: props.crossAccountKeys,
+        enableKeyRotation: props.enableKeyRotation,
         restartExecutionOnUpdate: true,
       });
     }

packages/@aws-cdk/pipelines/test/codepipeline/codepipeline-existing.test.ts

@@ -0,0 +1,45 @@
+import * as codePipeline from '@aws-cdk/aws-codepipeline';
+import * as cdk from '@aws-cdk/core';
+import * as cdkp from '../../lib';
+
+test('Does not allow setting a pipelineName if an existing CodePipeline is given', () => {
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'PipelineStack');
+  const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline');
+
+  expect(() => {
+    new cdkp.CdkPipeline(stack, 'CDKPipeline', {
+      pipelineName: 'CustomPipelineName',
+      codePipeline: existingCodePipeline,
+      cloudAssemblyArtifact: new codePipeline.Artifact(),
+    });
+  }).toThrow("Cannot set 'pipelineName' if an existing CodePipeline is given using 'codePipeline'");
+});
+
+test('Does not allow enabling crossAccountKeys if an existing CodePipeline is given', () => {
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'PipelineStack');
+  const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline');
+
+  expect(() => {
+    new cdkp.CdkPipeline(stack, 'CDKPipeline', {
+      crossAccountKeys: true,
+      codePipeline: existingCodePipeline,
+      cloudAssemblyArtifact: new codePipeline.Artifact(),
+    });
+  }).toThrow("Cannot set 'crossAccountKeys' if an existing CodePipeline is given using 'codePipeline'");
+});
+
+test('Does not allow enabling key rotation if an existing CodePipeline is given', () => {
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'PipelineStack');
+  const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline');
+
+  expect(() => {
+    new cdkp.CdkPipeline(stack, 'CDKPipeline', {
+      enableKeyRotation: true,
+      codePipeline: existingCodePipeline,
+      cloudAssemblyArtifact: new codePipeline.Artifact(),
+    });
+  }).toThrow("Cannot set 'enableKeyRotation' if an existing CodePipeline is given using 'codePipeline'");
+});