feat(stepfunctions): add support for EncryptionConfiguration #30959

Merged: 47 commits merged on Sep 20, 2024. The diff below shows changes from the first 21 commits.

Commits (47):
3e29f48
Basic implementation for EncryptionConfiguration
Jul 15, 2024
4d63917
Merge branch 'aws:main' into main
VaidSaraswat Jul 18, 2024
f9b5d7a
Merge branch 'aws:main' into main
VaidSaraswat Jul 26, 2024
971290d
Adding support for KMS in StateMachine and Activity resources
Aug 1, 2024
a44a3e0
Update packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
VaidSaraswat Aug 8, 2024
ec8865a
Update packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
VaidSaraswat Aug 8, 2024
c1d25e9
Update packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
VaidSaraswat Aug 8, 2024
61b69e1
Addressing second round of feedback
Aug 9, 2024
25521c4
Removed redundant optional chaining and created encryptionConfiguratio…
Aug 9, 2024
2373d5a
Adding integrations key policy & non-null assertion for kms key in util
Aug 9, 2024
8d605fe
Removing condition from KMS key policy for CWL encryption
Aug 11, 2024
b2dc0e9
Updating CWL encryption example to provide KMS key as prop
Aug 11, 2024
89a56ce
Adding back encryption context and updating CWL Log Group to use sepa…
Aug 12, 2024
5ab6f60
Adding ActivityProps type as accepted type for constructEncryptionCon…
Aug 13, 2024
ce62bb7
Update packages/aws-cdk-lib/aws-stepfunctions/lib/activity.ts
VaidSaraswat Aug 14, 2024
e57602a
Update packages/aws-cdk-lib/aws-stepfunctions/lib/util.ts
VaidSaraswat Aug 14, 2024
20bf8e5
Update packages/aws-cdk-lib/aws-stepfunctions/lib/util.ts
VaidSaraswat Aug 14, 2024
94a1783
Addressing third round of feedback
Aug 16, 2024
7f52d32
Adding assertions to snapshot tests
Aug 16, 2024
de3bbc4
Merge branch 'main' into feat-encryption-configuration
shivlaks Aug 17, 2024
d668d9b
LogGroup key uses narrower permissions in key policy && updating snap…
Aug 20, 2024
6042f32
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 22, 2024
db31000
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 22, 2024
1099973
- Add back unit tests for validating encryption configuration
Aug 26, 2024
1c3a816
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 27, 2024
d6d5f0c
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 27, 2024
aca062a
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 27, 2024
e8c2808
Update packages/aws-cdk-lib/aws-stepfunctions/lib/activity.ts
VaidSaraswat Aug 27, 2024
e39dc89
- Updating README to include ts and fixed indentation
Aug 27, 2024
57483ac
Adding dependency imports for README examples
Aug 27, 2024
2aca3aa
- Fix indentation in code sample for README
Aug 27, 2024
8b3a07e
Rename aws-cdk-lib/kms to 'aws-cdk-lib/aws-kms'
Aug 28, 2024
b25b069
Removing unnecessary kms:Decrypt permissions for execution role when …
Aug 28, 2024
2868c02
Update packages/aws-cdk-lib/aws-stepfunctions/lib/util.ts
VaidSaraswat Aug 28, 2024
581739d
- Use stronger assertion Match.objectEquals
Aug 28, 2024
0a5b065
Removing unnecessary KMS:Decrypt permissions on Activity key for Send…
Aug 28, 2024
43d3dad
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Aug 29, 2024
b0b5674
- Use new EncryptionConfiguration object for customers who want to us…
Aug 30, 2024
fedf070
Adding missing comma
Aug 30, 2024
4c062d8
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Sep 2, 2024
f5f2396
Update packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
VaidSaraswat Sep 2, 2024
130cd1f
- Created new abstract EncryptionConfiguration class which CustomerMa…
Sep 4, 2024
1ebeafe
Merge branch 'main' into feat-encryption-configuration
paulhcsun Sep 4, 2024
3d44c34
- Added new lines to files that didn't have them
Sep 6, 2024
74cd4fb
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Sep 19, 2024
339aa82
Update packages/aws-cdk-lib/aws-stepfunctions/README.md
VaidSaraswat Sep 19, 2024
17641e4
Merge branch 'main' into feat-encryption-configuration
paulhcsun Sep 20, 2024
@@ -0,0 +1,235 @@
{
"Resources": {
"Key961B73FD": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Statement": [
{
"Action": "kms:*",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:states:stateMachineArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":states:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stateMachine/StateMachineWithCMKEncryptionConfiguration"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
},
"Resource": "*"
},
{
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:states:activityArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":states:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":activity/ActivityWithCMKEncryptionConfiguration"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
},
"Resource": "*"
}
],
"Version": "2012-10-17"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"StateMachineWithCMKEncryptionConfigurationRoleA49EBB18": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"StateMachineWithCMKEncryptionConfigurationRoleDefaultPolicy55B46C35": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Key961B73FD",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "StateMachineWithCMKEncryptionConfigurationRoleDefaultPolicy55B46C35",
"Roles": [
{
"Ref": "StateMachineWithCMKEncryptionConfigurationRoleA49EBB18"
}
]
}
},
"StateMachineWithCMKEncryptionConfiguration10773462": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": "{\"StartAt\":\"Pass\",\"States\":{\"Pass\":{\"Type\":\"Pass\",\"End\":true}}}",
"EncryptionConfiguration": {
"KmsDataKeyReusePeriodSeconds": 75,
"KmsKeyId": {
"Fn::GetAtt": [
"Key961B73FD",
"Arn"
]
},
"Type": "CUSTOMER_MANAGED_KMS_KEY"
},
"RoleArn": {
"Fn::GetAtt": [
"StateMachineWithCMKEncryptionConfigurationRoleA49EBB18",
"Arn"
]
},
"StateMachineName": "StateMachineWithCMKEncryptionConfiguration",
"StateMachineType": "STANDARD"
},
"DependsOn": [
"StateMachineWithCMKEncryptionConfigurationRoleDefaultPolicy55B46C35",
"StateMachineWithCMKEncryptionConfigurationRoleA49EBB18"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ActivityWithCMKEncryptionConfiguration3D01813A": {
"Type": "AWS::StepFunctions::Activity",
"Properties": {
"EncryptionConfiguration": {
"KmsDataKeyReusePeriodSeconds": 75,
"KmsKeyId": {
"Fn::GetAtt": [
"Key961B73FD",
"Arn"
]
},
"Type": "CUSTOMER_MANAGED_KMS_KEY"
},
"Name": "ActivityWithCMKEncryptionConfiguration"
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
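Review bot: the execution role's default policy (StateMachineWithCMKEncryptionConfigurationRoleDefaultPolicy55B46C35) grants `kms:Decrypt` and `kms:GenerateDataKey` on the key ARN with no condition, while the two `states.amazonaws.com` statements in the key policy are scoped by `kms:EncryptionContext:aws:states:stateMachineArn` and `kms:EncryptionContext:aws:states:activityArn`. The later commit message "Removing unnecessary kms:Decrypt permissions for execution role when …" suggests `kms:Decrypt` is not needed on the role in this case, so this snapshot should either drop it from the role statement or carry the same encryption-context condition so the two grants stay aligned; if the broader role grant is intentional, a comment in the integ test explaining why would help reviewers. Also worth checking is that the ARNs hard-coded in the key policy conditions (`:stateMachine/StateMachineWithCMKEncryptionConfiguration`, `:activity/ActivityWithCMKEncryptionConfiguration`) are derived from the same `StateMachineName` and `Name` properties used on the resources below rather than typed separately, since a mismatch would not fail at deploy time but would make the service's KMS calls fail at run time.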