From 5b663ca17713bdaf3f27aa568a6c4242ef2ceb61 Mon Sep 17 00:00:00 2001
From: Daniel Neilson <53624638+ddneilson@users.noreply.github.com>
Date: Fri, 9 Oct 2020 10:37:40 -0500
Subject: [PATCH] fix(core): Remove encryption on lifecycle SNS Topic (#163)
Fixes: #162
---
 .../aws-rfdk/lib/core/lib/staticip-server.ts | 13 -----
 .../lib/core/test/staticip-server.test.ts | 54 -------------------
 2 files changed, 67 deletions(-)
diff --git a/packages/aws-rfdk/lib/core/lib/staticip-server.ts b/packages/aws-rfdk/lib/core/lib/staticip-server.ts
index b3a5dfc08..32fe70722 100644
--- a/packages/aws-rfdk/lib/core/lib/staticip-server.ts
+++ b/packages/aws-rfdk/lib/core/lib/staticip-server.ts
@@ -32,7 +32,6 @@ import {
 Role,
 ServicePrincipal,
 } from '@aws-cdk/aws-iam';
-import {Key} from '@aws-cdk/aws-kms';
 import {
 Code,
 Function as LambdaFunction,
@@ -52,7 +51,6 @@ import {
 Construct,
 Duration,
 Lazy,
- RemovalPolicy,
 Stack,
 Tags,
 } from '@aws-cdk/core';
@@ -403,21 +401,10 @@ export class StaticPrivateIpServer extends Construct implements IConnectable, IG
 assumedBy: new ServicePrincipal('autoscaling.amazonaws.com'),
 });
- const notificationTopicEncryptKeyUniqueId = 'SNSEncryptionKey' + this.removeHyphens('255e9e52-ad03-4ddf-8ff8-274bc10d63d1');
- const notificationTopicEncryptKey = new Key(stack, notificationTopicEncryptKeyUniqueId, {
- description: `This key is used to encrypt SNS messages for ${notificationTopicUniqueId}.`,
- enableKeyRotation: true,
- removalPolicy: RemovalPolicy.DESTROY,
- trustAccountIdentities: true,
- });
 notificationTopic = new Topic(stack, notificationTopicUniqueId, {
 displayName: `For RFDK instance-launch notifications for stack '${stack.stackName}'`,
- masterKey: notificationTopicEncryptKey,
 });
- notificationTopicEncryptKey.grant(notificationRole, 'kms:Decrypt', 'kms:GenerateDataKey'); - notificationTopic.addSubscription(new LambdaSubscription(lambdaHandler));
 notificationTopic.grantPublish(notificationRole);
 } else {
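Review bot: In the third hunk the `new Topic(stack, notificationTopicUniqueId, {...})` call now has no `masterKey`, so lifecycle notifications on this topic are stored unencrypted, and neither the code nor the commit message says why the customer-managed key had to be dropped or whether a less drastic option was considered. A comment above the construction would stop a later maintainer from silently re-adding the key and re-hitting #162, e.g. `// No masterKey on purpose: a customer-managed KMS key on this topic broke lifecycle notifications (see #162).`. If the problem in #162 is specific to customer-managed keys, the AWS-managed SNS key (`alias/aws/sns`) may be worth evaluating as a middle ground, but whether it avoids the same failure cannot be judged from the hunk. The enclosing method starts and ends outside the hunk.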
diff --git a/packages/aws-rfdk/lib/core/test/staticip-server.test.ts b/packages/aws-rfdk/lib/core/test/staticip-server.test.ts
index 701aebc7a..8fe615b27 100644
--- a/packages/aws-rfdk/lib/core/test/staticip-server.test.ts
+++ b/packages/aws-rfdk/lib/core/test/staticip-server.test.ts
@@ -8,7 +8,6 @@ import {
 countResources,
 countResourcesLike,
 expect as cdkExpect,
- expect as expectCDK,
 haveResourceLike,
 objectLike,
 ResourcePart,
@@ -93,48 +92,8 @@ describe('Test StaticIpServer', () => {
 Description: 'Created by RFDK StaticPrivateIpServer to process instance launch lifecycle events in stack \'StackName\'. This lambda attaches an ENI to newly launched instances.',
 }));
- expectCDK(stack).to(haveResourceLike('AWS::KMS::Key', {
- UpdateReplacePolicy: 'Delete',
- DeletionPolicy: 'Delete',
- }, ResourcePart.CompleteDefinition));
- expectCDK(stack).to(haveResourceLike('AWS::KMS::Key', {
- KeyPolicy: {
- Statement: [
- {
- Action: 'kms:*',
- Effect: 'Allow',
- Principal: {
- AWS: {
- 'Fn::Join': [
- '',
- [
- 'arn:',
- {
- Ref: 'AWS::Partition',
- },
- ':iam::',
- {
- Ref: 'AWS::AccountId',
- },
- ':root',
- ],
- ],
- },
- },
- Resource: '*',
- },
- ],
- },
- EnableKeyRotation: true,
- }));
 cdkExpect(stack).to(haveResourceLike('AWS::SNS::Topic', {
 DisplayName: 'For RFDK instance-launch notifications for stack \'StackName\'',
- KmsMasterKeyId: {
- 'Fn::GetAtt': [
- 'SNSEncryptionKey255e9e52ad034ddf8ff8274bc10d63d1EDF79FFE',
- 'Arn',
- ],
- },
 }));
 cdkExpect(stack).to(haveResourceLike('AWS::SNS::Subscription', {
@@ -214,19 +173,6 @@ describe('Test StaticIpServer', () => {
 cdkExpect(stack).to(countResourcesLike('AWS::IAM::Policy', 1, {
 PolicyDocument: {
 Statement: [
- {
- Action: [
- 'kms:Decrypt',
- 'kms:GenerateDataKey',
- ],
- Effect: 'Allow',
- Resource: {
- 'Fn::GetAtt': [
- 'SNSEncryptionKey255e9e52ad034ddf8ff8274bc10d63d1EDF79FFE',
- 'Arn',
- ],
- },
- },
 {
 Action: 'sns:Publish',
 Effect: 'Allow',
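Review bot: The second hunk deletes every assertion about the KMS key and the topic's `KmsMasterKeyId` without replacing them, so the suite no longer pins the intended new state and a key could be reintroduced later (bringing back whatever #162 describes) without any test moving. A negative assertion beside the surviving `AWS::SNS::Topic` check would make the removal deliberate, e.g. `cdkExpect(stack).to(countResources('AWS::KMS::Key', 0));`; `countResources` is already imported at the top of this file. The same gap exists in the third hunk, where the remaining `AWS::IAM::Policy` check could also confirm that no `kms:` action survives in the role's statements. Both hunks sit inside the `describe('Test StaticIpServer', ...)` callback, which starts and ends outside the hunks.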