fix(redshift): cluster uses key ARN instead of key ID (aws#17108)

Field was incorrectly using key arn instead of id. Fixes aws#17032 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO · Feb 21, 2022 · f4dd4fc · f4dd4fc
1 parent 1b10021
commit f4dd4fc
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-redshift/lib/cluster.ts b/packages/@aws-cdk/aws-redshift/lib/cluster.ts
@@ -483,7 +483,7 @@ export class Cluster extends ClusterBase {
  dbName: props.defaultDatabaseName || 'default_db',
  publiclyAccessible: props.publiclyAccessible || false,
  // Encryption
- kmsKeyId: props.encryptionKey && props.encryptionKey.keyArn,
+ kmsKeyId: props.encryptionKey?.keyId,
  encrypted: props.encrypted ?? true,
  });
 

diff --git a/packages/@aws-cdk/aws-redshift/test/cluster.test.ts b/packages/@aws-cdk/aws-redshift/test/cluster.test.ts
@@ -249,10 +249,7 @@ test('create an encrypted cluster with custom KMS key', () => {
  // THEN
  Template.fromStack(stack).hasResourceProperties('AWS::Redshift::Cluster', {
  KmsKeyId: {
- 'Fn::GetAtt': [
- 'Key961B73FD',
- 'Arn',
- ],
+ Ref: 'Key961B73FD',
  },
  });
 });

diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json
@@ -580,6 +580,41 @@
  "UpdateReplacePolicy": "Delete",
  "DeletionPolicy": "Delete"
  },
+ "customkmskey377C6F9A": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "KeyPolicy": {
+ "Statement": [
+ {
+ "Action": "kms:*",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":root"
+ ]
+ ]
+ }
+ },
+ "Resource": "*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "UpdateReplacePolicy": "Delete",
+ "DeletionPolicy": "Delete"
+ },
  "ClusterSubnetsDCFA5CB7": {
  "Type": "AWS::Redshift::ClusterSubnetGroup",
  "Properties": {
@@ -680,6 +715,9 @@
  "Ref": "ClusterSubnetsDCFA5CB7"
  },
  "Encrypted": true,
+ "KmsKeyId": {
+ "Ref": "customkmskey377C6F9A"
+ },
  "NumberOfNodes": 2,
  "PubliclyAccessible": true,
  "VpcSecurityGroupIds": [

diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.ts b/packages/@aws-cdk/aws-redshift/test/integ.database.ts
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 /// !cdk-integ pragma:ignore-assets
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as kms from '@aws-cdk/aws-kms';
 import * as cdk from '@aws-cdk/core';
 import * as constructs from 'constructs';
 import * as redshift from '../lib';
@@ -28,6 +29,7 @@ const cluster = new redshift.Cluster(stack, 'Cluster', {
  },
  defaultDatabaseName: databaseName,
  publiclyAccessible: true,
+ encryptionKey: new kms.Key(stack, 'custom-kms-key'),
 });
 
 const databaseOptions = {