fix(bootstrap): no longer creates KMS master key by default (#10365)

The modern bootstrap stack used to unconditionally create a KMS Customer
Master Key (CMK) for users. This incurs a $1/month charge for every user
of the CDK for every region and account they want to deploy in, which is
not acceptable if we're going to make this the default bootstrapping
experience in the future.

This PR switches off the creation of the CMK by default for new
bootstrap stacks. Bootstrap stacks that already exist can remove the
existing CMK by running:

```
cdk bootstrap --bootstrap-customer-key=false [aws://...]
```

This change is backwards compatible: updates to existing (modern)
bootstrap stacks will leave the current KMS key in place. To achieve
this, the new default is encoded into the CLI, not into the template.

Fixes #10115.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/aws-cdk/bin/cdk.ts

@@ -69,7 +69,8 @@ async function parseCommandLineArguments() {
       .option('exclusively', { type: 'boolean', alias: 'e', desc: 'Only synthesize requested stacks, don\'t include dependencies' }))
     .command('bootstrap [ENVIRONMENTS..]', 'Deploys the CDK toolkit stack into an AWS environment', yargs => yargs
       .option('bootstrap-bucket-name', { type: 'string', alias: ['b', 'toolkit-bucket-name'], desc: 'The name of the CDK toolkit bucket; bucket will be created and must not exist', default: undefined })
-      .option('bootstrap-kms-key-id', { type: 'string', desc: 'AWS KMS master key ID used for the SSE-KMS encryption', default: undefined })
+      .option('bootstrap-kms-key-id', { type: 'string', desc: 'AWS KMS master key ID used for the SSE-KMS encryption', default: undefined, conflicts: 'bootstrap-customer-key' })
+      .option('bootstrap-customer-key', { type: 'boolean', desc: 'Create a Customer Master Key (CMK) for the bootstrap bucket (you will be charged but can customize permissions, modern bootstrapping only)', default: undefined, conflicts: 'bootstrap-kms-key-id' })
       .option('qualifier', { type: 'string', desc: 'Unique string to distinguish multiple bootstrap stacks', default: undefined })
       .option('public-access-block-configuration', { type: 'boolean', desc: 'Block public access configuration on CDK toolkit bucket (enabled by default) ', default: undefined })
       .option('tags', { type: 'array', alias: 't', desc: 'Tags to add for the stack (KEY=VALUE)', nargs: 1, requiresArg: true, default: [] })
@@ -271,6 +272,7 @@ async function initCommandLine() {
           parameters: {
             bucketName: configuration.settings.get(['toolkitBucket', 'bucketName']),
             kmsKeyId: configuration.settings.get(['toolkitBucket', 'kmsKeyId']),
+            createCustomerMasterKey: args.bootstrapCustomerKey,
             qualifier: args.qualifier,
             publicAccessBlockConfiguration: args.publicAccessBlockConfiguration,
             trustedAccounts: arrayFromYargs(args.trust),

packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts

@@ -25,7 +25,7 @@ export class Bootstrapper {
       case 'legacy':
         return this.legacyBootstrap(environment, sdkProvider, options);
       case 'default':
-        return this.defaultBootstrap(environment, sdkProvider, options);
+        return this.modernBootstrap(environment, sdkProvider, options);
       case 'custom':
         return this.customBootstrap(environment, sdkProvider, options);
     }
@@ -45,13 +45,16 @@ export class Bootstrapper {
     const params = options.parameters ?? {};
 
     if (params.trustedAccounts?.length) {
-      throw new Error('--trust can only be passed for the new bootstrap experience.');
+      throw new Error('--trust can only be passed for the modern bootstrap experience.');
     }
     if (params.cloudFormationExecutionPolicies?.length) {
-      throw new Error('--cloudformation-execution-policies can only be passed for the new bootstrap experience.');
+      throw new Error('--cloudformation-execution-policies can only be passed for the modern bootstrap experience.');
+    }
+    if (params.createCustomerMasterKey !== undefined) {
+      throw new Error('--bootstrap-customer-key can only be passed for the modern bootstrap experience.');
     }
     if (params.qualifier) {
-      throw new Error('--qualifier can only be passed for the new bootstrap experience.');
+      throw new Error('--qualifier can only be passed for the modern bootstrap experience.');
     }
 
     const current = await BootstrapStack.lookup(sdkProvider, environment, options.toolkitStackName);
@@ -66,7 +69,7 @@ export class Bootstrapper {
    *
    * @experimental
    */
-  private async defaultBootstrap(
+  private async modernBootstrap(
     environment: cxapi.Environment,
     sdkProvider: SdkProvider,
     options: BootstrapEnvironmentOptions = {}): Promise<DeployStackResult> {
@@ -77,6 +80,10 @@ export class Bootstrapper {
 
     const current = await BootstrapStack.lookup(sdkProvider, environment, options.toolkitStackName);
 
+    if (params.createCustomerMasterKey !== undefined && params.kmsKeyId) {
+      throw new Error('You cannot pass \'--bootstrap-kms-key-id\' and \'--bootstrap-customer-key\' together. Specify one or the other');
+    }
+
     // If people re-bootstrap, existing parameter values are reused so that people don't accidentally change the configuration
     // on their bootstrap stack (this happens automatically in deployStack). However, to do proper validation on the
     // combined arguments (such that if --trust has been given, --cloudformation-execution-policies is necessary as well)
@@ -93,15 +100,28 @@ export class Bootstrapper {
     if (cloudFormationExecutionPolicies.length === 0) {
       throw new Error('Please pass \'--cloudformation-execution-policies\' to specify deployment permissions. Try a managed policy of the form \'arn:aws:iam::aws:policy/<PolicyName>\'.');
     }
-    // Remind people what the current settings are
+
+    // * If an ARN is given, that ARN. Otherwise:
+    //   * '-' if customerKey = false
+    //   * '' if customerKey = true
+    //   * if customerKey is also not given
+    //     * undefined if we already had a value in place (reusing what we had)
+    //     * '-' if this is the first time we're deploying this stack (or upgrading from old to new bootstrap)
+    const currentKmsKeyId = current.parameters.FileAssetsBucketKmsKeyId;
+    const kmsKeyId = params.kmsKeyId ??
+      (params.createCustomerMasterKey === true ? CREATE_NEW_KEY :
+        params.createCustomerMasterKey === false || currentKmsKeyId === undefined ? USE_AWS_MANAGED_KEY :
+          undefined);
+
+    // Remind people what we settled on
     info(`Trusted accounts:   ${trustedAccounts.length > 0 ? trustedAccounts.join(', ') : '(none)'}`);
     info(`Execution policies: ${cloudFormationExecutionPolicies.join(', ')}`);
 
     return current.update(
       bootstrapTemplate,
       {
         FileAssetsBucketName: params.bucketName,
-        FileAssetsBucketKmsKeyId: params.kmsKeyId,
+        FileAssetsBucketKmsKeyId: kmsKeyId,
         // Empty array becomes empty string
         TrustedAccounts: trustedAccounts.join(','),
         CloudFormationExecutionPolicies: cloudFormationExecutionPolicies.join(','),
@@ -124,7 +144,7 @@ export class Bootstrapper {
     if (version === 0) {
       return this.legacyBootstrap(environment, sdkProvider, options);
     } else {
-      return this.defaultBootstrap(environment, sdkProvider, options);
+      return this.modernBootstrap(environment, sdkProvider, options);
     }
   }
 
@@ -139,3 +159,13 @@ export class Bootstrapper {
     }
   }
 }
+
+/**
+ * Magic parameter value that will cause the bootstrap-template.yml to NOT create a CMK but use the default keyo
+ */
+const USE_AWS_MANAGED_KEY = 'AWS_MANAGED_KEY';
+
+/**
+ * Magic parameter value that will cause the bootstrap-template.yml to create a CMK
+ */
+const CREATE_NEW_KEY = '';

packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts

@@ -55,10 +55,20 @@ export interface BootstrappingParameters {
   /**
    * The ID of an existing KMS key to be used for encrypting items in the bucket.
    *
-   * @default - the default KMS key for S3 will be used.
+   * @default - use the default KMS key or create a custom one
    */
   readonly kmsKeyId?: string;
 
+  /**
+   * Whether or not to create a new customer master key (CMK)
+   *
+   * Only applies to modern bootstrapping. Legacy bootstrapping will never create
+   * a CMK, only use the default S3 key.
+   *
+   * @default false
+   */
+  readonly createCustomerMasterKey?: boolean;
+
   /**
    * The list of AWS account IDs that are trusted to deploy into the environment being bootstrapped.
    *

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -16,8 +16,8 @@ Parameters:
     Default: ''
     Type: String
   FileAssetsBucketKmsKeyId:
-    Description: Custom KMS key ID to use for encrypting file assets (by default a
-      KMS key will be automatically defined)
+    Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed
+      S3 key, or the ID/ARN of an existing key.
     Default: ''
     Type: String
   ContainerAssetsRepositoryName:
@@ -61,6 +61,10 @@ Conditions:
     Fn::Equals:
       - ''
       - Ref: FileAssetsBucketKmsKeyId
+  UseAwsManagedKey:
+    Fn::Equals:
+      - 'AWS_MANAGED_KEY'
+      - Ref: FileAssetsBucketKmsKeyId
   HasCustomContainerAssetsRepositoryName:
     Fn::Not:
       - Fn::Equals:
@@ -150,7 +154,10 @@ Resources:
                 Fn::If:
                   - CreateNewKey
                   - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
-                  - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
+                  - Fn::If:
+                    - UseAwsManagedKey
+                    - Ref: AWS::NoValue
+                    - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
       PublicAccessBlockConfiguration:
         Fn::If:
           - UsePublicAccessBlockConfiguration

packages/aws-cdk/lib/api/util/cloudformation.ts

@@ -377,7 +377,7 @@ export class StackParameters {
         this._changes = true;
       }
 
-      if (key in updates && updates[key]) {
+      if (key in updates && updates[key] !== undefined) {
         this.apiParameters.push({ ParameterKey: key, ParameterValue: updates[key] });
 
         // If the updated value is different than the current value, this will lead to a change

packages/aws-cdk/test/api/bootstrap.test.ts

@@ -158,7 +158,7 @@ test('passing trusted accounts to the old bootstrapping results in an error', as
     },
   }))
     .rejects
-    .toThrow('--trust can only be passed for the new bootstrap experience.');
+    .toThrow('--trust can only be passed for the modern bootstrap experience.');
 });
 
 test('passing CFN execution policies to the old bootstrapping results in an error', async () => {
@@ -169,7 +169,7 @@ test('passing CFN execution policies to the old bootstrapping results in an erro
     },
   }))
     .rejects
-    .toThrow('--cloudformation-execution-policies can only be passed for the new bootstrap experience.');
+    .toThrow('--cloudformation-execution-policies can only be passed for the modern bootstrap experience.');
 });
 
 test('even if the bootstrap stack is in a rollback state, can still retry bootstrapping it', async () => {