From 6126413bc6bbc700edf46509a6934ef615f8bbb1 Mon Sep 17 00:00:00 2001
From: "Rafael R. Camargo" <66796237+rafaelrcamargo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 14:21:16 -0300
Subject: [PATCH] chore(kms): prefer new `aliasArn` to `keyArn` for getting arn of an alias (#28197)
**Motivation:** The current implementation of `keyArn` within the AWS CDK AWS KMS module returns the Key ARN for a key and an alias, which causes confusion for users expecting the Alias ARN. This PR aims to alleviate this confusion by providing clearer access to the Alias ARN. **Changes:** Introducing a new attribute `aliasArn` that mirrors the value from `keyArn` specifically for aliases to explicitly retrieve the Alias ARN. ```typescript /** * The ARN of the alias. * * @attribute * @deprecated use `aliasArn` instead */ public get keyArn(): string { return Stack.of(this).formatArn({ service: 'kms', // aliasName already contains the '/' resource: this.aliasName, }); } /** * The ARN of the alias. * * @attribute */ public get aliasArn(): string { return this.keyArn; } ``` **Query:** Should we deprecate the existing `keyArn` and mirror it in `aliasArn` or change the logic within `keyArn` to `aliasArn` and use the `keyArn` as the mirror? > Your feedback on the preferred approach would be greatly appreciated! Closes #28105. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
packages/aws-cdk-lib/aws-kms/lib/alias.ts | 19 ++++++++++++++
.../aws-cdk-lib/aws-kms/test/alias.test.ts | 26 ++++++++++++++++++-
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
index cc77cc50ed420..0045866c3a8f8 100644
--- a/packages/aws-cdk-lib/aws-kms/lib/alias.ts
+++ b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -59,6 +59,12 @@ abstract class AliasBase extends Resource implements IAlias {
 public abstract readonly aliasTargetKey: IKey;
+ /**
+ * The ARN of the alias.
+ *
+ * @attribute
+ * @deprecated use `aliasArn` instead
+ */
 public get keyArn(): string {
 return Stack.of(this).formatArn({
 service: 'kms',
@@ -67,6 +73,19 @@ abstract class AliasBase extends Resource implements IAlias {
 });
 }
+ /**
+ * The ARN of the alias.
+ *
+ * @attribute
+ */
+ public get aliasArn(): string {
+ return Stack.of(this).formatArn({
+ service: 'kms',
+ // aliasName already contains the '/'
+ resource: this.aliasName,
+ });
+ }
+
 public get keyId(): string {
 return this.aliasName;
 }
diff --git a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
index e629b46ec1744..6f44522e0ea8f 100644
--- a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
+++ b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import { ArnPrincipal, PolicyStatement } from '../../aws-iam';
-import { App, Aws, CfnOutput, Stack } from '../../core';
+import { App, Arn, Aws, CfnOutput, Stack } from '../../core';
 import { KMS_ALIAS_NAME_REF } from '../../cx-api';
 import { Alias } from '../lib/alias';
 import { IKey, Key } from '../lib/key';
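Review bot: In `lib/alias.ts` (hunk `@@ -59,6 +59,12 @@`), the deprecated `keyArn` getter keeps its own `formatArn` call while the `aliasArn` getter added in the next hunk repeats it verbatim, so the two values can drift apart over time. Having the deprecated getter delegate with `return this.aliasArn;` leaves a single definition; the PR description shows the opposite direction (`aliasArn` returning `this.keyArn`), which would make the new API depend on the one being retired. The doc comment could also say why the name is retired, e.g. `* The ARN of the alias, not of the key it points to.` The getter's body closes in the context lines of the following hunk.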
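Review bot: In `lib/alias.ts` (hunk `@@ -67,6 +73,19 @@`), the doc comment on `aliasArn` should say what an alias ARN does and does not identify, since the value is likely to end up in a policy `Resource`. In IAM policies KMS matches operations on a key against the key ARN; an alias ARN as `Resource` covers only operations on the alias itself, and alias-based scoping of key use is expressed with the `kms:RequestAlias` or `kms:ResourceAliases` condition keys. Suggested line for the doc comment: `* Identifies the alias itself; to authorize use of the target key, use the key ARN or an alias condition key.`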
@@ -357,6 +357,30 @@ test('does not add alias if starts with token', () => {
 });
 });
+test('aliasArn and keyArn from alias should match', () => {
+ const app = new App();
+ const stack = new Stack(app, 'Test');
+ const key = new Key(stack, 'Key');
+
+ const alias = new Alias(stack, 'Alias', { targetKey: key, aliasName: 'alias/foo' });
+
+ expect(alias.aliasArn).toEqual(alias.keyArn);
+});
+
+test('aliasArn should be a valid ARN', () => {
+ const app = new App();
+ const stack = new Stack(app, 'Test');
+ const key = new Key(stack, 'Key');
+
+ const alias = new Alias(stack, 'Alias', { targetKey: key, aliasName: 'alias/foo' });
+
+ expect(alias.aliasArn).toEqual(Arn.format({
+ service: 'kms',
+ // aliasName already contains the '/'
+ resource: alias.aliasName,
+ }, stack));
+});
+
 class AliasOutputsConstruct extends Construct {
 constructor(scope: Construct, id: string, key: IKey) {
 super(scope, id);
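Review bot: In `test/alias.test.ts` (hunk `@@ -357,6 +357,30 @@`), both added tests compare `aliasArn` with a value built from the same inputs the getter uses (`keyArn`, then `Arn.format` with `service: 'kms'` and `alias.aliasName`), so neither pins the property this change is about: that the alias ARN is not the ARN of the target key. Adding `expect(alias.aliasArn).not.toEqual(key.keyArn);` to the first test would do that. The first test also reads `keyArn`, which this commit marks `@deprecated`; if the project's test setup fails or warns on deprecated API use, that call needs the project's usual wrapper, which is not visible here.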