Merge branch 'master' of github.com:comcalvi/aws-cdk

packages/@aws-cdk/aws-rds/lib/cluster.ts

@@ -88,19 +88,19 @@ export interface DatabaseClusterProps {
   readonly defaultDatabaseName?: string;
 
   /**
-   * Whether to enable storage encryption
+   * Whether to enable storage encryption.
    *
-   * @default false
+   * @default - true if storageEncryptionKey is provided, false otherwise
    */
   readonly storageEncrypted?: boolean
 
   /**
-   * The KMS key for storage encryption. If specified `storageEncrypted`
-   * will be set to `true`.
+   * The KMS key for storage encryption.
+   * If specified, {@link storageEncrypted} will be set to `true`.
    *
-   * @default - default master key.
+   * @default - if storageEncrypted is true then the default master key, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 
   /**
    * A preferred maintenance window day/time range. Should be specified as a range ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC).
@@ -369,7 +369,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
     if (!props.masterUser.password) {
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUser.username,
-        encryptionKey: props.masterUser.kmsKey,
+        encryptionKey: props.masterUser.encryptionKey,
       });
     }
 
@@ -460,8 +460,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
       preferredMaintenanceWindow: props.preferredMaintenanceWindow,
       databaseName: props.defaultDatabaseName,
       // Encryption
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     // if removalPolicy was not specified,

packages/@aws-cdk/aws-rds/lib/instance.ts

@@ -476,7 +476,7 @@ export interface DatabaseInstanceNewProps {
    *
    * @default - default master key
    */
-  readonly performanceInsightKmsKey?: kms.IKey;
+  readonly performanceInsightEncryptionKey?: kms.IKey;
 
   /**
    * The list of log types that need to be enabled for exporting to
@@ -624,7 +624,7 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
       multiAz: props.multiAz,
       optionGroupName: props.optionGroup && props.optionGroup.optionGroupName,
       performanceInsightsKmsKeyId: props.enablePerformanceInsights
-        ? props.performanceInsightKmsKey && props.performanceInsightKmsKey.keyArn
+        ? props.performanceInsightEncryptionKey && props.performanceInsightEncryptionKey.keyArn
         : undefined,
       performanceInsightsRetentionPeriod: props.enablePerformanceInsights
         ? (props.performanceInsightRetention || PerformanceInsightRetention.DEFAULT)
@@ -706,11 +706,11 @@ export interface DatabaseInstanceSourceProps extends DatabaseInstanceNewProps {
   readonly masterUserPassword?: SecretValue;
 
   /**
-   * The KMS key to use to encrypt the secret for the master user password.
+   * The KMS key used to encrypt the secret for the master user password.
    *
    * @default - default master key
    */
-  readonly secretKmsKey?: kms.IKey;
+  readonly masterUserPasswordEncryptionKey?: kms.IKey;
 
   /**
    * The name of the database.
@@ -832,16 +832,16 @@ export interface DatabaseInstanceProps extends DatabaseInstanceSourceProps {
   /**
    * Indicates whether the DB instance is encrypted.
    *
-   * @default false
+   * @default - true if storageEncryptionKey has been provided, false otherwise
    */
   readonly storageEncrypted?: boolean;
 
   /**
-   * The master key that's used to encrypt the DB instance.
+   * The KMS key that's used to encrypt the DB instance.
    *
-   * @default - default master key
+   * @default - default master key if storageEncrypted is true, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 }
 
 /**
@@ -863,19 +863,19 @@ export class DatabaseInstance extends DatabaseInstanceSource implements IDatabas
     if (!props.masterUserPassword) {
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUsername,
-        encryptionKey: props.secretKmsKey,
+        encryptionKey: props.masterUserPasswordEncryptionKey,
       });
     }
 
     const instance = new CfnDBInstance(this, 'Resource', {
       ...this.sourceCfnProps,
       characterSetName: props.characterSetName,
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
       masterUsername: secret ? secret.secretValueFromJson('username').toString() : props.masterUsername,
       masterUserPassword: secret
         ? secret.secretValueFromJson('password').toString()
         : props.masterUserPassword && props.masterUserPassword.toString(),
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     this.instanceIdentifier = instance.ref;
@@ -958,7 +958,7 @@ export class DatabaseInstanceFromSnapshot extends DatabaseInstanceSource impleme
 
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUsername,
-        encryptionKey: props.secretKmsKey,
+        encryptionKey: props.masterUserPasswordEncryptionKey,
       });
     } else {
       if (props.masterUsername) { // It's not possible to change the master username of a RDS instance
@@ -1008,16 +1008,16 @@ export interface DatabaseInstanceReadReplicaProps extends DatabaseInstanceSource
   /**
    * Indicates whether the DB instance is encrypted.
    *
-   * @default false
+   * @default - true if storageEncryptionKey has been provided, false otherwise
    */
   readonly storageEncrypted?: boolean;
 
   /**
-   * The master key that's used to encrypt the DB instance.
+   * The KMS key that's used to encrypt the DB instance.
    *
-   * @default - default master key
+   * @default - default master key if storageEncrypted is true, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 }
 
 /**
@@ -1038,8 +1038,8 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
       ...this.newCfnProps,
       // this must be ARN, not ID, because of https://github.com/terraform-providers/terraform-provider-aws/issues/528#issuecomment-391169012
       sourceDbInstanceIdentifier: props.sourceDatabaseInstance.instanceArn,
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     this.instanceIdentifier = instance.ref;

packages/@aws-cdk/aws-rds/lib/props.ts

@@ -178,7 +178,7 @@ export interface Login {
    *
    * @default default master key
    */
-  readonly kmsKey?: kms.IKey;
+  readonly encryptionKey?: kms.IKey;
 }
 
 /**

packages/@aws-cdk/aws-rds/test/integ.cluster-s3.ts

@@ -25,7 +25,7 @@ const cluster = new DatabaseCluster(stack, 'Database', {
     vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
     vpc,
   },
-  kmsKey,
+  storageEncryptionKey: kmsKey,
   s3ImportBuckets: [importBucket],
   s3ExportBuckets: [exportBucket],
 });

packages/@aws-cdk/aws-rds/test/integ.cluster.ts

@@ -31,7 +31,7 @@ const cluster = new DatabaseCluster(stack, 'Database', {
     vpc,
   },
   parameterGroup: params,
-  kmsKey,
+  storageEncryptionKey: kmsKey,
 });
 
 cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world');

packages/@aws-cdk/aws-rds/test/test.cluster.ts

@@ -242,7 +242,7 @@ export = {
         instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
         vpc,
       },
-      kmsKey: new kms.Key(stack, 'Key'),
+      storageEncryptionKey: new kms.Key(stack, 'Key'),
     });
 
     // THEN