-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(servicecatalog): product stack asset bucket with forced encryption #26303
fix(servicecatalog): product stack asset bucket with forced encryption #26303
Conversation
~/apg/aws-cdk/packages/aws-cdk-lib/aws-servicecatalog/test/product-stack.test.ts - Warning:(25, 5) Comma expression - Warning:(184, 5) Comma expression ~/apg/aws-cdk/packages/aws-cdk-lib/aws-servicecatalog/lib/private/product-stack-synthesizer.ts - Warning:(55, 11) Local variable 'physicalName' is redundant
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
@Mergifyio refresh |
✅ Pull request refreshed |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws#26303) Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied). Expected Behavior I would expect that assets will be encrypted when the asset bucket has encryption enabled. Current Behavior Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings. Possible Solution This PR is a possible solution in which user would provide additional property `serverSideEncryption` along with encryption key `serverSideEncryptionAwsKmsKeyId` which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach. Closes aws#26302. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied).
Expected Behavior
I would expect that assets will be encrypted when the asset bucket has encryption enabled.
Current Behavior
Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings.
Possible Solution
This PR is a possible solution in which user would provide additional property
serverSideEncryption
along with encryption keyserverSideEncryptionAwsKmsKeyId
which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach.Closes #26302.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license