Support encryption key in an ArtifactStore of CodePipeline when bucket is imported #3138
Comments
A workaround is:
Hi @kadishmal, Thank you for bringing this to our attention! We expect to get back to work on community PRs within a few weeks.
Thanks for bringing this to our attention @kadishmal! I believe the solution is to add

```ts
// kms here refers to the @aws-cdk/aws-kms module
export interface BucketAttributes {
  // old stuff
  readonly bucketArn?: string;
  readonly bucketName?: string;
  readonly bucketDomainName?: string;
  readonly bucketWebsiteUrl?: string;
  readonly bucketRegionalDomainName?: string;
  readonly bucketDualStackDomainName?: string;
  readonly bucketWebsiteNewUrlFormat?: boolean;
  // new
  encryptionKey?: kms.Key;
}
```

And then, if it has been passed, assign it to the
This changes the scaffolding stack logic for the cross-region CodePipelines to include a KMS key and alias as part of it, which are required if an action is simultaneously cross-region and cross-account. We also change to use the KMS key ID instead of the key ARN when rendering the ArtifactStores property. We also add an alias to the default pipeline artifact bucket.

This required a bunch of changes to the KMS and S3 modules:

* Alias now implements IKey
* Added the keyId property to IKey
* Added removalPolicy property to Alias
* Granting permissions to a key works if the principal belongs to a stack that is a dependent of the key stack
* Allow specifying a key when importing a bucket

Fixes #52
Concerns #1584
Fixes #2517
Fixes #2569
Concerns #3275
Fixes #3138
Fixes #3388
Currently it is not possible to set an encryption key for an ArtifactStore of CodePipeline based on an imported S3 bucket. This is required for a cross-account CodePipeline setup. For instance:
This generates the following CFN template.
Note that `ArtifactStore` doesn't have any encryption-related properties. CDK should be able to detect automatically (or at least provide an option so that developers can indicate) that a bucket has default encryption set which uses a custom KMS key.
The ideal definition for the second stack should have the following instead:
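The following is an added, self-contained example written for this page; it is not code from the issue, from the commenter's proposed `BucketAttributes` change, or from the aws-cdk repository, and it does not use the CDK library. It models the data the issue and the proposed `encryptionKey` attribute are about: an imported bucket's attributes carrying an optional KMS key, the `ArtifactStore` CloudFormation property rendered from them (with `EncryptionKey` present only when a key is supplied, so the no-key case reproduces the template shape the issue complains about), and a review check over a set of rendered stores that flags artifact buckets known to use SSE-KMS default encryption but whose store declares no key. The interface and function names (`ImportedBucketAttributes`, `renderArtifactStore`, `findUndeclaredKeys`) and all sample ARNs, key IDs and bucket names are hypothetical and constructed.

```typescript
// Added example (not from the CDK issue or the aws-cdk repo). Names below are
// hypothetical; the only real shape is the CloudFormation ArtifactStore property.

interface ImportedBucketAttributes {
  readonly bucketName: string;
  // Hypothetical attribute in the spirit of the proposed `encryptionKey` on
  // BucketAttributes: ARN of the KMS key behind the bucket's default encryption.
  readonly encryptionKeyArn?: string;
}

// Shape of the ArtifactStore property of AWS::CodePipeline::Pipeline.
interface ArtifactStoreProperty {
  readonly Type: 'S3';
  readonly Location: string;
  readonly EncryptionKey?: { readonly Type: 'KMS'; readonly Id: string };
}

// Extract the key ID from a KMS key ARN (arn:aws:kms:REGION:ACCOUNT:key/ID -> ID).
// Alias ARNs and anything else are rejected so a typo cannot silently produce
// a store that references a non-existent key.
function keyIdFromArn(keyArn: string): string {
  const m = /^arn:[^:]+:kms:[^:]*:[^:]*:key\/(.+)$/.exec(keyArn);
  if (m === null) {
    throw new Error('expected a KMS key ARN, got: ' + keyArn);
  }
  return m[1];
}

// Render the ArtifactStore for one region. EncryptionKey is emitted only when
// the imported bucket carries a key; without it the result has no
// encryption-related properties, which is exactly the template the issue shows.
function renderArtifactStore(bucket: ImportedBucketAttributes): ArtifactStoreProperty {
  if (bucket.encryptionKeyArn === undefined) {
    return { Type: 'S3', Location: bucket.bucketName };
  }
  return {
    Type: 'S3',
    Location: bucket.bucketName,
    EncryptionKey: { Type: 'KMS', Id: keyIdFromArn(bucket.encryptionKeyArn) },
  };
}

// Review check over rendered stores (region -> store): return the regions whose
// artifact bucket is known to use SSE-KMS default encryption but whose store
// declares no EncryptionKey, i.e. the misconfiguration described in the issue.
function findUndeclaredKeys(
  stores: { [region: string]: ArtifactStoreProperty },
  kmsDefaultEncryptedBuckets: string[],
): string[] {
  const flagged: string[] = [];
  for (const region of Object.keys(stores)) {
    const store = stores[region];
    const bucketUsesKms = kmsDefaultEncryptedBuckets.indexOf(store.Location) !== -1;
    if (bucketUsesKms && store.EncryptionKey === undefined) {
      flagged.push(region);
    }
  }
  return flagged;
}

// Constructed sample input: placeholder account ID, key ID and bucket names.
const sampleBucketWithKey: ImportedBucketAttributes = {
  bucketName: 'example-artifacts-us-east-1',
  encryptionKeyArn: 'arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012',
};
const sampleBucketWithoutKey: ImportedBucketAttributes = {
  bucketName: 'example-artifacts-eu-west-1',
};

const sampleStores: { [region: string]: ArtifactStoreProperty } = {
  'us-east-1': renderArtifactStore(sampleBucketWithKey),
  'eu-west-1': renderArtifactStore(sampleBucketWithoutKey),
};

console.log(JSON.stringify(sampleStores, null, 2));
// Both buckets are SSE-KMS encrypted in this constructed scenario, so only the
// store that was rendered without a key gets flagged.
console.log('regions with an undeclared artifact key:',
  findUndeclaredKeys(sampleStores, ['example-artifacts-us-east-1', 'example-artifacts-eu-west-1']));
```

The check in `findUndeclaredKeys` is the part worth keeping around: whatever the CDK ends up generating, a synthesized template can be compared against the list of artifact buckets whose default encryption uses a customer-managed key, and any `ArtifactStore` that omits `EncryptionKey` for such a bucket is a deploy-time failure waiting to happen for the cross-account stage.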