feat(aws-ecr): support encryptionConfiguration for repository #15571

Closed
wants to merge 1 commit into from
41 changes: 41 additions & 0 deletions packages/@aws-cdk/aws-ecr/lib/repository.ts
Expand Up @@ -362,6 +362,14 @@ export interface RepositoryProps {
* @default TagMutability.MUTABLE
*/
readonly imageTagMutability?: TagMutability;

/**
* The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
*
* @default server side encryption with AES256 algorithm
*/
readonly encryptionConfiguration?: EncryptionConfigurationProperty;

}

export interface RepositoryAttributes {
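Review bot: The `@default` tag on `encryptionConfiguration` reads `@default server side encryption with AES256 algorithm`, while the `kmsKey` doc later in this patch uses the `@default - ...` form; pick one form for both. The description should also say that `EncryptionType.KMS` is the alternative, since this is where a reader decides how images are encrypted at rest. The blank line added before the closing `}` of `RepositoryProps` can be dropped.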
Expand Down Expand Up @@ -488,6 +496,7 @@ export class Repository extends RepositoryBase {
scanOnPush: true,
},
imageTagMutability: props.imageTagMutability || undefined,
encryptionConfiguration: props.encryptionConfiguration || undefined,
});

resource.applyRemovalPolicy(props.removalPolicy);
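Review bot: `props.encryptionConfiguration` is passed to the resource unchecked on the added line `encryptionConfiguration: props.encryptionConfiguration || undefined,`, so a caller who sets `kmsKey` together with `EncryptionType.AES256` gets no error, even though the `kmsKey` doc in this patch says the key is then ignored. Throw at construction time for that combination so the mistake is reported at synth instead of producing a repository that is not encrypted with the key the caller named. The `|| undefined` is also redundant for an optional object.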
Expand Down Expand Up @@ -662,3 +671,35 @@ export enum TagMutability {
IMMUTABLE = 'IMMUTABLE',

}

/**
* The encryption type for your repository.
*/
export enum EncryptionType {
/**
* AES256 encryption type.
*/
AES256 = 'AES256',

/**
* KMS encryption type.
*/
KMS = 'KMS'
}

/**
* The encryption configuration setting for your repository.
*/
export interface EncryptionConfigurationProperty {
/**
* The encryption type to use.
*/
readonly encryptionType: EncryptionType;

/**
* The CMK to use for encryption, if encryption type is KMS else ignored.
*
* @default - AWS managed CMK for Amazon ECR will be used.
*/
readonly kmsKey?: string;
}
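Review bot: `readonly kmsKey?: string;` takes a free-form string and its doc comment does not say which form is expected (key ARN, key ID or alias), so a wrong value cannot be caught before deployment. Consider accepting an `IKey` from `@aws-cdk/aws-kms` and deriving the string from it, or at least document the accepted format. The interface also permits `AES256` together with a `kmsKey`, which the comment says is ignored, and `KMS = 'KMS'` lacks the trailing comma that `IMMUTABLE = 'IMMUTABLE',` has just above.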
17 changes: 16 additions & 1 deletion packages/@aws-cdk/aws-ecr/test/repository.test.ts
Expand Up @@ -329,7 +329,22 @@ describe('repository', () => {
// THEN
expect(() => app.synth()).toThrow(/A PolicyStatement used in a resource-based policy must specify at least one IAM principal/);
});

test('repository with encryptionConfiguration', () => {
// GIVEN
const stack = new cdk.Stack();
// WHEN
new ecr.Repository(stack, 'Repo', {
'encryptionConfiguration': {
'encryptionType': ecr.EncryptionType.AES256,
},
});
// THEN
expectCDK(stack).to(haveResource('AWS::ECR::Repository', {
'EncryptionConfiguration': {
'EncryptionType': ecr.EncryptionType.AES256,
},
}));
});
describe('events', () => {
test('onImagePushed without imageTag creates the correct event', () => {
const stack = new cdk.Stack();
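Review bot: The only added test, `repository with encryptionConfiguration`, uses `ecr.EncryptionType.AES256`, which the props doc gives as the default, so the KMS path and `kmsKey` are never exercised. Add a case with `EncryptionType.KMS` and a `kmsKey` that asserts both appear under `EncryptionConfiguration`, and one that asserts the property is absent when the prop is omitted. The quoted keys (`'encryptionConfiguration'`, `'encryptionType'`) do not need quotes, and a blank line before `describe('events', ...)` would separate the blocks as there is before the new test.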