fix: 1059 (#1060)

* chore: add test

* fix:  #1059

* chore: self mutation

Signed-off-by: github-actions <github-actions@github.com>

* fix: tests

---------

Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>

src/SopsSync.ts

@@ -332,6 +332,10 @@ export class SopsSync extends Construct {
         }
         if (props.secret) {
           props.secret.grantWrite(provider);
+          props.secret.encryptionKey?.grantEncryptDecrypt(provider);
+          if (props.secret?.encryptionKey !== undefined) {
+            props.secret.encryptionKey.grantEncryptDecrypt(provider);
+          }
         }
         if (props.parameterName) {
           provider.addToRolePolicy(
@@ -356,17 +360,6 @@ export class SopsSync extends Construct {
         if (sopsAsset !== undefined) {
           sopsAsset.bucket.grantRead(provider);
         }
-        /**
-         * fixes #234
-         * If the kms key for secrets encryption is an IKey
-         * there will be no permissions otherwise
-         */
-        if (
-          props.secret?.encryptionKey !== undefined &&
-          !(props.secret.encryptionKey instanceof Key)
-        ) {
-          props.secret.encryptionKey.grantEncryptDecrypt(provider);
-        }
       } else {
         Annotations.of(this).addWarning(
           `Please ensure proper permissions for the passed lambda function:\n  - write Access to the secret\n  - encrypt with the sopsKmsKey${

test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "36.0.0",
   "files": {
-    "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a": {
+    "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698": {
       "source": {
-        "path": "asset.27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip",
+        "path": "asset.7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip",
+          "objectKey": "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
@@ -79,15 +79,15 @@
         }
       }
     },
-    "07df79f5546e9f1a14a130499e3af3184d27aef027596a70f511851537a9376c": {
+    "34059e673c4f895403c78fadd3d731f2a529d292225f60f77169c6275a38ec7a": {
       "source": {
         "path": "SecretIntegrationAsset.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "07df79f5546e9f1a14a130499e3af3184d27aef027596a70f511851537a9376c.json",
+          "objectKey": "34059e673c4f895403c78fadd3d731f2a529d292225f60f77169c6275a38ec7a.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json

@@ -232,7 +232,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip"
+     "S3Key": "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip"
     },
     "Environment": {
      "Variables": {

test/secret-asset.integ.ts

@@ -10,7 +10,7 @@ new SopsSecret(stack, 'SopsSecretJSON', {
   sopsFilePath: 'test-secrets/json/sopsfile.enc-age.json',
   uploadType: UploadType.ASSET,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -20,7 +20,7 @@ new SopsSecret(stack, 'SopsSecretYAML', {
   convertToJSON: false,
   uploadType: UploadType.ASSET,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -30,7 +30,7 @@ new SopsSecret(stack, 'SopsSecretYAMLasJSON', {
   convertToJSON: true,
   uploadType: UploadType.ASSET,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -40,7 +40,7 @@ new SopsSecret(stack, 'SopsComplexSecretJSON', {
   flatten: false,
   uploadType: UploadType.ASSET,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -53,7 +53,7 @@ const sopsComplexSecretJSONFlat = new SopsSecret(
     uploadType: UploadType.ASSET,
     flatten: true,
     // see test-secrets/README.md for further information regarding the test file
-    sopsAgeKey: SecretValue.plainText(
+    sopsAgeKey: SecretValue.unsafePlainText(
       'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
     ),
   },
@@ -65,7 +65,7 @@ new SopsSecret(stack, 'SopComplexSecretYAML', {
   uploadType: UploadType.ASSET,
   flatten: false,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -76,7 +76,7 @@ new SopsSecret(stack, 'SopComplexSecretYAMLFlat', {
   uploadType: UploadType.ASSET,
   flatten: true,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -87,7 +87,7 @@ new SopsSecret(stack, 'SopsComplexSecretYAMLasJSON', {
   uploadType: UploadType.ASSET,
   flatten: false,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });
@@ -101,7 +101,7 @@ const sopsComplexSecretYAMLasJSONFlat = new SopsSecret(
     convertToJSON: true,
     flatten: true,
     // see test-secrets/README.md for further information regarding the test file
-    sopsAgeKey: SecretValue.plainText(
+    sopsAgeKey: SecretValue.unsafePlainText(
       'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
     ),
   },
@@ -111,7 +111,7 @@ new SopsSecret(stack, 'SopsBinaryAsBinary', {
   sopsFilePath: 'test-secrets/binary/sopsfile.enc-age.binary',
   uploadType: UploadType.ASSET,
   // see test-secrets/README.md for further information regarding the test file
-  sopsAgeKey: SecretValue.plainText(
+  sopsAgeKey: SecretValue.unsafePlainText(
     'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3',
   ),
 });

test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json

@@ -1,28 +1,28 @@
 {
   "version": "36.0.0",
   "files": {
-    "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a": {
+    "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698": {
       "source": {
-        "path": "asset.27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip",
+        "path": "asset.7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip",
+          "objectKey": "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "c5578f04da40a9f75c6cf51d04340132d7704c019cebe530cef3e8f5b440ce44": {
+    "783025e56c99074fbc15a11b16b3f7258b3e8569e2e77e208130f9b4498e7c27": {
       "source": {
         "path": "SecretIntegrationInline.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "c5578f04da40a9f75c6cf51d04340132d7704c019cebe530cef3e8f5b440ce44.json",
+          "objectKey": "783025e56c99074fbc15a11b16b3f7258b3e8569e2e77e208130f9b4498e7c27.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json

@@ -199,7 +199,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "27c6823c810b55a2fe61fc015017847a7bb214fd8e78fe443f8a7c5378ca1a8a.zip"
+     "S3Key": "7c8b0635fd73cb2b8c0561e8c05569b63a4f5bf5871d48f9f6ef8ac41cfd1698.zip"
     },
     "Environment": {
      "Variables": {