Revert "feat!(app-staging-synthesizer-alpha): use S3-Managed encrypti…

…on by default" This reverts commit 2e504da.
aws · Feb 10, 2024 · 192611a · 192611a
1 parent 2e504da
commit 192611a
Show file tree

Hide file tree

Showing 20 changed files with 358 additions and 331 deletions.
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md
@@ -267,16 +267,16 @@ const app = new App({
 
 ### Staging Bucket Encryption
 
-By default, the staging resources will be stored in an S3 Bucket with S3 Managed encryption. To use
-SSE-KMS, set `stagingBucketEncryption` to `BucketEncryption.KMS`.
+By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use
+SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`.
 
 ```ts
 import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
 
 const app = new App({
   defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
     appId: 'my-app-id',
-    stagingBucketEncryption: BucketEncryption.KMS,
+    stagingBucketEncryption: BucketEncryption.S3_MANAGED,
   }),
 });
 ```

diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts
@@ -64,7 +64,7 @@ export interface DefaultStagingStackOptions {
   /**
    * Encryption type for staging bucket
    *
-   * @default - s3.BucketEncryption.S3_MANAGED
+   * @default - s3.BucketEncryption.KMS
    */
   readonly stagingBucketEncryption?: s3.BucketEncryption;
 
@@ -226,7 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
 
   private readonly appId: string;
   private readonly stagingBucketName?: string;
-  private stagingBucketEncryption: s3.BucketEncryption;
+  private stagingBucketEncryption?: s3.BucketEncryption;
 
   /**
    * File publish role ARN in asset manifest format
@@ -267,7 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
 
     this.deployRoleArn = props.deployRoleArn;
     this.stagingBucketName = props.stagingBucketName;
-    this.stagingBucketEncryption = props.stagingBucketEncryption ?? s3.BucketEncryption.S3_MANAGED;
+    this.stagingBucketEncryption = props.stagingBucketEncryption;
     const specializer = new StringSpecializer(this, props.qualifier);
 
     this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer);
@@ -368,6 +368,15 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
 
     this.ensureFileRole();
 
+    let key = undefined;
+    if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) {
+      if (this.stagingBucketEncryption === undefined) {
+        // default is KMS as an AWS best practice, and for backwards compatibility
+        this.stagingBucketEncryption = s3.BucketEncryption.KMS;
+      }
+      key = this.createBucketKey();
+    }
+
     // Create the bucket once the dependencies have been created
     const bucket = new s3.Bucket(this, bucketId, {
       bucketName: stagingBucketName,
@@ -378,7 +387,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
         removalPolicy: RemovalPolicy.RETAIN,
       }),
       encryption: this.stagingBucketEncryption,
-      encryptionKey: this.stagingBucketEncryption === s3.BucketEncryption.KMS ? this.createBucketKey() : undefined,
+      encryptionKey: key,
 
       // Many AWS account safety checkers will complain when buckets aren't versioned
       versioned: true,

diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts
@@ -277,26 +277,26 @@ describe(AppStagingSynthesizer, () => {
             Status: 'Enabled',
           }]),
         },
-        // When stagingBucketEncryption is not specified, it should be S3_MANAGED
+        // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility
         BucketEncryption: {
           ServerSideEncryptionConfiguration: [
             {
               ServerSideEncryptionByDefault: {
-                SSEAlgorithm: 'AES256',
+                SSEAlgorithm: 'aws:kms',
               },
             },
           ],
         },
       });
     });
 
-    test('staging bucket with SSE-KMS encryption', () => {
+    test('staging bucket with SSE-S3 encryption', () => {
       // GIVEN
       app = new App({
         defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
           appId: APP_ID,
           deployTimeFileAssetLifetime: Duration.days(1),
-          stagingBucketEncryption: BucketEncryption.KMS,
+          stagingBucketEncryption: BucketEncryption.S3_MANAGED,
         }),
       });
       stack = new Stack(app, 'Stack', {
@@ -318,7 +318,7 @@ describe(AppStagingSynthesizer, () => {
           ServerSideEncryptionConfiguration: [
             {
               ServerSideEncryptionByDefault: {
-                SSEAlgorithm: 'aws:kms',
+                SSEAlgorithm: 'AES256',
               },
             },
           ],

diff --git a/...resourcesmax-ACCOUNT-REGION.template.json → ...resourcesmax-ACCOUNT-REGION.template.json b/...resourcesmax-ACCOUNT-REGION.template.json → ...resourcesmax-ACCOUNT-REGION.template.json
@@ -85,22 +85,6 @@
          ]
         }
        ]
-      },
-      {
-       "Action": [
-        "kms:Decrypt",
-        "kms:DescribeKey",
-        "kms:Encrypt",
-        "kms:GenerateDataKey*",
-        "kms:ReEncrypt*"
-       ],
-       "Effect": "Allow",
-       "Resource": {
-        "Fn::GetAtt": [
-         "BucketKey7092080A",
-         "Arn"
-        ]
-       }
       }
      ],
      "Version": "2012-10-17"
@@ -113,105 +97,14 @@
     ]
    }
   },
-  "BucketKey7092080A": {
-   "Type": "AWS::KMS::Key",
-   "Properties": {
-    "KeyPolicy": {
-     "Statement": [
-      {
-       "Action": "kms:*",
-       "Effect": "Allow",
-       "Principal": {
-        "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
-         ]
-        }
-       },
-       "Resource": "*"
-      },
-      {
-       "Action": [
-        "kms:CancelKeyDeletion",
-        "kms:Create*",
-        "kms:Delete*",
-        "kms:Describe*",
-        "kms:Disable*",
-        "kms:Enable*",
-        "kms:Get*",
-        "kms:List*",
-        "kms:Put*",
-        "kms:Revoke*",
-        "kms:ScheduleKeyDeletion",
-        "kms:TagResource",
-        "kms:UntagResource",
-        "kms:Update*"
-       ],
-       "Effect": "Allow",
-       "Principal": {
-        "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
-         ]
-        }
-       },
-       "Resource": "*"
-      }
-     ],
-     "Version": "2012-10-17"
-    }
-   },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
-  },
-  "BucketKeyAlias69A0886F": {
-   "Type": "AWS::KMS::Alias",
-   "Properties": {
-    "AliasName": "alias/cdk-default-resourcesmax-staging",
-    "TargetKeyId": {
-     "Fn::GetAtt": [
-      "BucketKey7092080A",
-      "Arn"
-     ]
-    }
-   }
-  },
   "CdkStagingBucket1636058C": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
     "BucketEncryption": {
      "ServerSideEncryptionConfiguration": [
       {
        "ServerSideEncryptionByDefault": {
-        "KMSMasterKeyID": {
-         "Fn::GetAtt": [
-          "BucketKey7092080A",
-          "Arn"
-         ]
-        },
-        "SSEAlgorithm": "aws:kms"
+        "SSEAlgorithm": "AES256"
        }
       }
      ]

diff --git a/....synth-kms-encryption.js.snapshot/cdk.out → ...th-default-encryption.js.snapshot/cdk.out b/....synth-kms-encryption.js.snapshot/cdk.out → ...th-default-encryption.js.snapshot/cdk.out
diff --git a/...nth-kms-encryption.js.snapshot/integ.json → ...default-encryption.js.snapshot/integ.json b/...nth-kms-encryption.js.snapshot/integ.json → ...default-encryption.js.snapshot/integ.json
diff --git a/...faultTestDeployAssert44C8D370.assets.json → ...faultTestDeployAssert44C8D370.assets.json b/...faultTestDeployAssert44C8D370.assets.json → ...faultTestDeployAssert44C8D370.assets.json
diff --git a/...ultTestDeployAssert44C8D370.template.json → ...ultTestDeployAssert44C8D370.template.json b/...ultTestDeployAssert44C8D370.template.json → ...ultTestDeployAssert44C8D370.template.json
diff --git a/...-kms-encryption.js.snapshot/manifest.json → ...ault-encryption.js.snapshot/manifest.json b/...-kms-encryption.js.snapshot/manifest.json → ...ault-encryption.js.snapshot/manifest.json
diff --git a/...synthesize-default-encryption.assets.json → ...synthesize-default-encryption.assets.json b/...synthesize-default-encryption.assets.json → ...synthesize-default-encryption.assets.json
diff --git a/...nthesize-default-encryption.template.json → ...nthesize-default-encryption.template.json b/...nthesize-default-encryption.template.json → ...nthesize-default-encryption.template.json