
aws-ecs: ManagedStorageConfiguration add option to provide KMS key to encrypt managed storage besides the fargate ephemeral storage #33380

Closed
2 tasks
mMeijden opened this issue Feb 11, 2025 · 2 comments · Fixed by #33535
Labels
  • @aws-cdk/aws-ecs (Related to Amazon Elastic Container)
  • effort/medium (Medium work item – several days of effort)
  • feature-request (A feature should be added or improved.)
  • p2

Comments


mMeijden commented Feb 11, 2025

Describe the feature

The current ManagedStorageConfiguration interface only supports the option to encrypt the Fargate ephemeral storage while the L1 construct has the option to also add the regular kmsKeyId to encrypt the managed storage.
L2 Cluster construct:

```ts
new ecs.Cluster(this, 'Cluster', {
  managedStorageConfiguration: {
    fargateEphemeralStorageKmsKey: kmsKey,
  },
});
```

L1 CfnCluster:

```ts
new ecs.CfnCluster(this, 'CfnCluster', {
  // other properties omitted
  configuration: {
    managedStorageConfiguration: {
      fargateEphemeralStorageKmsKeyId: 'fargateEphemeralStorageKmsKeyId',
      kmsKeyId: 'kmsKeyId',
    },
  },
  // other properties omitted
});
```

Desired outcome:
The L2 construct should have the option to provide the kmsKeyId property as well, to avoid using the CfnCluster construct.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.Cluster.html#managedstorageconfiguration
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.CfnCluster.ClusterConfigurationProperty.html

Use Case

There are two types of storages in ECS clusters that can be encrypted. The L2 construct only supports the ephemeral storage at this point.

As we are building opinionated constructs for our company, where enforcing encryption with KMS by default is one of them, I am currently unable to use the L2 construct for this.

Proposed Solution

Add kmsKeyId to the ManagedStorageConfiguration interface and the L2 construct

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.178.0

Environment details (OS name and version, etc.)

applies to all environments

@mMeijden mMeijden added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2025
@github-actions github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Feb 11, 2025
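The gap the issue describes is visible in the synthesized CloudFormation: an `AWS::ECS::Cluster` produced by the L2 construct carried `Configuration.ManagedStorageConfiguration.FargateEphemeralStorageKmsKeyId` but no `KmsKeyId`. For a team enforcing KMS encryption by default, the useful guardrail is a check over the synthesized template that flags clusters missing either key. The following is an added example and not code from the issue or from the aws-cdk project; the template it scans is constructed inline, and the resource logical IDs in it are made up for illustration.

```typescript
// Added example (not from the issue or aws-cdk): flag AWS::ECS::Cluster resources
// in a synthesized CloudFormation template whose managed storage is not encrypted
// with a customer-managed KMS key. Both properties the issue discusses are checked:
// Configuration.ManagedStorageConfiguration.FargateEphemeralStorageKmsKeyId and
// Configuration.ManagedStorageConfiguration.KmsKeyId.

type CfnTemplate = {
  Resources?: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
};

interface Finding {
  logicalId: string;
  missing: string[]; // which of the two key properties are absent or empty
}

const REQUIRED_KEYS = ['FargateEphemeralStorageKmsKeyId', 'KmsKeyId'] as const;

// A key may be given as a literal key id/ARN or as a CloudFormation intrinsic
// such as { Ref: 'Key' } or { 'Fn::GetAtt': ['Key', 'Arn'] }.
function isKeyReference(value: unknown): boolean {
  if (typeof value === 'string') return value.trim().length > 0;
  if (value && typeof value === 'object') {
    const keys = Object.keys(value as object);
    return keys.length === 1 && (keys[0] === 'Ref' || keys[0].startsWith('Fn::'));
  }
  return false;
}

// Walk every ECS cluster in the template and report the ones where the ephemeral
// storage key, the managed storage key, or both are not set.
function findUnencryptedManagedStorage(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources ?? {})) {
    if (resource.Type !== 'AWS::ECS::Cluster') continue;
    const configuration = (resource.Properties?.Configuration ?? {}) as Record<string, unknown>;
    const storage = (configuration.ManagedStorageConfiguration ?? {}) as Record<string, unknown>;
    const missing = REQUIRED_KEYS.filter((k) => !isKeyReference(storage[k]));
    if (missing.length > 0) findings.push({ logicalId, missing });
  }
  return findings;
}

// Constructed sample template: one fully encrypted cluster, one with only the
// ephemeral storage key (what the L2 construct emitted before the fix), and one
// with no managed storage configuration at all.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Key: { Type: 'AWS::KMS::Key', Properties: {} },
    FullyEncrypted: {
      Type: 'AWS::ECS::Cluster',
      Properties: {
        Configuration: {
          ManagedStorageConfiguration: {
            FargateEphemeralStorageKmsKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] },
            KmsKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] },
          },
        },
      },
    },
    EphemeralOnly: {
      Type: 'AWS::ECS::Cluster',
      Properties: {
        Configuration: {
          ManagedStorageConfiguration: {
            FargateEphemeralStorageKmsKeyId: { Ref: 'Key' },
          },
        },
      },
    },
    NoConfig: { Type: 'AWS::ECS::Cluster', Properties: { ClusterName: 'plain' } },
  },
};

// Running the file prints the two non-compliant clusters (EphemeralOnly, NoConfig).
console.log(JSON.stringify(findUnencryptedManagedStorage(sampleTemplate), null, 2));
```

Run it against the JSON that `cdk synth` writes to `cdk.out` to catch clusters that drifted from the encryption policy. Until the L2 construct exposed the managed storage key, the same property could be set from the L2 cluster through the CDK escape hatch, `(cluster.node.defaultChild as ecs.CfnCluster).addPropertyOverride(...)` with the `Configuration.ManagedStorageConfiguration.KmsKeyId` path, rather than dropping to a hand-written `CfnCluster`; the check above is independent of which construct produced the resource.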
Contributor

pahud commented Feb 11, 2025

Yeah, sounds like we could expose that to L2. Welcome PRs to move this forward.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2025
@mergify mergify bot closed this as completed in #33535 Feb 26, 2025
mergify bot pushed a commit that referenced this issue Feb 26, 2025
### Issue # (if applicable)

Closes #33380

### Reason for this change
ECS cluster doesn't support encrypting managed storage

### Description of changes
`managedStorageConfiguration` supports encrypting managed storage

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 26, 2025