From 80fbce7c6644906a6b35a6fd391895fab10e2716 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Tue, 23 Apr 2024 07:35:49 +0900 Subject: [PATCH 1/6] feat: rotation period --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 17 +++++++++++++++++ packages/aws-cdk-lib/aws-kms/test/key.test.ts | 8 ++++++++ 2 files changed, 25 insertions(+) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index ba5d33c2988e9..609523a526b5c 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -434,6 +434,13 @@ export interface KeyProps { */ readonly enableKeyRotation?: boolean; + /** + * The period between each automatic rotation. + * + * @default - 365 days. + */ + readonly rotationPeriod?: Duration; + /** * Indicates whether the key is available for use. * @@ -722,6 +729,15 @@ export class Key extends KeyBase { throw new Error('key rotation cannot be enabled on asymmetric keys'); } + if (props.rotationPeriod) { + if (!props.enableKeyRotation) { + throw new Error('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled'); + } + if (props.rotationPeriod.toDays() < 90 || props.rotationPeriod.toDays() > 2560) { + throw new Error(`'rotationPeriod' value must between 90 and 2650 days. Received: ${props.rotationPeriod.toDays()}`); + } + } + const defaultKeyPoliciesFeatureEnabled = FeatureFlags.of(this).isEnabled(cxapi.KMS_DEFAULT_KEY_POLICIES); this.policy = props.policy ?? new iam.PolicyDocument(); @@ -755,6 +771,7 @@ export class Key extends KeyBase { const resource = new CfnKey(this, 'Resource', { description: props.description, enableKeyRotation: props.enableKeyRotation, + rotationPeriodInDays: props.rotationPeriod?.toDays(), enabled: props.enabled, keySpec: props.keySpec, keyUsage: props.keyUsage, diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 3493c31dff3ac..370edc10051f6 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts @@ -491,6 +491,7 @@ test('key with some options', () => { enableKeyRotation: true, enabled: false, pendingWindow: cdk.Duration.days(7), + rotationPeriod: cdk.Duration.days(180), }); cdk.Tags.of(key).add('tag1', 'value1'); @@ -501,6 +502,7 @@ test('key with some options', () => { Enabled: false, EnableKeyRotation: true, PendingWindowInDays: 7, + RotationPeriodInDays: 180, Tags: [ { Key: 'tag1', @@ -524,6 +526,12 @@ test('setting pendingWindow value to not in allowed range will throw', () => { .toThrow('\'pendingWindow\' value must between 7 and 30 days. Received: 6'); }); +test.each([89, 2561])('throw if rotationPeriod is not in allowed range', (period) => { + const stack = new cdk.Stack(); + expect(() => new kms.Key(stack, 'MyKey', { enableKeyRotation: true, rotationPeriod: cdk.Duration.days(period) })) + .toThrow(`'rotationPeriod' value must between 90 and 2650 days. Received: ${period}`); +}); + describeDeprecated('trustAccountIdentities is deprecated', () => { test('setting trustAccountIdentities to false will throw (when the defaultKeyPolicies feature flag is enabled)', () => { const stack = new cdk.Stack(); From ee81e6ba775876ff9056f3b1f1a7fa2d9b3f8556 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Tue, 23 Apr 2024 07:52:07 +0900 Subject: [PATCH 2/6] docs: update readme --- packages/aws-cdk-lib/aws-kms/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/aws-cdk-lib/aws-kms/README.md b/packages/aws-cdk-lib/aws-kms/README.md index a039288e468eb..5bf8c6366087d 100644 --- a/packages/aws-cdk-lib/aws-kms/README.md +++ b/packages/aws-cdk-lib/aws-kms/README.md @@ -6,6 +6,7 @@ Define a KMS key: ```ts new kms.Key(this, 'MyKey', { enableKeyRotation: true, + rotationPeriod: Duration.days(180), // Default is 365 days }); ``` From 821cfd52b49b50a222c879d36167b1e64f1a8a02 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Tue, 23 Apr 2024 07:52:28 +0900 Subject: [PATCH 3/6] test: integ test --- .../TestStack.assets.json | 19 +++ .../TestStack.template.json | 75 +++++++++ .../integ.key-rotation.js.snapshot/cdk.out | 1 + .../integ.key-rotation.js.snapshot/integ.json | 12 ++ ...efaultTestDeployAssert801AD589.assets.json | 19 +++ ...aultTestDeployAssert801AD589.template.json | 36 ++++ .../manifest.json | 113 +++++++++++++ .../integ.key-rotation.js.snapshot/tree.json | 154 ++++++++++++++++++ .../test/aws-kms/test/integ.key-rotation.ts | 20 +++ 9 files changed, 449 insertions(+) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.assets.json new file mode 100644 index 0000000000000..47259228e9f83 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "f837a0f3219d71ea4c1ebf1c3f9a95829e51186d2a0601bbbc2e60e416e811ee": { + "source": { + "path": "TestStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "f837a0f3219d71ea4c1ebf1c3f9a95829e51186d2a0601bbbc2e60e416e811ee.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.template.json new file mode 100644 index 0000000000000..8b8a55b07b5fd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/TestStack.template.json @@ -0,0 +1,75 @@ +{ + "Resources": { + "keyFEDD6EC0": { + "Type": "AWS::KMS::Key", + "Properties": { + "EnableKeyRotation": true, + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "RotationPeriodInDays": 180 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/integ.json new file mode 100644 index 0000000000000..b8926f3a28036 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "kms-key-rotation/DefaultTest": { + "stacks": [ + "TestStack" + ], + "assertionStack": "kms-key-rotation/DefaultTest/DeployAssert", + "assertionStackName": "kmskeyrotationDefaultTestDeployAssert801AD589" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.assets.json new file mode 100644 index 0000000000000..57371b3bde5a0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "kmskeyrotationDefaultTestDeployAssert801AD589.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/kmskeyrotationDefaultTestDeployAssert801AD589.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/manifest.json new file mode 100644 index 0000000000000..5df0c543da274 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "36.0.0", + "artifacts": { + "TestStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "TestStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "TestStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "TestStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f837a0f3219d71ea4c1ebf1c3f9a95829e51186d2a0601bbbc2e60e416e811ee.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "TestStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "TestStack.assets" + ], + "metadata": { + "/TestStack/key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "keyFEDD6EC0" + } + ], + "/TestStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/TestStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "TestStack" + }, + "kmskeyrotationDefaultTestDeployAssert801AD589.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "kmskeyrotationDefaultTestDeployAssert801AD589.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "kmskeyrotationDefaultTestDeployAssert801AD589": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "kmskeyrotationDefaultTestDeployAssert801AD589.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "kmskeyrotationDefaultTestDeployAssert801AD589.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "kmskeyrotationDefaultTestDeployAssert801AD589.assets" + ], + "metadata": { + "/kms-key-rotation/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/kms-key-rotation/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "kms-key-rotation/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/tree.json new file mode 100644 index 0000000000000..19125cabaced8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.js.snapshot/tree.json @@ -0,0 +1,154 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "TestStack": { + "id": "TestStack", + "path": "TestStack", + "children": { + "key": { + "id": "key", + "path": "TestStack/key", + "children": { + "Resource": { + "id": "Resource", + "path": "TestStack/key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "enableKeyRotation": true, + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "rotationPeriodInDays": 180 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "TestStack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "TestStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "kms-key-rotation": { + "id": "kms-key-rotation", + "path": "kms-key-rotation", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "kms-key-rotation/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "kms-key-rotation/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "kms-key-rotation/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "kms-key-rotation/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "kms-key-rotation/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.ts new file mode 100644 index 0000000000000..c7f4472b19af6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-rotation.ts @@ -0,0 +1,20 @@ +import { App, Duration, Stack } from 'aws-cdk-lib'; +import * as kms from 'aws-cdk-lib/aws-kms'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +class TestStack extends Stack { + constructor(scope: App) { + super(scope, 'TestStack'); + new kms.Key(this, 'key', { + enableKeyRotation: true, + rotationPeriod: Duration.days(180), + }); + } +} + +const app = new App(); +const stack = new TestStack(app); + +new IntegTest(app, 'kms-key-rotation', { + testCases: [stack], +}); From 56625d3e351e05bbea70b5669167427bb60a2ea9 Mon Sep 17 00:00:00 2001 From: kazuho cryer-shinozuka Date: Wed, 24 Apr 2024 10:37:31 +0900 Subject: [PATCH 4/6] Update packages/aws-cdk-lib/aws-kms/lib/key.ts Co-authored-by: Calvin Combs <66279577+comcalvi@users.noreply.github.com> --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index 609523a526b5c..34c82bc7f39b1 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -437,7 +437,7 @@ export interface KeyProps { /** * The period between each automatic rotation. * - * @default - 365 days. + * @default - set by CFN to 365 days. */ readonly rotationPeriod?: Duration; From 82fd2a55b964a4006d63df700658c6764901f1b1 Mon Sep 17 00:00:00 2001 From: kazuho cryer-shinozuka Date: Wed, 24 Apr 2024 10:38:10 +0900 Subject: [PATCH 5/6] Update packages/aws-cdk-lib/aws-kms/lib/key.ts Co-authored-by: Calvin Combs <66279577+comcalvi@users.noreply.github.com> --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index 34c82bc7f39b1..234009c466699 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -730,7 +730,7 @@ export class Key extends KeyBase { } if (props.rotationPeriod) { - if (!props.enableKeyRotation) { + if (props.enableKeyRotation === false) { throw new Error('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled'); } if (props.rotationPeriod.toDays() < 90 || props.rotationPeriod.toDays() > 2560) { From 14f654c2cf385cd2ae9e2cf80ef1196304167615 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Wed, 24 Apr 2024 10:49:25 +0900 Subject: [PATCH 6/6] feat: enableKeyRotation is implicitly enabled by specifying rotationPeriod --- packages/aws-cdk-lib/aws-kms/lib/key.ts | 9 ++++++++- packages/aws-cdk-lib/aws-kms/test/key.test.ts | 12 ++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index 234009c466699..fec01eaade57d 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -681,6 +681,7 @@ export class Key extends KeyBase { public readonly keyId: string; protected readonly policy?: iam.PolicyDocument; protected readonly trustAccountIdentities: boolean; + private readonly enableKeyRotation?: boolean; constructor(scope: Construct, id: string, props: KeyProps = {}) { super(scope, id); @@ -729,6 +730,8 @@ export class Key extends KeyBase { throw new Error('key rotation cannot be enabled on asymmetric keys'); } + this.enableKeyRotation = props.enableKeyRotation; + if (props.rotationPeriod) { if (props.enableKeyRotation === false) { throw new Error('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled'); @@ -736,6 +739,10 @@ export class Key extends KeyBase { if (props.rotationPeriod.toDays() < 90 || props.rotationPeriod.toDays() > 2560) { throw new Error(`'rotationPeriod' value must between 90 and 2650 days. Received: ${props.rotationPeriod.toDays()}`); } + // If rotationPeriod is specified, enableKeyRotation is set to true by default + if (props.enableKeyRotation === undefined) { + this.enableKeyRotation = true; + } } const defaultKeyPoliciesFeatureEnabled = FeatureFlags.of(this).isEnabled(cxapi.KMS_DEFAULT_KEY_POLICIES); @@ -770,7 +777,7 @@ export class Key extends KeyBase { const resource = new CfnKey(this, 'Resource', { description: props.description, - enableKeyRotation: props.enableKeyRotation, + enableKeyRotation: this.enableKeyRotation, rotationPeriodInDays: props.rotationPeriod?.toDays(), enabled: props.enabled, keySpec: props.keySpec, diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 370edc10051f6..298a82730dc45 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts @@ -520,6 +520,18 @@ test('key with some options', () => { }); }); +test('set rotationPeriod without enabling enableKeyRotation', () => { + const stack = new cdk.Stack(); + new kms.Key(stack, 'MyKey', { + rotationPeriod: cdk.Duration.days(180), + }); + + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + EnableKeyRotation: true, + RotationPeriodInDays: 180, + }); +}); + test('setting pendingWindow value to not in allowed range will throw', () => { const stack = new cdk.Stack(); expect(() => new kms.Key(stack, 'MyKey', { enableKeyRotation: true, pendingWindow: cdk.Duration.days(6) }))