feat(pipes-alpha): support for customer-managed KMS keys to encrypt pipe data

[badmintoncryer]

Issue # (if applicable)

Closes #31453

Reason for this change

AWS Pipes supports for encrypting data by customer managed KMS key instead of Amazon managed key.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.html

The L2 Pipe construct does not support this feature now.

Description of changes

• Add kmsKey prop to PipeProps

Describe any new or updated permissions being added

• Add KMS key policy which enables pipes to access to the key.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-key-policy.html#eb-encryption-key-policy-pipe

Description of how you validated changes

Add both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

Removed several unnecessary spaces.

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.21%. Comparing base (7ebb92c) to head (8ce477f).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33546   +/-   ##
=======================================
  Coverage   82.21%   82.21%           
=======================================
  Files         119      119           
  Lines        6876     6876           
  Branches     1162     1162           
=======================================
  Hits         5653     5653           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.21% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mazyu36]

Thanks for your contribution! I think it's mostly fine.
I've added one question.

Also, I previously opened an issue here: #31453.
Would it be possible to link this contribution to that issue?

[mazyu36]

Just a question—did it work correctly even without setting a key policy?

When I previously attempted to contribute to this, I encountered an error without a key policy, but I couldn't come up with a proper way to configure it and had to give up at the time.

It might have been my misunderstanding back then, or something might have changed with an update. If it worked fine, please just ignore this question.

Ref: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-key-policy.html#eb-encryption-key-policy-pipe

[badmintoncryer]

You are absolutely right.. I misunderstood that this implementation would be work fine. Thank you for your great suggestion.

How about adding the restriction that makes pipeName mandatory when kmsKey is provided?
This idea is not ideal, but it would provide the minimum feature that enables us to configure CMK for Pipes.

[mazyu36]

Thank you for confirming. So that's how it is...
I think your suggested solution is good.​​​​​​​​​​​​​​​​

Personally, I've been considering the following three options:

1. Make name mandatory when kmsKey is specified. This is the same as the suggestion you provided.
2. Instead of setting name to undefined when it's not specified, automatically generate it using Names.uniquid. However, I understand this would be a breaking change.
3. Configure kmsKey using a custom resource. I think this option is not ideal.

Based on the above, I believe option 1 or option 2 would be good, and I think option 1 would be better to avoid a breaking change.

[badmintoncryer]

I hadn't thought of option 2. I think implementing option 2 with a feature flag is also a good idea.
For now, I'll proceed with option 1. Of course, I'll also add integration testing to verify the functionality.

[badmintoncryer]

I've just noticed that the feature flag is not essential because this is alpha module..
I think the option 2 might be preferable for alpha module. I'll leave the decision to the maintainer.

[mazyu36]

I also think Options2 is smarter, but since the impact is significant, I'd like to wait for the maintainer's opinion.

[GavinZZ]

Thanks for the deep dive. I think Option 1 makes sense to me. Can you help me understand Option 2 + feature flag solution?
In my understanding, we can't create the policy without knowing the pipe name. If we add a feature flag, for new stacks, we will always create a default pipe name if not specified which would solve the issue. However, for existing stack (who did not enable this feature flag), we will still have the same issue right?

[badmintoncryer]

@GavinZZ

Thank you for the clarification.

However, for existing stack (who did not enable this feature flag), we will still have the same issue right?

You're absolutely right! When setting a CMK for stacks under an App where the function flag is not enabled, the pipeName cannot be obtained, resulting in the inability to set the correct key policy.

[GavinZZ]

Thanks for the quick response. Given the above discussion, I'll remove the do-not-merge label and let's go with the solution you had here. Thank you!

[badmintoncryer]

@mazyu36 Thank you for your nice review!! I've addressed your comments.

[mazyu36]

Thanks! LGTM

[GavinZZ]

Great, thank you!

[GavinZZ]

Thanks for the deep dive. I think Option 1 makes sense to me. Can you help me understand Option 2 + feature flag solution?
In my understanding, we can't create the policy without knowing the pipe name. If we add a feature flag, for new stacks, we will always create a default pipe name if not specified which would solve the issue. However, for existing stack (who did not enable this feature flag), we will still have the same issue right?

[GavinZZ]

Adding a do-not-merge flag for this thread #33546 (comment)

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8ce477f
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.