aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

AWS SNS CDK: Allow referencing managed KMS keys #31012

Open ll-michael opened 1 month ago

ll-michael commented 1 month ago

Describe the feature

The CDK does not support referencing AWS managed KMS keys associated with SNS topics that have EnforceSSL set to true. This diverges from CDK behavior with S3, which allows referencing encryption keys that are associated with buckets with KMS encryption enabled.

Use Case

I would like to reference AWS managed SNS keys associated with SNS topics in the CDK. This allows other CDK resources, such as IAM policies, to reference the KMS key.

Proposed Solution

Add a property to CDK SNS topics to return the AWS managed KMS key.

Other Information

No response

Acknowledgements

CDK version used

2.150.0

Environment details (OS name and version, etc.)

NA

ashishdhingra commented 1 month ago

@ll-michael Good morning. Thanks for opening the issue. If you refer to the construct props for Topic, it does support the masterKey property, which maps to the AWS::SNS::Topic KmsMasterKeyId property. Please check if this is the property you are looking for.

Thanks, Ashish

ll-michael commented 1 month ago

Hello Ashish,

While the S3 and SNS CDK both support passing IAM keys to construct an item, the SNS CDK does not support referencing an encryption/master key as part of its properties after creation.

This behavior diverges from the S3 CDK, which supports referencing an S3 encryption key property.

Is there an SNS CDK property that allows referencing IAM keys after creation?

Best, Michael

ashishdhingra commented 1 month ago

The feature should perhaps expose a public readonly property named masterKey in the Topic class.

Normally the L2 construct public properties are exposed based on the underlying return values specified in CloudFormation resource specification.

This feature needs to be discussed with the team.

@ll-michael Could you please elaborate on your use case for such a property, when the value for masterKey would have been defined in the constructor properties from some configuration and is already accessible?

ll-michael commented 1 month ago

The AWS CDK is an approximate superset of CloudFormation. While I am not familiar with the inner workings of the AWS CDK, I imagine it makes API calls to determine information, such as encryption keys, not included in the CloudFormation response.

Got it. The feature should perhaps expose a public readonly property named masterKey in the Topic class.

Yes, including a master key property in the CDK SNS construct is recommended.