aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

pipes: support Customer Managed Key for EventBridge pipes #31453

Open mazyu36 opened 2 months ago

mazyu36 commented 2 months ago

Describe the feature

Amazon EventBridge Pipes now supports customer managed KMS keys, but the L2 Construct (alpha module) does not support it.

Ref: https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-eventbridge-pipes-customer-managed-keys/

Use Case

When you want to use a Customer Managed Key to encrypt data.

Proposed Solution

Add a kmsKey property to the Pipe class.

Other Information

CloudFormation already supports it, but the L1 Construct does not yet.

I plan to implement the L2 Construct after the L1 Construct supports it.

Acknowledgements

CDK version used

all

Environment details (OS name and version, etc.)

all

pahud commented 2 months ago

Thank you @mazyu36 !

mazyu36 commented 1 month ago

I'm struggling with the implementation approach.

To minimize privileges in the CMK key policy, I need to set the Pipe ARN. However, since the pipe name is optional, the exact ARN won't be known until deployment if the name isn't specified.

Currently, the only solution I can think of is using a custom resource. If anyone knows a better method, please let me know.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-key-policy.html#eb-encryption-key-policy-pipe
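A worked version of the key-policy shape this comment is after, as an added example that is not part of the issue or of the aws-cdk code: with an explicit pipe name the pipe ARN is a plain string at synth time, so the CMK policy can be scoped to that one pipe without referencing the deployed resource; without a name there is no exact ARN to scope to. The ARN format, the `kms:EncryptionContext:aws:pipe:arn` condition key and the action list are assumptions taken from the linked AWS documentation rather than from this issue.

```typescript
// Added example, not aws-cdk code. Builds the least-privilege KMS key policy
// statement for one EventBridge pipe. Assumed ARN format:
//   arn:<partition>:pipes:<region>:<account>:pipe/<name>
// Assumed condition key and actions: see the AWS docs linked in the comment.

interface PipeKeyPolicyInput {
  partition?: string; // defaults to "aws"
  region: string;
  account: string;
  pipeName?: string;  // optional, mirroring the L2 Pipe construct
}

// Returns the exact pipe ARN, or undefined when the name is left to
// CloudFormation: in that case the ARN is unknown until deployment.
function pipeArn(input: PipeKeyPolicyInput): string | undefined {
  if (!input.pipeName) {
    return undefined;
  }
  const partition = input.partition ?? "aws";
  return `arn:${partition}:pipes:${input.region}:${input.account}:pipe/${input.pipeName}`;
}

// Key policy statement granting the Pipes service principal use of the key
// only on behalf of this one pipe ARN and this one account.
function pipeKeyPolicyStatement(input: PipeKeyPolicyInput): Record<string, unknown> {
  const arn = pipeArn(input);
  if (arn === undefined) {
    throw new Error("pipeName is required to scope the key policy to a single pipe ARN");
  }
  return {
    Sid: "AllowPipeToUseKey",
    Effect: "Allow",
    Principal: { Service: "pipes.amazonaws.com" },
    Action: ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"], // assumed action set
    Resource: "*",
    Condition: {
      StringEquals: {
        "kms:EncryptionContext:aws:pipe:arn": arn, // assumed condition key
        "aws:SourceAccount": input.account,
      },
    },
  };
}
```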