diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.assets.json new file mode 100644 index 0000000000000..d362330acdb20 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.5", + "files": { + "d9e986753b0d85d4019eeeb0bfa3943d6b3e1f7727b0ad62c1f97277cc0567ac": { + "source": { + "path": "KmsKeyMultiRegionStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "d9e986753b0d85d4019eeeb0bfa3943d6b3e1f7727b0ad62c1f97277cc0567ac.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.template.json new file mode 100644 index 0000000000000..d88e8944ac546 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/KmsKeyMultiRegionStack.template.json @@ -0,0 +1,74 @@ +{ + "Resources": { + "keyFEDD6EC0": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "MultiRegion": true + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/cdk.out new file mode 100644 index 0000000000000..bd5311dc372de --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.5"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/integ.json new file mode 100644 index 0000000000000..f7aae343362c5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.5", + "testCases": { + "kms-key-multi-region/DefaultTest": { + "stacks": [ + "KmsKeyMultiRegionStack" + ], + "assertionStack": "kms-key-multi-region/DefaultTest/DeployAssert", + "assertionStackName": "kmskeymultiregionDefaultTestDeployAssert5D62E49E" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets.json new file mode 100644 index 0000000000000..96989d02ba47d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.5", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "kmskeymultiregionDefaultTestDeployAssert5D62E49E.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/kmskeymultiregionDefaultTestDeployAssert5D62E49E.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/manifest.json new file mode 100644 index 0000000000000..7224a06794e6b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "36.0.5", + "artifacts": { + "KmsKeyMultiRegionStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "KmsKeyMultiRegionStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "KmsKeyMultiRegionStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "KmsKeyMultiRegionStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d9e986753b0d85d4019eeeb0bfa3943d6b3e1f7727b0ad62c1f97277cc0567ac.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "KmsKeyMultiRegionStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "KmsKeyMultiRegionStack.assets" + ], + "metadata": { + "/KmsKeyMultiRegionStack/key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "keyFEDD6EC0" + } + ], + "/KmsKeyMultiRegionStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/KmsKeyMultiRegionStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "KmsKeyMultiRegionStack" + }, + "kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "kmskeymultiregionDefaultTestDeployAssert5D62E49E": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "kmskeymultiregionDefaultTestDeployAssert5D62E49E.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "kmskeymultiregionDefaultTestDeployAssert5D62E49E.assets" + ], + "metadata": { + "/kms-key-multi-region/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/kms-key-multi-region/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "kms-key-multi-region/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/tree.json new file mode 100644 index 0000000000000..2788290326799 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.js.snapshot/tree.json @@ -0,0 +1,153 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "KmsKeyMultiRegionStack": { + "id": "KmsKeyMultiRegionStack", + "path": "KmsKeyMultiRegionStack", + "children": { + "key": { + "id": "key", + "path": "KmsKeyMultiRegionStack/key", + "children": { + "Resource": { + "id": "Resource", + "path": "KmsKeyMultiRegionStack/key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "multiRegion": true + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "KmsKeyMultiRegionStack/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "KmsKeyMultiRegionStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "kms-key-multi-region": { + "id": "kms-key-multi-region", + "path": "kms-key-multi-region", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "kms-key-multi-region/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "kms-key-multi-region/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "kms-key-multi-region/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "kms-key-multi-region/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "kms-key-multi-region/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.ts new file mode 100644 index 0000000000000..996c11faa2b87 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.key-multi-region.ts @@ -0,0 +1,19 @@ +import { App, Stack } from 'aws-cdk-lib'; +import * as kms from 'aws-cdk-lib/aws-kms'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +class KmsKeyMultiRegionStack extends Stack { + constructor(scope: App) { + super(scope, 'KmsKeyMultiRegionStack'); + new kms.Key(this, 'key', { + multiRegion: true, + }); + } +} + +const app = new App(); +const stack = new KmsKeyMultiRegionStack(app); + +new IntegTest(app, 'kms-key-multi-region', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-kms/README.md b/packages/aws-cdk-lib/aws-kms/README.md index 5bf8c6366087d..ae78310e96917 100644 --- a/packages/aws-cdk-lib/aws-kms/README.md +++ b/packages/aws-cdk-lib/aws-kms/README.md @@ -41,6 +41,15 @@ const key = new kms.Key(this, 'MyKey', { }); ``` + +Create a multi-Region primary key: + +```ts +const key = new kms.Key(this, 'MyKey', { + multiRegion: true, // Default is false +}); +``` + ## Sharing keys between stacks To use a KMS key in a different stack in the same CDK application, diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts index fec01eaade57d..7cdd14fc546e0 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/key.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts @@ -468,6 +468,20 @@ export interface KeyProps { */ readonly keyUsage?: KeyUsage; + /** + * Creates a multi-Region primary key that you can replicate in other AWS Regions. + * + * You can't change the `multiRegion` value after the KMS key is created. + * + * IMPORTANT: If you change the value of the `multiRegion` property on an existing KMS key, the update request fails, + * regardless of the value of the UpdateReplacePolicy attribute. + * This prevents you from accidentally deleting a KMS key by changing an immutable property value. + * + * @default false + * @see https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html + */ + readonly multiRegion?: boolean; + /** * Custom policy document to attach to the KMS key. * @@ -783,6 +797,7 @@ export class Key extends KeyBase { keySpec: props.keySpec, keyUsage: props.keyUsage, keyPolicy: this.policy, + multiRegion: props.multiRegion, pendingWindowInDays: pendingWindowInDays, }); diff --git a/packages/aws-cdk-lib/aws-kms/test/key.test.ts b/packages/aws-cdk-lib/aws-kms/test/key.test.ts index 298a82730dc45..14f2df628f0b1 100644 --- a/packages/aws-cdk-lib/aws-kms/test/key.test.ts +++ b/packages/aws-cdk-lib/aws-kms/test/key.test.ts @@ -646,6 +646,17 @@ test('fails if key policy has no IAM principals', () => { expect(() => app.synth()).toThrow(/A PolicyStatement used in a resource-based policy must specify at least one IAM principal/); }); +test('multi-region primary key', () => { + const stack = new cdk.Stack(); + new kms.Key(stack, 'MyKey', { + multiRegion: true, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + MultiRegion: true, + }); +}); + describe('imported keys', () => { test('throw an error when providing something that is not a valid key ARN', () => { const stack = new cdk.Stack();