-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(kms): key rotation period #29928
Conversation
* | ||
* @default - 365 days. | ||
*/ | ||
readonly rotationPeriod?: Duration; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've simply added rotationPeriod
properties to KeyProps
.
However, there are other possible implementation approaches, and I'm struggling to decide which one is best. Could I please get your opinions, reviewers?
- add rotationPeriod property (current implementation)
new kms.Key(this, 'MyKey', {
enableKeyRotation: true,
rotationPeriod: Duration.days(180), // Add
});
- deprecate
enableKeyRotation
and defineKeyRotation
property
export interface KeyRotation {
enableKeyRotation: boolean,
rotationPeriod?: Duration,
}
new kms.Key(this, 'MyKey', {
keyRotation: {
enableKeyRotation: true,
rotationPeriod: Duration.days(180), // optional
},
});
- deprecate
enableKeyRotation
and add onlyrotationPeriod
new kms.Key(this, 'MyKey', {
rotationPeriod: Duration.days(180), // Implicitly enable key rotation by defining this property
});
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the current implementation is that terrible. It probably wouldn't have been my first choice if enableKeyRotation
wasn't already there, but given the circumstances, you're not introducing a deprecation or breaking change, you're allowing the existing construct to customize its default value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nmussy Thank you for your opinion. I'm relieved to hear that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the implementation you chose @badmintoncryer, just with a small modification; if rotationPeriod
is defined and enableKeyRotation
is undefined
, let's set enableKeyRotation
to true
.
* | ||
* @default - 365 days. | ||
*/ | ||
readonly rotationPeriod?: Duration; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the implementation you chose @badmintoncryer, just with a small modification; if rotationPeriod
is defined and enableKeyRotation
is undefined
, let's set enableKeyRotation
to true
.
Co-authored-by: Calvin Combs <[email protected]>
@comcalvi |
@@ -518,12 +520,30 @@ test('key with some options', () => { | |||
}); | |||
}); | |||
|
|||
test('set rotationPeriod without enabling enableKeyRotation', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we also add a test with enableKeyRotation
explicitly set to true? Other than that this looks ready to ship.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this test covers that case.
const key = new kms.Key(stack, 'MyKey', {
enableKeyRotation: true,
enabled: false,
pendingWindow: cdk.Duration.days(7),
rotationPeriod: cdk.Duration.days(180),
});
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are correct, it does.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Issue # (if applicable)
Closes #29927.
Reason for this change
Cloudformation supports for configuring period of automatic key rotation but CDK does not.
Description of changes
Added
rotationPeriod
toKeyProps
.Description of how you validated changes
I've added both unit and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license