From 2ed6ee105cebb3820f9d83ea8a44910f68252afd Mon Sep 17 00:00:00 2001 From: maz Date: Mon, 27 May 2024 22:06:50 +0900 Subject: [PATCH 1/2] feat: add kmsKey property for the AppRunenr Service class --- .../@aws-cdk/aws-apprunner-alpha/README.md | 21 +- .../aws-apprunner-alpha/lib/service.ts | 13 +- ...efaultTestDeployAssert21640739.assets.json | 19 ++ ...aultTestDeployAssert21640739.template.json | 36 +++ .../cdk.out | 1 + .../integ-apprunner-encryption.assets.json | 19 ++ .../integ-apprunner-encryption.template.json | 146 ++++++++++ .../integ.json | 12 + .../manifest.json | 131 +++++++++ .../tree.json | 259 ++++++++++++++++++ .../test/integ.service-encryption.ts | 30 ++ .../aws-apprunner-alpha/test/service.test.ts | 25 ++ 12 files changed, 709 insertions(+), 3 deletions(-) create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.assets.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.template.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/tree.json create mode 100644 packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.ts 
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/README.md b/packages/@aws-cdk/aws-apprunner-alpha/README.md index 1cc9363c8c139..9a1ef6165ced4 100644 --- a/packages/@aws-cdk/aws-apprunner-alpha/README.md +++ b/packages/@aws-cdk/aws-apprunner-alpha/README.md @@ -32,7 +32,7 @@ The `Service` construct allows you to create AWS App Runner services with `ECR P - `Source.fromEcr()` - To define the source repository from `ECR`. - `Source.fromEcrPublic()` - To define the source repository from `ECR Public`. - `Source.fromGitHub()` - To define the source repository from the `Github repository`. -- `Source.fromAsset()` - To define the source from local asset directory. +- `Source.fromAsset()` - To define the source from local asset directory. The `Service` construct implements `IGrantable`. @@ -183,7 +183,7 @@ new apprunner.Service(this, 'Service', { ## Secrets Manager To include environment variables integrated with AWS Secrets Manager, use the `environmentSecrets` attribute. -You can use the `addSecret` method from the App Runner `Service` class to include secrets from outside the +You can use the `addSecret` method from the App Runner `Service` class to include secrets from outside the service definition. ```ts @@ -216,6 +216,23 @@ const service = new apprunner.Service(stack, 'Service', { service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field')); ``` +## Use a customer managed key +To use a customer managed key for your source encryption, use the `kmsKey` attribute. + +```ts +import * as kms from 'aws-cdk-lib/aws-kms'; + +declare const kmsKey: kms.IKey; + +new apprunner.Service(this, 'Service', { + source: apprunner.Source.fromEcrPublic({ + imageConfiguration: { port: 8000 }, + imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest', + }), + kmsKey, +}); +``` + ## HealthCheck To configure the health check for the service, use the `healthCheck` attribute. 
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
index 9564bbae18cf3..c66fb75d850bf 100644
--- a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
+++ b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
@@ -1,6 +1,7 @@
 import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as assets from 'aws-cdk-lib/aws-ecr-assets';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as cdk from 'aws-cdk-lib/core';
@@ -79,7 +80,7 @@ export class Cpu {
    *
    * @param unit The unit of CPU.
    */
-  private constructor(public readonly unit: string) {}
+  private constructor(public readonly unit: string) { }
 }
 
 /**
@@ -715,6 +716,13 @@ export interface ServiceProps {
    * @default - no health check configuration
    */
   readonly healthCheck?: HealthCheck;
+
+  /**
+   * The customer managed key that AWS App Runner uses to encrypt copies of the source repository and service logs.
+   *
+   * @default - Use an AWS managed key
+   */
+  readonly kmsKey?: kms.IKey;
 }
 
 /**
@@ -1239,6 +1247,9 @@ export class Service extends cdk.Resource implements iam.IGrantable {
           this.renderCodeConfiguration(this.source.codeRepository!.codeConfiguration.configurationValues!) :
           undefined,
       },
+      encryptionConfiguration: this.props.kmsKey ? {
+        kmsKey: this.props.kmsKey.keyArn,
+      } : undefined,
       networkConfiguration: {
         egressConfiguration: {
           egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json
new file mode 100644
index 0000000000000..770a0d82991ff
--- /dev/null
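Review bot: The `{}` → `{ }` edit to `Cpu`'s private constructor is an unrelated formatting change that has nothing to do with the kmsKey feature and will show up as noise in blame. It should be dropped from this patch so the diff only touches the lines the feature needs, i.e. keep `private constructor(public readonly unit: string) {}` as it was. The `Cpu` class itself starts and ends outside this hunk.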
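Review bot: The new `kmsKey` doc comment says nothing about who must be allowed to use the key, yet the render hunk only passes `this.props.kmsKey.keyArn` and nothing in this patch adds a grant or key-policy statement for the App Runner service, so a caller handing over a key with a restrictive policy finds out only at deployment. I would extend the property doc with a caveat such as `This construct does not grant any principal access to the key; the key policy must allow the App Runner service to use it (see the App Runner encryption-at-rest documentation).` — whether App Runner needs an explicit key-policy statement should be confirmed against the service docs before wording it as a hard requirement. The `@default - Use an AWS managed key` line is also worth checking against the documented default, since "AWS managed" and "AWS owned" keys are different things for audit purposes and I cannot tell from the patch which one App Runner applies. The `ServiceProps` interface and the `Service` constructor body both extend beyond these hunks.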
+++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.assets.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.assets.json new file mode 100644 index 0000000000000..3cb0c96545ab8 --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "0fe6f95cda1a644231803b5acf00b70af151133660b969f529838e037d6ffcfd": { + "source": { + "path": "integ-apprunner-encryption.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "0fe6f95cda1a644231803b5acf00b70af151133660b969f529838e037d6ffcfd.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.template.json new file mode 100644 index 0000000000000..a66370cbe1fc5 --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ-apprunner-encryption.template.json 
@@ -0,0 +1,146 @@ +{ + "Resources": { + "Key961B73FD": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ServiceInstanceRoleDFA90CEC": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "tasks.apprunner.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ServiceDBC79909": { + "Type": "AWS::AppRunner::Service", + "Properties": { + "EncryptionConfiguration": { + "KmsKey": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + } + }, + "InstanceConfiguration": { + "InstanceRoleArn": { + "Fn::GetAtt": [ + "ServiceInstanceRoleDFA90CEC", + "Arn" + ] + } + }, + "NetworkConfiguration": { + "EgressConfiguration": { + "EgressType": "DEFAULT" + } + }, + "ServiceName": "service", + "SourceConfiguration": { + "AuthenticationConfiguration": {}, + "AutoDeploymentsEnabled": false, + "ImageRepository": { + "ImageConfiguration": { + "Port": "8000" + }, + "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", + "ImageRepositoryType": "ECR_PUBLIC" + } + } + } + } + }, + "Outputs": { + "URL": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Fn::GetAtt": [ + "ServiceDBC79909", + "ServiceUrl" + ] + } + ] + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ.json new file mode 100644 index 0000000000000..5163e80181b81 --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "AppRunnerEncryption/DefaultTest": { + "stacks": [ + "integ-apprunner-encryption" + ], + "assertionStack": "AppRunnerEncryption/DefaultTest/DeployAssert", + "assertionStackName": "AppRunnerEncryptionDefaultTestDeployAssert21640739" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/manifest.json new file mode 100644 index 0000000000000..2de3a0a6da66d --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/manifest.json 
@@ -0,0 +1,131 @@ +{ + "version": "36.0.0", + "artifacts": { + "integ-apprunner-encryption.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-apprunner-encryption.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-apprunner-encryption": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-apprunner-encryption.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0fe6f95cda1a644231803b5acf00b70af151133660b969f529838e037d6ffcfd.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-apprunner-encryption.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-apprunner-encryption.assets" + ], + "metadata": { + "/integ-apprunner-encryption/Key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Key961B73FD" + } + ], + "/integ-apprunner-encryption/Service/InstanceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ServiceInstanceRoleDFA90CEC" + } + ], + "/integ-apprunner-encryption/Service/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ServiceDBC79909" + } + ], + "/integ-apprunner-encryption/URL": [ + { 
+ "type": "aws:cdk:logicalId", + "data": "URL" + } + ], + "/integ-apprunner-encryption/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-apprunner-encryption/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-apprunner-encryption" + }, + "AppRunnerEncryptionDefaultTestDeployAssert21640739.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "AppRunnerEncryptionDefaultTestDeployAssert21640739": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "AppRunnerEncryptionDefaultTestDeployAssert21640739.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "AppRunnerEncryptionDefaultTestDeployAssert21640739.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "AppRunnerEncryptionDefaultTestDeployAssert21640739.assets" 
+ ], + "metadata": { + "/AppRunnerEncryption/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/AppRunnerEncryption/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "AppRunnerEncryption/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/tree.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/tree.json new file mode 100644 index 0000000000000..1cf14daae78a6 --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/tree.json 
@@ -0,0 +1,259 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-apprunner-encryption": { + "id": "integ-apprunner-encryption", + "path": "integ-apprunner-encryption", + "children": { + "Key": { + "id": "Key", + "path": "integ-apprunner-encryption/Key", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-apprunner-encryption/Key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "Service": { + "id": "Service", + "path": "integ-apprunner-encryption/Service", + "children": { + "InstanceRole": { + "id": "InstanceRole", + "path": "integ-apprunner-encryption/Service/InstanceRole", + "children": { + "ImportInstanceRole": { + "id": "ImportInstanceRole", + "path": "integ-apprunner-encryption/Service/InstanceRole/ImportInstanceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-apprunner-encryption/Service/InstanceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "tasks.apprunner.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + 
"fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-apprunner-encryption/Service/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::AppRunner::Service", + "aws:cdk:cloudformation:props": { + "encryptionConfiguration": { + "kmsKey": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + } + }, + "instanceConfiguration": { + "instanceRoleArn": { + "Fn::GetAtt": [ + "ServiceInstanceRoleDFA90CEC", + "Arn" + ] + } + }, + "networkConfiguration": { + "egressConfiguration": { + "egressType": "DEFAULT" + } + }, + "serviceName": "service", + "sourceConfiguration": { + "authenticationConfiguration": {}, + "autoDeploymentsEnabled": false, + "imageRepository": { + "imageConfiguration": { + "port": "8000" + }, + "imageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", + "imageRepositoryType": "ECR_PUBLIC" + } + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apprunner.CfnService", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "URL": { + "id": "URL", + "path": "integ-apprunner-encryption/URL", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-apprunner-encryption/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-apprunner-encryption/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "AppRunnerEncryption": { + "id": "AppRunnerEncryption", + "path": "AppRunnerEncryption", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "AppRunnerEncryption/DefaultTest", + "children": { + "Default": { + "id": "Default", + 
"path": "AppRunnerEncryption/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "AppRunnerEncryption/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "AppRunnerEncryption/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "AppRunnerEncryption/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.ts b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.ts new file mode 100644 index 0000000000000..17149a4b5fbd2 --- /dev/null +++ b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.ts 
@@ -0,0 +1,30 @@
+import * as cdk from 'aws-cdk-lib';
+import { Service, Source } from '../lib';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'integ-apprunner-encryption');
+
+const key = new kms.Key(stack, 'Key', { removalPolicy: cdk.RemovalPolicy.DESTROY });
+
+const service = new Service(stack, 'Service', {
+  serviceName: 'service',
+  source: Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  autoDeploymentsEnabled: false,
+  kmsKey: key,
+});
+
+new cdk.CfnOutput(stack, 'URL', { value: `https://${service.serviceUrl}` });
+
+new integ.IntegTest(app, 'AppRunnerEncryption', {
+  testCases: [stack],
+});
+
+app.synth();
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts b/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
index d4ef80d552bd1..389c36de9c7b5 100644
--- a/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
+++ b/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
@@ -3,6 +3,7 @@ import { Match, Template } from 'aws-cdk-lib/assertions';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
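Review bot: The key created at `new kms.Key(stack, 'Key', { removalPolicy: cdk.RemovalPolicy.DESTROY })` keeps the default key policy — the snapshot template shows only the account-root `kms:*` statement — and nothing grants the App Runner service use of it, so if App Runner requires explicit key-policy access for a customer managed key this stack would deploy a service that never becomes healthy rather than demonstrate the feature. The test also asserts nothing after synthesis, so a failed or degraded service would not be noticed; an assertion on the deployed service's status, or at minimum a comment stating that the default key policy is known to be sufficient, would make the test meaningful. A style point: the local `'../lib'` import sits between third-party imports, which the repo's import-order lint is likely to flag (hedged — I can't see the lint config here); moving it after `'@aws-cdk/integ-tests-alpha'` avoids that.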
@@ -1579,4 +1580,28 @@ test('timeout must be less than or equal to 20 in healthCheck', () => {
       }),
     });
   }).toThrow('timeout must be between 1 and 20 seconds, got 21');
+});
+
+test('create a service with a customer managed key)', () => {
+  // GIVEN
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'demo-stack');
+  const key = new kms.Key(stack, 'Key');
+
+  // WHEN
+  new apprunner.Service(stack, 'DemoService', {
+    source: apprunner.Source.fromEcrPublic({
+      imageConfiguration: { port: 8000 },
+      imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+    }),
+    kmsKey: key,
+  });
+
+  // THEN
+  // we should have the service
+  Template.fromStack(stack).hasResourceProperties('AWS::AppRunner::Service', {
+    EncryptionConfiguration: {
+      KmsKey: stack.resolve(key.keyArn),
+    },
+  });
 });
\ No newline at end of file

From 4923b117e1f64d65735feddb2a31eb80077eb77c Mon Sep 17 00:00:00 2001
From: maz
Date: Mon, 27 May 2024 22:37:27 +0900
Subject: [PATCH 2/2] fix: README

---
 packages/@aws-cdk/aws-apprunner-alpha/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/@aws-cdk/aws-apprunner-alpha/README.md b/packages/@aws-cdk/aws-apprunner-alpha/README.md
index 9a1ef6165ced4..22c95ccdf2b23 100644
--- a/packages/@aws-cdk/aws-apprunner-alpha/README.md
+++ b/packages/@aws-cdk/aws-apprunner-alpha/README.md
@@ -217,6 +217,7 @@ service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'f
 ```
 
 ## Use a customer managed key
+
 To use a customer managed key for your source encryption, use the `kmsKey` attribute.
 
 ```ts
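Review bot: `import * as kms from 'aws-cdk-lib/aws-kms';` is inserted between `ecr_assets` and `iam`, breaking the alphabetical order the surrounding import lines follow, whereas the same import in `lib/service.ts` in this patch is correctly placed after `aws-iam`. Move it one line down so the block reads `import * as iam from 'aws-cdk-lib/aws-iam';` followed by `import * as kms from 'aws-cdk-lib/aws-kms';`. The import block continues outside this hunk.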
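Review bot: The test title `'create a service with a customer managed key)'` has a stray closing parenthesis; rename it to `'create a service with a customer managed key'`. The test also only pins the positive branch of `encryptionConfiguration: this.props.kmsKey ? {...} : undefined`; a companion test that omits `kmsKey` and asserts `EncryptionConfiguration: Match.absent()` (with `Match` already imported in this file) would cover the `undefined` branch and catch a regression that starts emitting an empty block. The `// we should have the service` comment does not describe what is asserted and should say `// the service must reference the customer managed key`.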