fix(aws-rds): addProxy can use kms encrypted secrets

scub · scub · commit 304aac00e655 · 2024-01-24T16:26:31.000-05:00
diff --git a/packages/aws-cdk-lib/aws-rds/lib/proxy.ts b/packages/aws-cdk-lib/aws-rds/lib/proxy.ts
@@ -457,6 +457,9 @@ export class DatabaseProxy extends DatabaseProxyBase
 
     for (const secret of props.secrets) {
       secret.grantRead(role);
+      if (secret.encryptionKey !== undefined) {
+        secret.encryptionKey.grantDecrypt(role);
+      }
     }
 
     const securityGroups = props.securityGroups ?? [
diff --git a/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts b/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts
@@ -1,6 +1,7 @@
 import { Match, Template } from '../../assertions';
 import * as ec2 from '../../aws-ec2';
 import { AccountPrincipal, Role } from '../../aws-iam';
+import { Key } from '../../aws-kms';
 import * as secretsmanager from '../../aws-secretsmanager';
 import * as cdk from '../../core';
 import * as cxapi from '../../cx-api';
@@ -371,6 +372,51 @@ describe('proxy', () => {
     }).toThrow(/When the Proxy contains multiple Secrets, you must pass a dbUser explicitly to grantConnect/);
   });
 
+  test('new Proxy with kms encrypted Secrets has permissions to kms:Decrypt that secret using its key', () => {
+    // GIVEN
+    const cluster = new rds.DatabaseCluster(stack, 'Database', {
+      engine: rds.DatabaseClusterEngine.AURORA,
+      instanceProps: { vpc },
+    });
+
+    const kmsKey = new Key(stack, 'Key');
+
+    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey});
+
+    // WHEN
+    new rds.DatabaseProxy(stack, 'Proxy', {
+      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
+      vpc,
+      secrets: [kmsEncryptedSecret],
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        "Statement": [
+          {
+            "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ],
+            "Effect": "Allow",
+            "Resource": {
+              "Ref": "SecretA720EF05"
+            }
+          },
+          {
+            "Action": "kms:Decrypt",
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::GetAtt": [
+                "Key961B73FD",
+                "Arn"
+              ]
+            }
+          }
+        ]
+      },
+      Roles: [ { "Ref": "ProxyIAMRole2FE8AB0F" } ]
+    });
+  });
+
   test('DBProxyTargetGroup should have dependency on the proxy targets', () => {
     // GIVEN
     const cluster = new rds.DatabaseCluster(stack, 'cluster', {

Original file line number	Diff line number	Diff line change
`@@ -457,6 +457,9 @@ export class DatabaseProxy extends DatabaseProxyBase`
`457`	`457`
`458`	`458`	`for (const secret of props.secrets) {`
`459`	`459`	`secret.grantRead(role);`
	`460`	`+ if (secret.encryptionKey !== undefined) {`
	`461`	`+ secret.encryptionKey.grantDecrypt(role);`
	`462`	`+ }`
`460`	`463`	`}`
`461`	`464`
`462`	`465`	`const securityGroups = props.securityGroups ?? [`