Support encryption key in an ArtifactStore of CodePipeline when bucket is imported #3138

@kadishmal

Description

  • CDK CLI Version: 0.36.0
  • Module Version: 0.26.0
  • OS: macOS 0.13.6
  • Language: TypeScript

Currently it is not possible to set encryption key for an ArtifactStore of CodePipeline based on an imported S3 bucket. This is required for cross account code pipeline setup. For instance:

// Imports for the CDK version reported above (0.36.0 package names).
import { Bucket } from '@aws-cdk/aws-s3';
import { Pipeline } from '@aws-cdk/aws-codepipeline';

// The bucket is created in the same account but a different stack prior to this current stack.
// The S3 bucket has encryption enabled with a custom KMS key created in that same stack.
const bucket = Bucket.fromBucketName(this, 'ArtifactBucket', S3BucketName);

// The pipeline is being created in the second stack in the same account.
const pipeline = new Pipeline(this, 'code-pipeline', {
  artifactBucket: bucket,
  stages: [
     pipelineSourceStage,
     pipelineBuildStage
  ]
});

This generates the following CFN template.

  codepipeline5D0077E6:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn:
        Fn::GetAtt:
          - codepipelineRole2DBF2AC8
          - Arn
      Stages:
        - Actions:
            - ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: "1"
              Configuration:
                RepositoryName: web
                BranchName: master
                PollForSourceChanges: false
              InputArtifacts: []
              Name: CodeCommit
              OutputArtifacts:
                - Name: SourceArtifact
              RoleArn: arn:aws:iam::123456789101:role/ToolsAcctCodePipelineCodeCommitRole
              RunOrder: 1
          Name: Source
        - Actions:
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: codebuild2BA0470D
              InputArtifacts:
                - Name: SourceArtifact
              Name: CodeBuild
              OutputArtifacts: []
              RunOrder: 1
          Name: Build
      ArtifactStore:
        Location: artifactbucket
        Type: S3
    DependsOn:
      - codepipelineRoleDefaultPolicyAAA5ADDF
      - codepipelineRole2DBF2AC8
    Metadata:
      aws:cdk:path: ToolsCodePipelineStack/code-pipeline/Resource

Note that ArtifactStore doesn't have any encryption related properties.

CDK should be able to detect automatically (or at least provide an option so that developers can indicate) that a bucket has default encryption set which uses a custom KMS key.

The ideal definition for the second stack should have the following instead:

"ArtifactStore": {
  "Type": "S3",
  "Location": {
    "Ref": "S3Bucket"
  },
  "EncryptionKey": {
    "Id": {
      "Ref": "CMKARN"
    },
    "Type": "KMS"
  }
}
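As an added illustration, not code from the issue or from the CDK project, the following TypeScript sketches the rendering logic the request asks for: an ArtifactStore block that carries an EncryptionKey whenever the imported bucket's attributes include a KMS key ARN, and that refuses to synthesize a cross-account pipeline when no such key is known. The type names, the `crossAccount` option and the sample ARN are assumptions.

```typescript
// Added illustration, not aws-cdk code: render a CodePipeline ArtifactStore
// from an imported bucket's attributes, emitting EncryptionKey when the bucket
// is known to be encrypted with a customer-managed KMS key.

// Hypothetical stand-in for the attributes of an imported bucket.
interface ImportedBucketAttrs {
  bucketName: string;
  // ARN of the KMS key the bucket's default encryption uses, if known.
  encryptionKeyArn?: string;
}

// Shape of the ArtifactStore property of AWS::CodePipeline::Pipeline.
interface ArtifactStore {
  Type: 'S3';
  Location: string;
  EncryptionKey?: { Id: string; Type: 'KMS' };
}

// Accept key and alias ARNs only; a bare key id does not resolve from another account.
const KMS_KEY_ARN = /^arn:aws:kms:[a-z0-9-]+:\d{12}:(key|alias)\/.+$/;

function renderArtifactStore(
  bucket: ImportedBucketAttrs,
  opts: { crossAccount?: boolean } = {},
): ArtifactStore {
  const store: ArtifactStore = { Type: 'S3', Location: bucket.bucketName };
  if (bucket.encryptionKeyArn === undefined) {
    // Without a key the pipeline falls back to the AWS-managed S3 key, which a
    // second account cannot use, so fail early instead of synthesizing a broken pipeline.
    if (opts.crossAccount) {
      throw new Error(`bucket ${bucket.bucketName}: cross-account pipelines need a customer-managed KMS key`);
    }
    return store;
  }
  if (!KMS_KEY_ARN.test(bucket.encryptionKeyArn)) {
    throw new Error(`bucket ${bucket.bucketName}: encryptionKeyArn is not a KMS key or alias ARN`);
  }
  store.EncryptionKey = { Id: bucket.encryptionKeyArn, Type: 'KMS' };
  return store;
}

// Constructed sample values (not taken from the issue).
const artifactBucket: ImportedBucketAttrs = {
  bucketName: 'artifactbucket',
  encryptionKeyArn: 'arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000',
};

console.log(JSON.stringify(renderArtifactStore(artifactBucket, { crossAccount: true }), null, 2));
```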
