aws-ecs: ManagedStorageConfiguration add option to provide KMS key to encrypt managed storage besides the fargate ephemeral storage #33380

@mMeijden

Description

Describe the feature

The current ManagedStorageConfiguration interface only supports the option to encrypt the Fargate ephemeral storage while the L1 construct has the option to also add the regular kmsKeyId to encrypt the managed storage.
L2 Cluster construct:

managedStorageConfiguration: {
  fargateEphemeralStorageKmsKey: kmsKey,
},

L1 CfnCluster:

// other properties omitted
managedStorageConfiguration: {
  fargateEphemeralStorageKmsKeyId: 'fargateEphemeralStorageKmsKeyId',
  kmsKeyId: 'kmsKeyId',
},
// other properties omitted

Desired outcome:
The L2 construct should have the option to provide the kmsKeyId property as well, to avoid using the CfnCluster construct.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.Cluster.html#managedstorageconfiguration
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.CfnCluster.ClusterConfigurationProperty.html

Use Case

There are two types of storage in ECS clusters that can be encrypted. The L2 construct only supports the ephemeral storage at this point.

As we are building opinionated constructs for our company, where enforcing encryption with KMS by default is one of them, I am currently unable to use the L2 construct for this.

Proposed Solution

Add kmsKeyId to the ManagedStorageConfiguration interface and the L2 construct.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.178.0

Environment details (OS name and version, etc.)

applies to all environments
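Until the L2 construct exposes kmsKeyId, a team enforcing "both storages encrypted" can at least catch the gap at synth time. The following is an added example, not code from the issue or from the CDK project: it walks the Resources of a synthesized CloudFormation template and reports every AWS::ECS::Cluster whose ManagedStorageConfiguration lacks either key. Property names follow the AWS::ECS::Cluster CloudFormation schema that the L1 CfnCluster properties above map onto (kmsKeyId -> KmsKeyId); the template and key ARNs are constructed placeholders.

```typescript
// Added example (not from the issue or the CDK project): synth-time check that an
// ECS cluster has a KMS key for BOTH managed storages, not only ephemeral storage.
// Property names follow the AWS::ECS::Cluster CloudFormation schema (assumption:
// the L1 camelCase props in the issue map onto these PascalCase names).

interface ManagedStorageConfiguration {
  KmsKeyId?: string;
  FargateEphemeralStorageKmsKeyId?: string;
}

interface CfnResource {
  Type: string;
  Properties?: { Configuration?: { ManagedStorageConfiguration?: ManagedStorageConfiguration } };
}

interface Template { Resources: { [logicalId: string]: CfnResource } }

interface Finding { logicalId: string; missing: string[] }

// One finding per AWS::ECS::Cluster that lacks a key for either storage type.
function findUnencryptedClusters(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId in template.Resources) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::ECS::Cluster") continue;
    const msc: ManagedStorageConfiguration =
      res.Properties?.Configuration?.ManagedStorageConfiguration ?? {};
    const missing: string[] = [];
    if (!msc.KmsKeyId) missing.push("KmsKeyId");
    if (!msc.FargateEphemeralStorageKmsKeyId) missing.push("FargateEphemeralStorageKmsKeyId");
    if (missing.length > 0) findings.push({ logicalId, missing });
  }
  return findings;
}

// Constructed sample template with placeholder key ARNs: "EphemeralOnly" is what the
// L2 Cluster in the issue can express today; "BothKeys" is the desired outcome.
const sampleTemplate: Template = {
  Resources: {
    EphemeralOnly: { Type: "AWS::ECS::Cluster", Properties: { Configuration: {
      ManagedStorageConfiguration: {
        FargateEphemeralStorageKmsKeyId: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER" } } } },
    BothKeys: { Type: "AWS::ECS::Cluster", Properties: { Configuration: {
      ManagedStorageConfiguration: {
        FargateEphemeralStorageKmsKeyId: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
        KmsKeyId: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER" } } } },
    Service: { Type: "AWS::ECS::Service" }, // non-cluster resources are ignored
  },
};

for (const f of findUnencryptedClusters(sampleTemplate)) {
  console.log(`${f.logicalId}: missing ${f.missing.join(", ")}`);
}
```

Run it against the JSON that `cdk synth` writes to cdk.out to fail a pipeline before a cluster without a managed-storage key is deployed.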

Labels

  • @aws-cdk/aws-ecs: Related to Amazon Elastic Container
  • effort/medium: Medium work item – several days of effort
  • feature-request: A feature should be added or improved.
  • p2
