Skip to content

fix(rds): allow cluster from snapshot to enable encrypted storage#19175

Merged
mergify[bot] merged 4 commits intoaws:masterfrom
relm923:relm/rds-cluster-encrypted-storage
Mar 2, 2022
Merged

fix(rds): allow cluster from snapshot to enable encrypted storage#19175
mergify[bot] merged 4 commits intoaws:masterfrom
relm923:relm/rds-cluster-encrypted-storage

Conversation

@relm923
Copy link
Copy Markdown
Contributor

@relm923 relm923 commented Feb 26, 2022

Closes #17241

Tested by:

// 1. Create original cluster with unencrypted storage
new DatabaseCluster(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});

// 2. Take snapshot of cluster (mySnapshot)

// 3. Create cluster from snapshot with encrypted storage
new DatabaseClusterFromSnapshot(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
  snapshotIdentifier: 'mySnapshot',
  storageEncryptionKey: new kms.Key(stack, 'Key'),
});

// 4. Verify new cluster has encrypted storage

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link
Copy Markdown

gitpod-io bot commented Feb 26, 2022

@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Feb 26, 2022
skinny85
skinny85 previously requested changes Mar 1, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @relm923, thanks for the contribution!

Two super minor comments on the test before we merge this in 🙂.

packages/@aws-cdk/aws-rds/test/cluster.test.ts Outdated
vpc,
},
snapshotIdentifier: 'mySnapshot',
storageEncryptionKey: new kms.Key(stack, 'Key'),
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using an imported Key in the test (Key.fromKeyArn())? I think that will make the test read nicer.

Copy link
Copy Markdown
Contributor Author

@relm923 relm923 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

packages/@aws-cdk/aws-rds/test/cluster.test.ts Outdated
'Key961B73FD',
'Arn',
],
},
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also assert here StorageEncryption is true?

Copy link
Copy Markdown
Contributor Author

@relm923 relm923 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@mergify mergify bot dismissed skinny85’s stale review March 1, 2022 19:47

Pull request has been modified.

skinny85
skinny85 reviewed Mar 1, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're almost there 🙂.

packages/@aws-cdk/aws-rds/test/cluster.test.ts Outdated
vpc,
},
snapshotIdentifier: 'mySnapshot',
storageEncryptionKey: kms.Key.fromKeyArn(stack, 'Key', 'KeyArn'),
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure you need an actual ARN here 😉. See here.

packages/@aws-cdk/aws-rds/test/cluster.test.ts Outdated
Comment on lines +1974 to +1977
'Fn::GetAtt': [
'Key961B73FD',
'Arn',
],
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure this assertions is now incorrect 🙂.

Copy link
Copy Markdown
Contributor Author

@relm923 relm923 Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦‍♂️ all fixed now

skinny85
skinny85 approved these changes Mar 2, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution @relm923!

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Mar 2, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Mar 2, 2022

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: d9cfc03
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit bd4141d into aws:master Mar 2, 2022
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Mar 2, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

TheRealAmazonKendra pushed a commit to TheRealAmazonKendra/aws-cdk that referenced this pull request Mar 11, 2022
@relm923 @TheRealAmazonKendra
fix(rds): allow cluster from snapshot to enable encrypted storage (aw…
3d853e1 
…s#19175)

Closes aws#17241

Tested by:
```typescript
// 1. Create original cluster with unencrypted storage
new DatabaseCluster(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});

// 2. Take snapshot of cluster (mySnapshot)

// 3. Create cluster from snapshot with encrypted storage
new DatabaseClusterFromSnapshot(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
  snapshotIdentifier: 'mySnapshot',
  storageEncryptionKey: new kms.Key(stack, 'Key'),
});

// 4. Verify new cluster has encrypted storage
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@skinny85 skinny85 skinny85 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@skinny85 skinny85

Labels

@aws-cdk/aws-rds Related to Amazon Relational Database

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(aws-rds): DatabaseClusterFromSnapshot construct should support storage encryption

3 participants

@relm923 @aws-cdk-automation @skinny85