LG-10222 Retire old MultiRegionKmsClient#8696
Conversation
We implemented a version of a multi-region KMS client. It was intended to encrypt across multiple regions so that if a region was unavailable a ciphertext could be decrypted in a different region. This code was never enabled due to complications with configuring the KMS clients. Since this implementation was put together AWS has released KMS instances that are multi-region. This means we no longer need to use this approach to encrypt/decrypt across regions. As a result, this code can be removed. [skip changelog]
zachmargolis
left a comment
zachmargolis
left a comment
There was a problem hiding this comment.
the diff is a little funky on this, just to confirm, this is basically taking encrypt_legacy from the MultiRegionKmsClient and promoting that to be the default/only implementation?
That is correct. The one change here that is a little different is how the connection pool is managed. The connection pools look like they were added after the multi-region change. This gets rid of the hash of pools by region and switches to a single pool for the current region. If you want to give that some extra attention I'd appreciate it! |
I think it looks good! The connection pools as constants can sometimes contribute to test pollution (since the stubs outlive the specs associated with them), I would port over the stub_const(
'Encryption::MultiRegionKmsClient::KMS_REGION_CLIENT_POOL',
Hash.new do |h, region|
h[region] = FakeConnectionPool.new { Aws::KMS::Client.new(region: region) }
end,
)(but simplify it to be single region) |
|
good catch, I just pushed a commit to make the |
jmhooper
changed the title
3 participants
We implemented a version of a multi-region KMS client. It was intended to encrypt across multiple regions so that if a region was unavailable a ciphertext could be decrypted in a different region. This code was never enabled due to complications with configuring the KMS clients.
Since this implementation was put together AWS has released KMS instances that are multi-region. This means we no longer need to use this approach to encrypt/decrypt across regions. As a result, this code can be removed.