From 304aac00e65539659c4251f8954ff9991dcd37ec Mon Sep 17 00:00:00 2001 From: Penny <991850+scub@users.noreply.github.com> Date: Wed, 24 Jan 2024 16:26:31 -0500 Subject: [PATCH] fix(aws-rds): addProxy can use kms encrypted secrets --- packages/aws-cdk-lib/aws-rds/lib/proxy.ts | 3 ++ .../aws-cdk-lib/aws-rds/test/proxy.test.ts | 46 +++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/packages/aws-cdk-lib/aws-rds/lib/proxy.ts b/packages/aws-cdk-lib/aws-rds/lib/proxy.ts index 1e66307be4406..107a189474b04 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/proxy.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/proxy.ts @@ -457,6 +457,9 @@ export class DatabaseProxy extends DatabaseProxyBase for (const secret of props.secrets) { secret.grantRead(role); + if (secret.encryptionKey !== undefined) { + secret.encryptionKey.grantDecrypt(role); + } } const securityGroups = props.securityGroups ?? [ diff --git a/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts b/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts index 6546164210972..0ebc8303a0a1e 100644 --- a/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts +++ b/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts @@ -1,6 +1,7 @@ import { Match, Template } from '../../assertions'; import * as ec2 from '../../aws-ec2'; import { AccountPrincipal, Role } from '../../aws-iam'; +import { Key } from '../../aws-kms'; import * as secretsmanager from '../../aws-secretsmanager'; import * as cdk from '../../core'; import * as cxapi from '../../cx-api'; @@ -371,6 +372,51 @@ describe('proxy', () => { }).toThrow(/When the Proxy contains multiple Secrets, you must pass a dbUser explicitly to grantConnect/); }); + test('new Proxy with kms encrypted Secrets has permissions to kms:Decrypt that secret using its key', () => { + // GIVEN + const cluster = new rds.DatabaseCluster(stack, 'Database', { + engine: rds.DatabaseClusterEngine.AURORA, + instanceProps: { vpc }, + }); + + const kmsKey = new Key(stack, 'Key'); + + const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey}); + + // WHEN + new rds.DatabaseProxy(stack, 'Proxy', { + proxyTarget: rds.ProxyTarget.fromCluster(cluster), + vpc, + secrets: [kmsEncryptedSecret], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + "Statement": [ + { + "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], + "Effect": "Allow", + "Resource": { + "Ref": "SecretA720EF05" + } + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + } + } + ] + }, + Roles: [ { "Ref": "ProxyIAMRole2FE8AB0F" } ] + }); + }); + test('DBProxyTargetGroup should have dependency on the proxy targets', () => { // GIVEN const cluster = new rds.DatabaseCluster(stack, 'cluster', {