feat(codepipeline): change default value for crossAccountKeys to false (under feature flag)

packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -63,6 +63,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters](#aws-cdkaws-rdsauroraclusterchangescopeofinstanceparametergroupwitheachparameters) | When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change. | 2.97.0 | (fix) |
 | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) |
 | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) |
+| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) |
 
 <!-- END table -->
 
@@ -116,7 +117,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
     "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
-    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
   }
 }
 ```
@@ -1193,4 +1195,20 @@ However, with the activation of this feature flag, the default branch is updated
 | 2.103.1 | `false` | `true` |
 
 
+### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse
+
+*Enables Pipeline to set the default value for crossAccountKeys to false.* (default)
+
+If this is set, and a `crossAccountKeys` prop in a `Pipeline` construct is not passed to,
+the construct will set the default value of the prop to false.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.
+
+
 <!-- END details -->

packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts

@@ -153,7 +153,8 @@ export interface PipelineProps {
    * encrypted with an AWS-managed key). However, cross-account deployments will
    * no longer be possible.
    *
-   * @default true
+   * @default false - false if the feature flag CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE
+   * is true, true otherwise
    */
   readonly crossAccountKeys?: boolean;
 
@@ -386,8 +387,8 @@ export class Pipeline extends PipelineBase {
       throw new Error('Only one of artifactBucket and crossRegionReplicationBuckets can be specified!');
     }
 
-    // @deprecated(v2): switch to default false
-    this.crossAccountKeys = props.crossAccountKeys ?? true;
+    this.crossAccountKeys = props.crossAccountKeys
+      ?? (FeatureFlags.of(this).isEnabled(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE) ? false : true);
     this.enableKeyRotation = props.enableKeyRotation;
 
     // Cross account keys must be set for key rotation to be enabled

packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts

@@ -495,6 +495,49 @@ describe('', () => {
           'EnableKeyRotation': true,
         });
       });
+
+      test('crossAccountKeys as default value is set to false when feature flag is set', () => {
+        const app = new cdk.App();
+        app.node.setContext(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE, true);
+
+        const stack = new cdk.Stack(app, 'PipelineStack');
+        const sourceOutput = new codepipeline.Artifact();
+        new codepipeline.Pipeline(stack, 'Pipeline', {
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+            },
+            {
+              stageName: 'Build',
+              actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+            },
+          ],
+        });
+
+        Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 0);
+      });
+
+      test('crossAccountKeys as default value is set to true when feature flag is not set', () => {
+        const app = new cdk.App();
+
+        const stack = new cdk.Stack(app, 'PipelineStack');
+        const sourceOutput = new codepipeline.Artifact();
+        new codepipeline.Pipeline(stack, 'Pipeline', {
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+            },
+            {
+              stageName: 'Build',
+              actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+            },
+          ],
+        });
+
+        Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 1);
+      });
     });
   });
 

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -63,6 +63,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters](#aws-cdkaws-rdsauroraclusterchangescopeofinstanceparametergroupwitheachparameters) | When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change. | 2.97.0 | (fix) |
 | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) |
 | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) |
+| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) |
 
 <!-- END table -->
 
@@ -116,7 +117,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
     "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
-    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
   }
 }
 ```
@@ -1193,4 +1195,20 @@ However, with the activation of this feature flag, the default branch is updated
 | 2.103.1 | `false` | `true` |
 
 
+### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse
+
+*Enables Pipeline to set the default value for crossAccountKeys to false.* (default)
+
+If this is set, and a `crossAccountKeys` prop in a `Pipeline` construct is not passed to,
+the construct will set the default value of the prop to false.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.
+
+
 <!-- END details -->

packages/aws-cdk-lib/cx-api/README.md

@@ -241,3 +241,20 @@ _cdk.json_
   }
 }
 ```
+
+* `@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse`
+
+Enables Pipeline to set the default value for `crossAccountKeys` to false.
+
+If this is set, and a `crossAccountKeys` prop in a `Pipeline` construct is not passed to,
+the construct will set the default value of the prop to false.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
+  }
+}
+```

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -97,6 +97,7 @@ export const RDS_PREVENT_RENDERING_DEPRECATED_CREDENTIALS = '@aws-cdk/aws-rds:pr
 export const AURORA_CLUSTER_CHANGE_SCOPE_OF_INSTANCE_PARAMETER_GROUP_WITH_EACH_PARAMETERS = '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters';
 export const APPSYNC_ENABLE_USE_ARN_IDENTIFIER_SOURCE_API_ASSOCIATION = '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier';
 export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource';
+export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse';
 
 export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////
@@ -976,6 +977,19 @@ export const FLAGS: Record<string, FlagInfo> = {
     introducedIn: { v2: '2.103.1' },
     recommendedValue: true,
   },
+
+  //////////////////////////////////////////////////////////////////////
+  [CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE]: {
+    type: FlagType.ApiDefault,
+    summary: 'Enables Pipeline to set the default value for crossAccountKeys to false.',
+    detailsMd: `
+      If this is set, and a \`crossAccountKeys\` prop in a \`Pipeline\` construct is not passed to,
+      the construct will set the default value of the prop to false.
+    `,
+    introducedIn: { v2: 'V2NEXT' },
+    recommendedValue: true,
+    compatibilityWithOldBehaviorMd: 'Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.',
+  },
 };
 
 const CURRENT_MV = 'v2';