feat(appconfig): support customer managed key for hosted configuration

[mazyu36]

Issue # (if applicable)

N/A

Reason for this change

Missing property.

Description of changes

Add kmsKey property to AppConfig Hosted Configuration

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Add a unit test and an integ test.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

Thank you for your contribution! I've added only a nit comment.

[badmintoncryer]

@mazyu36 I'm curious that is it unnecessary to set a key policy for CMK?
In the documentation, there was an introduction to resource policy settings with some Role as a Principal, but I couldn't understand what role it was.

{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account_ID:role/role_name" // this
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
            ],
        "Resource": "*"
        }
 ]

[mazyu36]

@badmintoncryer
In my understanding, for roles that use Hosted Configuration with CMK, it is necessary to grant permission for the CMK in the key policy.

Hosted Configuration itself does not have roles.

[QuantumNeuralCoder]

What if props is undefined.

[mazyu36]

The kmsKeyIdentifier is set to undefined.
In that case, the configuration is encrypted by AWS Managed Key.

[QuantumNeuralCoder]

do we need to do this instead props?.kmsKey?.keyArn

[mazyu36]

I think this is not needed because props is required.

aws-cdk/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts

Line 442 in 29a0329

constructor(scope: Construct, id: string, props: HostedConfigurationProps) {

The other properties are same.

aws-cdk/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts

Line 462 in 29a0329

this.content = props.content.content;

[QuantumNeuralCoder]

Minor comment added above

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

Pull request has been modified.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

[mazyu36]

Exemption Request: I'm waiting for the maintainer's response.

[QuantumNeuralCoder]

Ship it. Thanks for your contribution.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 14bafa5
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.