feat(aws-ecr): support encryptionConfiguration for repository

aws · Jul 15, 2021 · b49501f · b49501f
1 parent 718d143
commit b49501f
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-ecr/lib/repository.ts b/packages/@aws-cdk/aws-ecr/lib/repository.ts
@@ -362,6 +362,14 @@ export interface RepositoryProps {
    *  @default TagMutability.MUTABLE
    */
   readonly imageTagMutability?: TagMutability;
+
+  /**
+   * The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
+   *
+   * @default server side encryption with AES256 algorithm
+   */
+  readonly encryptionConfiguration?: EncryptionConfigurationProperty;
+
 }
 
 export interface RepositoryAttributes {
@@ -488,6 +496,7 @@ export class Repository extends RepositoryBase {
         scanOnPush: true,
       },
       imageTagMutability: props.imageTagMutability || undefined,
+      encryptionConfiguration: props.encryptionConfiguration || undefined,
     });
 
     resource.applyRemovalPolicy(props.removalPolicy);
@@ -662,3 +671,35 @@ export enum TagMutability {
   IMMUTABLE = 'IMMUTABLE',
 
 }
+
+/**
+ * The encryption type for your repository.
+ */
+export enum EncryptionType {
+  /**
+   * AES256 encryption type.
+   */
+  AES256 = 'AES256',
+
+  /**
+   * KMS encryption type.
+   */
+  KMS = 'KMS'
+}
+
+/**
+ * The encryption configuration setting for your repository.
+ */
+export interface EncryptionConfigurationProperty {
+  /**
+   * The encryption type to use.
+   */
+  readonly encryptionType: EncryptionType;
+
+  /**
+   * The CMK to use for encryption, if encryption type is KMS else ignored.
+   *
+   * @default - AWS managed CMK for Amazon ECR will be used.
+   */
+  readonly kmsKey?: string;
+}
diff --git a/packages/@aws-cdk/aws-ecr/test/repository.test.ts b/packages/@aws-cdk/aws-ecr/test/repository.test.ts
@@ -329,7 +329,22 @@ describe('repository', () => {
     // THEN
     expect(() => app.synth()).toThrow(/A PolicyStatement used in a resource-based policy must specify at least one IAM principal/);
   });
-
+  test('repository with encryptionConfiguration', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    // WHEN
+    new ecr.Repository(stack, 'Repo', {
+      'encryptionConfiguration': {
+        'encryptionType': ecr.EncryptionType.AES256,
+      },
+    });
+    // THEN
+    expectCDK(stack).to(haveResource('AWS::ECR::Repository', {
+      'EncryptionConfiguration': {
+        'EncryptionType': ecr.EncryptionType.AES256,
+      },
+    }));
+  });
   describe('events', () => {
     test('onImagePushed without imageTag creates the correct event', () => {
       const stack = new cdk.Stack();