Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(secretsmanager): Secret requires KMS key for some same-account access #17812

Merged
merged 2 commits into from
Jan 18, 2022
Merged

fix(secretsmanager): Secret requires KMS key for some same-account access #17812

merged 2 commits into from
Jan 18, 2022

Conversation

kaiz-io
Copy link
Contributor

@kaiz-io kaiz-io commented Dec 2, 2021
edited
Loading

Fix for #15450 Previous code did not check if the account IDs were the different. This checks if CDK is able to resolve the account ids and they are different then fail otherwise let the user create a secret.

FYI first PR. Let me know if there is something that I missed.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Dec 2, 2021

@github-actions github-actions bot added the @aws-cdk/aws-kms Related to AWS Key Management label Dec 2, 2021
@mergify
Copy link
Contributor

mergify bot commented Dec 2, 2021

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@kaiz-io kaiz-io changed the title fix(secrets) fix cross account logic requiring KMS key fix(secrets): fix cross account logic requiring KMS key Dec 3, 2021
@kaiz-io kaiz-io changed the title fix(secrets): fix cross account logic requiring KMS key fix(secrets): fix SecretsManager cross account logic requiring KMS key Dec 3, 2021
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Dec 3, 2021
@kaiz-io kaiz-io force-pushed the awsmikek/secretsmanager branch 2 times, most recently from 21b1ec5 to be003aa Compare December 11, 2021 20:29
njlynch
njlynch previously requested changes Dec 29, 2021
View reviewed changes
Copy link
Contributor

@njlynch njlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, @kaizio !

The change itself looks good -- I think -- however, there are quite a bit of unintentional formatting changes that make it unclear what exactly has changed. Can you please clean up the diff so only the new/changed lines are present?

@mergify mergify bot dismissed njlynch’s stale review December 30, 2021 16:58

Pull request has been modified.

@kaiz-io kaiz-io force-pushed the awsmikek/secretsmanager branch from e1a5cdb to 8407187 Compare December 30, 2021 17:14
@kaiz-io
Copy link
Contributor Author

kaiz-io commented Dec 30, 2021

Got it fixed @njlynch Thanks. Had a bad merge trying to bring some upstream changes in.

njlynch
njlynch previously requested changes Jan 4, 2022
View reviewed changes
Copy link
Contributor

@njlynch njlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I thought there was at least one test before though. Then again, that might have just be odd formatting. Can you please add a test for this new behavior?

@kaiz-io kaiz-io force-pushed the awsmikek/secretsmanager branch from 8407187 to bdbd12e Compare January 6, 2022 01:36
@mergify mergify bot dismissed njlynch’s stale review January 6, 2022 01:36

Pull request has been modified.

@kaiz-io kaiz-io force-pushed the awsmikek/secretsmanager branch from bdbd12e to e54ace3 Compare January 9, 2022 15:02
@kaiz-io kaiz-io force-pushed the awsmikek/secretsmanager branch from e54ace3 to 3603de0 Compare January 9, 2022 15:08
@kaiz-io
Copy link
Contributor Author

kaiz-io commented Jan 10, 2022

Added two test and renamed the one that was there before. I am testing for grant read without any KMS and one where I am using a different account. Is the way that I am overwriting the "stack" correct? Hard to find an example with search.

njlynch
njlynch approved these changes Jan 18, 2022
View reviewed changes
Copy link
Contributor

@njlynch njlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@njlynch njlynch changed the title fix(secrets): fix SecretsManager cross account logic requiring KMS key fix(secretsmanager): Secret requires KMS key for some same-account access Jan 18, 2022
@mergify
Copy link
Contributor

mergify bot commented Jan 18, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: dad2f9a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 91f3539 into aws:master Jan 18, 2022
@mergify
Copy link
Contributor

mergify bot commented Jan 18, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@kaiz-io kaiz-io deleted the awsmikek/secretsmanager branch February 2, 2022 22:38
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Feb 21, 2022
@kaiz-io @TikiTDO
fix(secretsmanager): Secret requires KMS key for some same-account ac…
90e9c0f 
…cess (aws#17812)

Fix for aws#15450 Previous code did not check if the account IDs were the different. This checks if CDK is able to resolve the account ids and they are different then fail otherwise let the user create a secret.

FYI first PR. Let me know if there is something that I missed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@njlynch njlynch njlynch approved these changes

Assignees

@njlynch njlynch

Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kaiz-io @aws-cdk-automation @njlynch