Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(pipeline): enable key rotation #23620

Merged
merged 11 commits into from
Jan 17, 2023
Merged

feat(pipeline): enable key rotation #23620

merged 11 commits into from
Jan 17, 2023

Conversation

tkglaser
Copy link
Contributor

@tkglaser tkglaser commented Jan 9, 2023
edited
Loading

closes #23595

All Submissions:

Adding new Construct Runtime Dependencies:

  • [n] This PR adds new construct runtime dependencies following the process described here

New Features

  • [y] Have you added the new feature to an integration test?
    • [y] Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Jan 9, 2023

@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Jan 9, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team January 9, 2023 15:16
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 9, 2023
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@tkglaser
Copy link
Contributor Author

tkglaser commented Jan 9, 2023
edited
Loading

I have tried running the integration test but getting an unspecified internal failure from CF. Not sure where to go with that, could a maintainer please try to repro?

Never mind I figured it out. I needed a github token as a secret in my deployment account.

@aws-cdk-automation aws-cdk-automation dismissed their stale review January 11, 2023 13:27

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

TheRealAmazonKendra
TheRealAmazonKendra previously requested changes Jan 12, 2023
View reviewed changes
Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! I have just a few comments inline.

packages/@aws-cdk/pipelines/test/codepipeline/codepipeline.test.ts

new CodePipeline(pipelineStack, 'Pipeline', {
enableKeyRotation: true,
crossAccountKeys: true, // requirement of key rotation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given this dependency, this should be enforced in code. If someone adds rotation without setting this to true, what's the behavior? We don't want a deploy time failure or a silent failure here.

Copy link
Contributor Author

@tkglaser tkglaser Jan 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is already enforced by the underlying Pipeline construct. Added a unit test to capture that.

packages/@aws-cdk/pipelines/test/integ.newpipeline-with-cross-account-keys.ts Outdated
@@ -0,0 +1,70 @@
// eslint-disable-next-line import/no-extraneous-dependencies
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which dependency is this impacting?

Copy link
Contributor Author

@tkglaser tkglaser Jan 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None, it's a copy and paste error, removed.

packages/@aws-cdk/pipelines/test/integ.newpipeline-with-cross-account-keys.ts Outdated
@@ -0,0 +1,70 @@
// eslint-disable-next-line import/no-extraneous-dependencies
/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is no longer relevant when using the IntegTest construct for your tests. They always use the new style stack synthesis.

Copy link
Contributor Author

@tkglaser tkglaser Jan 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, removed.

@mergify mergify bot dismissed TheRealAmazonKendra’s stale review January 12, 2023 09:31

Pull request has been modified.

TheRealAmazonKendra
TheRealAmazonKendra approved these changes Jan 17, 2023
View reviewed changes
Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution!

@mergify
Copy link
Contributor

mergify bot commented Jan 17, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 2cb9ac3
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 29d7336 into aws:main Jan 17, 2023
@mergify
Copy link
Contributor

mergify bot commented Jan 17, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@tkglaser tkglaser deleted the thglaser/pipeline-keyrotation branch January 17, 2023 21:06
@filletofish filletofish mentioned this pull request Jul 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheRealAmazonKendra TheRealAmazonKendra TheRealAmazonKendra approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

pipelines: not possible to enable key rotation
3 participants
@tkglaser @aws-cdk-automation @TheRealAmazonKendra