Revert "feat(ec2): support KMS keys for block device mappings for bot…

…h instances and launch templates (#18326)" Reverts commit 17dbe5f. in the meantime until we figure out the longer term solution. Fixes #18676
aws · Feb 1, 2022 · af0e7f5 · af0e7f5
1 parent 17dbe5f
commit af0e7f5
Show file tree

Hide file tree

Showing 5 changed files with 3 additions and 120 deletions.
diff --git a/packages/@aws-cdk/aws-ec2/README.md b/packages/@aws-cdk/aws-ec2/README.md
@@ -1051,37 +1051,6 @@ new ec2.Instance(this, 'Instance', {
 
 ```
 
-It is also possible to encrypt the block devices. In this example we will create an customer managed key encrypted EBS-backed root device:
-
-```ts
-import { Key } from '@aws-cdk/aws-kms';
-
-declare const vpc: ec2.Vpc;
-declare const instanceType: ec2.InstanceType;
-declare const machineImage: ec2.IMachineImage;
-
-const kmsKey = new Key(this, 'KmsKey')
-
-new ec2.Instance(this, 'Instance', {
-  vpc,
-  instanceType,
-  machineImage,
-
-  // ...
-
-  blockDevices: [
-    {
-      deviceName: '/dev/sda1',
-      volume: ec2.BlockDeviceVolume.ebs(50, {
-        encrypted: true,
-        kmsKey: kmsKey,
-      }),
-    },
-  ],
-});
-
-```
-
 ### Volumes
 
 Whereas a `BlockDeviceVolume` is an EBS volume that is created and destroyed as part of the creation and destruction of a specific instance. A `Volume` is for when you want an EBS volume separate from any particular instance. A `Volume` is an EBS block device that can be attached to, or detached from, any instance at any time. Some types of `Volume`s can also be attached to multiple instances at the same time to allow you to have shared storage between those instances.

diff --git a/packages/@aws-cdk/aws-ec2/lib/private/ebs-util.ts b/packages/@aws-cdk/aws-ec2/lib/private/ebs-util.ts
@@ -24,11 +24,8 @@ function synthesizeBlockDeviceMappings<RT, NDT>(construct: Construct, blockDevic
   return blockDevices.map<RT>(({ deviceName, volume, mappingEnabled }): RT => {
     const { virtualName, ebsDevice: ebs } = volume;
 
-    let finalEbs: CfnLaunchTemplate.EbsProperty | CfnInstance.EbsProperty | undefined;
-
     if (ebs) {
-
-      const { iops, volumeType, kmsKey, ...rest } = ebs;
+      const { iops, volumeType } = ebs;
 
       if (!iops) {
         if (volumeType === EbsDeviceVolumeType.IO1) {
@@ -37,25 +34,9 @@ function synthesizeBlockDeviceMappings<RT, NDT>(construct: Construct, blockDevic
       } else if (volumeType !== EbsDeviceVolumeType.IO1) {
         Annotations.of(construct).addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
       }
-
-      /**
-       * Because the Ebs properties of the L2 Constructs do not match the Ebs properties of the Cfn Constructs,
-       * we have to do some transformation and handle all destructed properties
-       */
-
-      finalEbs = {
-        ...rest,
-        iops,
-        volumeType,
-        kmsKeyId: kmsKey?.keyArn,
-      };
-
-    } else {
-      finalEbs = undefined;
     }
 
-
     const noDevice = mappingEnabled === false ? noDeviceValue : undefined;
-    return { deviceName, ebs: finalEbs, virtualName, noDevice } as any;
+    return { deviceName, ebs, virtualName, noDevice } as any;
   });
 }
diff --git a/packages/@aws-cdk/aws-ec2/lib/volume.ts b/packages/@aws-cdk/aws-ec2/lib/volume.ts
@@ -89,17 +89,6 @@ export interface EbsDeviceOptions extends EbsDeviceOptionsBase {
    * @default false
    */
   readonly encrypted?: boolean;
-
-  /**
-   * The ARN of the AWS Key Management Service (AWS KMS) CMK used for encryption.
-   *
-   * You have to ensure that the KMS CMK has the correct permissions to be used by the service launching the ec2 instances.
-   *
-   * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements
-   *
-   * @default - If encrypted is true, the default aws/ebs KMS key will be used.
-   */
-  readonly kmsKey?: IKey;
 }
 
 /**
@@ -119,7 +108,7 @@ export interface EbsDeviceSnapshotOptions extends EbsDeviceOptionsBase {
 /**
  * Properties of an EBS block device
  */
-export interface EbsDeviceProps extends EbsDeviceSnapshotOptions, EbsDeviceOptions {
+export interface EbsDeviceProps extends EbsDeviceSnapshotOptions {
   /**
    * The snapshot ID of the volume to use
    *

diff --git a/packages/@aws-cdk/aws-ec2/test/instance.test.ts b/packages/@aws-cdk/aws-ec2/test/instance.test.ts
@@ -1,6 +1,5 @@
 import * as path from 'path';
 import { Match, Template } from '@aws-cdk/assertions';
-import { Key } from '@aws-cdk/aws-kms';
 import { Asset } from '@aws-cdk/aws-s3-assets';
 import { StringParameter } from '@aws-cdk/aws-ssm';
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
@@ -185,7 +184,6 @@ describe('instance', () => {
   describe('blockDeviceMappings', () => {
     test('can set blockDeviceMappings', () => {
       // WHEN
-      const kmsKey = new Key(stack, 'EbsKey');
       new Instance(stack, 'Instance', {
         vpc,
         machineImage: new AmazonLinuxImage(),
@@ -199,16 +197,6 @@ describe('instance', () => {
             volumeType: EbsDeviceVolumeType.IO1,
             iops: 5000,
           }),
-        }, {
-          deviceName: 'ebs-cmk',
-          mappingEnabled: true,
-          volume: BlockDeviceVolume.ebs(15, {
-            deleteOnTermination: true,
-            encrypted: true,
-            kmsKey: kmsKey,
-            volumeType: EbsDeviceVolumeType.IO1,
-            iops: 5000,
-          }),
         }, {
           deviceName: 'ebs-snapshot',
           mappingEnabled: false,
@@ -236,22 +224,6 @@ describe('instance', () => {
               VolumeType: 'io1',
             },
           },
-          {
-            DeviceName: 'ebs-cmk',
-            Ebs: {
-              DeleteOnTermination: true,
-              Encrypted: true,
-              KmsKeyId: {
-                'Fn::GetAtt': [
-                  'EbsKeyD3FEE551',
-                  'Arn',
-                ],
-              },
-              Iops: 5000,
-              VolumeSize: 15,
-              VolumeType: 'io1',
-            },
-          },
           {
             DeviceName: 'ebs-snapshot',
             Ebs: {

diff --git a/packages/@aws-cdk/aws-ec2/test/launch-template.test.ts b/packages/@aws-cdk/aws-ec2/test/launch-template.test.ts
@@ -4,7 +4,6 @@ import {
   Role,
   ServicePrincipal,
 } from '@aws-cdk/aws-iam';
-import { Key } from '@aws-cdk/aws-kms';
 import {
   App,
   Duration,
@@ -255,7 +254,6 @@ describe('LaunchTemplate', () => {
 
   test('Given blockDeviceMapping', () => {
     // GIVEN
-    const kmsKey = new Key(stack, 'EbsKey');
     const blockDevices: BlockDevice[] = [
       {
         deviceName: 'ebs',
@@ -266,16 +264,6 @@ describe('LaunchTemplate', () => {
           volumeType: EbsDeviceVolumeType.IO1,
           iops: 5000,
         }),
-      }, {
-        deviceName: 'ebs-cmk',
-        mappingEnabled: true,
-        volume: BlockDeviceVolume.ebs(15, {
-          deleteOnTermination: true,
-          encrypted: true,
-          kmsKey: kmsKey,
-          volumeType: EbsDeviceVolumeType.IO1,
-          iops: 5000,
-        }),
       }, {
         deviceName: 'ebs-snapshot',
         mappingEnabled: false,
@@ -309,22 +297,6 @@ describe('LaunchTemplate', () => {
               VolumeType: 'io1',
             },
           },
-          {
-            DeviceName: 'ebs-cmk',
-            Ebs: {
-              DeleteOnTermination: true,
-              Encrypted: true,
-              KmsKeyId: {
-                'Fn::GetAtt': [
-                  'EbsKeyD3FEE551',
-                  'Arn',
-                ],
-              },
-              Iops: 5000,
-              VolumeSize: 15,
-              VolumeType: 'io1',
-            },
-          },
           {
             DeviceName: 'ebs-snapshot',
             Ebs: {