
fix(codebuild): encryptionKey cannot be disabled #10474

Merged
merged 5 commits into from Sep 28, 2020

Conversation


@rix0rrr rix0rrr commented Sep 22, 2020

Because of a limitation of the CodeBuild Service API and its
CloudFormation implementation, it is not possible to disable the
encryption key used to encrypt uploaded artifacts after having deployed
a Project once that uses a key (the update back to "no key" is ignored).

Work around this by explicitly always selecting the default
`alias/aws/s3` key. This is the same one CodeBuild would have used if
no key was given, except it doesn't suffer from the "property cannot
be made empty" problem.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
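
As an added example, not code from this PR or from aws-cdk itself: a template-level pre-deploy check in TypeScript that flags a CodeBuild project whose update would drop `EncryptionKey` (the change CloudFormation ignores, per the description above) and applies the PR's workaround of pinning `alias/aws/s3` explicitly. Resource ids, the sample key ARN and the function names are assumptions.

```typescript
// Added example, not aws-cdk code: template-level pre-deploy checks for the
// CodeBuild EncryptionKey limitation this PR works around. Resource ids and the
// key ARN below are constructed samples.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
// AWS-managed key CodeBuild falls back to when no key is given (from the PR).
const DEFAULT_S3_KEY = "alias/aws/s3";
function codeBuildProjects(t: CfnTemplate): [string, CfnResource][] {
  return Object.entries(t.Resources).filter(([, r]) => r.Type === "AWS::CodeBuild::Project");
}

// The PR's workaround applied to a synthesized template: pin the default key
// explicitly so the property never has to go back to "empty" later.
function applyDefaultKey(t: CfnTemplate): string[] {
  const changed: string[] = [];
  for (const [id, r] of codeBuildProjects(t)) {
    const props = r.Properties ?? (r.Properties = {});
    if (props.EncryptionKey === undefined) {
      props.EncryptionKey = DEFAULT_S3_KEY;
      changed.push(id);
    }
  }
  return changed;
}

// Projects whose update drops EncryptionKey entirely. Per the PR, CloudFormation
// ignores that change, so the previously configured key silently stays in force.
function findIgnoredKeyRemovals(before: CfnTemplate, after: CfnTemplate): string[] {
  const ignored: string[] = [];
  for (const [id, oldRes] of codeBuildProjects(before)) {
    const newRes = after.Resources[id];
    if (newRes?.Type !== "AWS::CodeBuild::Project") continue;
    const had = oldRes.Properties?.EncryptionKey !== undefined;
    const has = newRes.Properties?.EncryptionKey !== undefined;
    if (had && !has) ignored.push(id);
  }
  return ignored;
}

// Constructed sample: v1 deployed with a customer key, v2 tries to remove it.
function sampleTemplates(): { v1: CfnTemplate; v2: CfnTemplate } {
  const project = (props: Record<string, unknown>): CfnResource =>
    ({ Type: "AWS::CodeBuild::Project", Properties: { Name: "demo", ...props } });
  const keyArn = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"; // placeholder
  return { v1: { Resources: { Build: project({ EncryptionKey: keyArn }) } },
           v2: { Resources: { Build: project({}) } } };
}
const { v1, v2 } = sampleTemplates();
console.log(findIgnoredKeyRemovals(v1, v2)); // ["Build"]: this update would be ignored
console.log(applyDefaultKey(v2));            // ["Build"]: v2 now pins alias/aws/s3 instead
```

Running the removal check before `cdk deploy` (or a raw CloudFormation update) turns a silently ignored change into a visible error; pinning the default key is the way to get a project off a customer key without hitting that limitation.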
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 22, 2020
@rix0rrr rix0rrr added the pr/do-not-merge This PR should not be merged at this time. label Sep 22, 2020

rix0rrr commented Sep 22, 2020

Blocked waiting for a response from CodeBuild acknowledging that this workaround is sane.

@skinny85 skinny85 left a comment


Thanks for extracting this to a separate PR Rico!

This is fine from a code perspective, so I'm OK with approving it. I still feel like we should push on the CodeBuild team to address this at the source (that is, their APIs), as this affects all CloudFormation customers, not only CDK customers, and will likely be a deployment change for a huge portion of CDK users (everyone that uses CodeBuild without encryption will see a diff after this has been released).

But I understand the realities of mitigating damage vs. long-term fixes, and so I'll leave it in your hands Rico on when to exactly merge this in.

@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Sep 28, 2020

rix0rrr commented Sep 28, 2020

Confirmed to be a valid workaround by CodeBuild


mergify bot commented Sep 28, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 0a3584a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository


mergify bot commented Sep 28, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 4aadaa7 into master Sep 28, 2020
@mergify mergify bot deleted the huijbers/codebuild-default-key branch September 28, 2020 08:53
mergify bot pushed a commit that referenced this pull request Sep 29, 2020
KMS keys for cross-account actions used to be created automatically,
but incur a $1/month charge for every region, adding a charge you
don't need if you don't plan to deploy into cross-account destinations.

Add the option `crossAccountKeys: false` to allow users to switch off
the KMS keys and avoid the charge if they don't need it.

Relates to #10115.

Must not be merged before #10474.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*