feat(synthetics): add artifactS3Encryption property to the Canary Construct.

[mazyu36]

Issue # (if applicable)

Closes #30190.

Reason for this change

To select encryption options.

Description of changes

Add artifactS3Encryption property to the Canary Construct.

Description of how you validated changes

Add unit tests and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mazyu36]

Artifact encryption functionality is available only for canaries that use Synthetics runtime version syn-nodejs-puppeteer-3.3 or later.
However, versions prior to 3.3 are deprecated and can no longer be configured, which is why I implemented it this way.

[lpizzinidev]

Makes sense 👍 Can you please add a short comment about it before the check?

[mazyu36]

Thanks. I've added a comment.

[lpizzinidev]

Thanks 👍 Left some comments for some initial adjustments

[lpizzinidev]

Suggested change

	readonly artifactS3Encryption?: ArtifactS3Encryption;
	readonly artifactS3EncryptionMode?: ArtifactsEncryptionMode;
	/**
	* The KMS key used to encrypt the data.
	*
	* @default - A KMS key is automatically created if `artifactS3EncryptionMode` is set to `SSE_KMS`. Otherwise, no key is generated.
	*/
	readonly artifactS3EncryptionKey?: kms.IKey;

What about keeping this flat? (guidelines)

[mazyu36]

Thank you. Canary Construct is implemented to flatten other properties as well, so I agree that it would be better to flatten it in this case as you suggested. I will modify it to make it flat.​​​​​​​​​​​​​​​​

[mazyu36]

I've changed it to flat.

[lpizzinidev]

Makes sense 👍 Can you please add a short comment about it before the check?

[mazyu36]

I refactored the creation of artifactConfig into createArtifactConfig.
However, since kmsKey needs to be set as a property, I made it so that checking and setting are done here.

Please provide your opinion if there is a better way to do this.​​​​​​​​​​​​​​​​

[lpizzinidev]

I like the approach, just a couple of adjustments:

• Why not move all validations inside the method?
• No need to declare the public readonly encryptionKey?: kms.IKey; variable
• Watch out for the typo in the function name
  Suggestion:

  private createArtifactConfig(props: CanaryProps): CfnCanary.ArtifactConfigProperty | undefined {
    if (!props.artifactS3EncryptionMode) {
      return undefined;
    }

    const isNodeRuntime = !cdk.Token.isUnresolved(props.runtime) && props.runtime.family === RuntimeFamily.NODEJS;
    const isArtifactS3EncryptionModeDefined = !cdk.Token.isUnresolved(props.artifactS3EncryptionMode) && props.artifactS3EncryptionMode;
    const isArtifactS3KmsKeyDefined = !cdk.Token.isUnresolved(props.artifactS3KmsKey) && props.artifactS3KmsKey;

    if (isArtifactS3EncryptionModeDefined &&
      props.artifactS3EncryptionMode !== ArtifactsEncryptionMode.KMS &&
      isArtifactS3KmsKeyDefined
    ) {
      throw new Error('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS.');
    }

    // Only check runtime family is nodejs because versions prior to syn-nodejs-puppeteer-3.3 are deprecated and can no longer be configured.
    if (!isNodeRuntime && isArtifactS3EncryptionModeDefined) {
      throw new Error(`Artifact encryption is only supported for canaries that use Synthetics runtime version syn-nodejs-puppeteer-3.3 or later, got ${props.runtime.name}.`);
    }

    let encryptionKey: kms.IKey | undefined;
    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS) {
      // Kms Key is set or generated for using `createArtifactConfig`
      encryptionKey = props.artifactS3KmsKey ?? new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
    }

    encryptionKey?.grantEncryptDecrypt(this.role);

    return {
      s3Encryption: {
        encryptionMode: props.artifactS3EncryptionMode,
        artifactS3KmsKeyArn: encryptionKey?.keyArn,
      },
    };
  }

[mazyu36]

@lpizzinidev

Thank you for the review. I incorporated the comments and refactored.

[lpizzinidev]

Thanks 👍 Left comments for some final adjustments

[lpizzinidev]

I like the approach, just a couple of adjustments:

• Why not move all validations inside the method?
• No need to declare the public readonly encryptionKey?: kms.IKey; variable
• Watch out for the typo in the function name
  Suggestion:

  private createArtifactConfig(props: CanaryProps): CfnCanary.ArtifactConfigProperty | undefined {
    if (!props.artifactS3EncryptionMode) {
      return undefined;
    }

    const isNodeRuntime = !cdk.Token.isUnresolved(props.runtime) && props.runtime.family === RuntimeFamily.NODEJS;
    const isArtifactS3EncryptionModeDefined = !cdk.Token.isUnresolved(props.artifactS3EncryptionMode) && props.artifactS3EncryptionMode;
    const isArtifactS3KmsKeyDefined = !cdk.Token.isUnresolved(props.artifactS3KmsKey) && props.artifactS3KmsKey;

    if (isArtifactS3EncryptionModeDefined &&
      props.artifactS3EncryptionMode !== ArtifactsEncryptionMode.KMS &&
      isArtifactS3KmsKeyDefined
    ) {
      throw new Error('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS.');
    }

    // Only check runtime family is nodejs because versions prior to syn-nodejs-puppeteer-3.3 are deprecated and can no longer be configured.
    if (!isNodeRuntime && isArtifactS3EncryptionModeDefined) {
      throw new Error(`Artifact encryption is only supported for canaries that use Synthetics runtime version syn-nodejs-puppeteer-3.3 or later, got ${props.runtime.name}.`);
    }

    let encryptionKey: kms.IKey | undefined;
    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS) {
      // Kms Key is set or generated for using `createArtifactConfig`
      encryptionKey = props.artifactS3KmsKey ?? new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
    }

    encryptionKey?.grantEncryptDecrypt(this.role);

    return {
      s3Encryption: {
        encryptionMode: props.artifactS3EncryptionMode,
        artifactS3KmsKeyArn: encryptionKey?.keyArn,
      },
    };
  }

[mazyu36]

@lpizzinidev
Thank you for the review. I have addressed the comments.
(For some reason, the PR linter is showing an error...)

[lpizzinidev]

Thanks 👍
Not sure about the failing build. It seems like an issue with automation scripts:

error /home/runner/work/aws-cdk/aws-cdk/node_modules/@lerna/create/node_modules/nx, /home/runner/work/aws-cdk/aws-cdk/node_modules/@nx/devkit/node_modules/nx, /home/runner/work/aws-cdk/aws-cdk/node_modules/lerna/node_modules/nx: Command failed.

[lpizzinidev]

Thanks 👍

[comcalvi]

Minor changes only, looks great!

[comcalvi]

can this value ever be a Token?

[mazyu36]

Thanks. This check is redundant.
I've removed it.

[comcalvi]

You don't need app.synth() at the end of new-style (eg, using IntegTest) integ tests. Old-style tests required it, but new-style ones should not use it.

[mazyu36]

Thanks. removed.

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 47911d6
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mazyu36]

@comcalvi
Thank you for the review.
I've addressed all your comments.