From 4d8736e97baa27d79b83182076a9b4be2c276e40 Mon Sep 17 00:00:00 2001
From: Wanxian Yang
Date: Thu, 22 Apr 2021 18:01:57 -0500
Subject: [PATCH 1/3] fix: create dedicated kms
---
 templates/addons/aurora/cf.yml | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/templates/addons/aurora/cf.yml b/templates/addons/aurora/cf.yml
index 6d0bf2ed722..461b69f2d31 100644
--- a/templates/addons/aurora/cf.yml
+++ b/templates/addons/aurora/cf.yml
@@ -31,6 +31,34 @@ Mappings:
 {{end -}}
 {{end}}
 Resources:
+ {{logicalIDSafe .ClusterName}}AuroraKMSCMK:
+ Type: 'AWS::KMS::Key'
+ DeletionPolicy: Retain
+ Properties:
+ KeyPolicy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+ Action: 'kms:*'
+ Resource: '*'
+ - Effect: Allow
+ Principal:
+ AWS: '*'
+ Action:
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey*'
+ - 'kms:CreateGrant'
+ - 'kms:ListGrants'
+ - 'kms:DescribeKey'
+ Resource: '*'
+ Condition:
+ StringEquals:
+ 'kms:CallerAccount': !Ref 'AWS::AccountId'
+ 'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com'
 {{logicalIDSafe .ClusterName}}DBSubnetGroup:
 Type: 'AWS::RDS::DBSubnetGroup'
 Properties:
@@ -121,9 +149,7 @@ Resources:
 {{- end}}
 EngineMode: serverless
 StorageEncrypted: true
- KmsKeyId:
- Fn::ImportValue:
- !Sub '${App}-ArtifactKey'
+ KmsKeyId: !Ref {{logicalIDSafe .ClusterName}}AuroraKMSCMK
 DBClusterParameterGroupName: {{- if .ParameterGroup}} {{.ParameterGroup}} {{- else}} !Ref {{logicalIDSafe .ClusterName}}DBClusterParameterGroup {{- end}}
 DBSubnetGroupName: !Ref {{logicalIDSafe .ClusterName}}DBSubnetGroup
 VpcSecurityGroupIds:
From 49d94a0c789b6711638c9f513f6f6f32c4ad403e Mon Sep 17 00:00:00 2001
From: Wanxian Yang
Date: Fri, 23 Apr 2021 10:56:57 -0500
Subject: [PATCH 2/3] address feedback to remove deleteion policy
---
 templates/addons/aurora/cf.yml | 1 -
 1 file changed, 1 deletion(-)
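Review bot: The second key-policy statement grants `kms:CreateGrant` to `AWS: '*'` scoped only by `kms:CallerAccount` and `kms:ViaService`; AWS's reference key policy for service-mediated use additionally conditions grant creation with `Bool: { 'kms:GrantIsForAWSResource': 'true' }`, so that a principal reaching the key through RDS can only create grants for the service's own use of the key. The key also sets no `EnableKeyRotation: true`, which is the usual hardening for a long-lived CMK that backs storage encryption, and would sit next to `KeyPolicy` under `Properties`. Both additions fit inside the existing `Condition` and `Properties` blocks without changing the rest of the resource. The DBSubnetGroup resource that follows continues outside the hunk.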
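Review bot: `KmsKeyId` on `AWS::RDS::DBCluster` is a replacement-only property per the CloudFormation resource reference, so on an already-deployed addon the switch from the imported `${App}-ArtifactKey` to `!Ref {{logicalIDSafe .ClusterName}}AuroraKMSCMK` makes the next stack update replace the cluster, and the old cluster's data is gone unless a snapshot was taken first. Existing users are not warned anywhere in this hunk; a template comment directly above the new line, e.g. `# Changing KmsKeyId replaces the DBCluster; snapshot existing clusters before upgrading.`, or a changelog entry would make the upgrade path explicit. The DBCluster resource this property belongs to starts and ends outside the hunk.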
diff --git a/templates/addons/aurora/cf.yml b/templates/addons/aurora/cf.yml
index 461b69f2d31..e97e7905433 100644
--- a/templates/addons/aurora/cf.yml
+++ b/templates/addons/aurora/cf.yml
@@ -33,7 +33,6 @@ Mappings:
 Resources:
 {{logicalIDSafe .ClusterName}}AuroraKMSCMK:
 Type: 'AWS::KMS::Key'
- DeletionPolicy: Retain
 Properties:
 KeyPolicy:
 Version: '2012-10-17'
From bb562c5bbc3252fd2060f87ac24174ff290f6bf0 Mon Sep 17 00:00:00 2001
From: Wanxian Yang
Date: Fri, 23 Apr 2021 12:36:14 -0500
Subject: [PATCH 3/3] remove encrpytion field and kms resource since aurora serverless v1 is always encrpyted and default kms is used
---
 templates/addons/aurora/cf.yml | 29 -----------------------------
 1 file changed, 29 deletions(-)
diff --git a/templates/addons/aurora/cf.yml b/templates/addons/aurora/cf.yml
index e97e7905433..5f3882d7f36 100644
--- a/templates/addons/aurora/cf.yml
+++ b/templates/addons/aurora/cf.yml
@@ -31,33 +31,6 @@ Mappings:
 {{end -}}
 {{end}}
 Resources:
- {{logicalIDSafe .ClusterName}}AuroraKMSCMK:
- Type: 'AWS::KMS::Key'
- Properties:
- KeyPolicy:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
- Action: 'kms:*'
- Resource: '*'
- - Effect: Allow
- Principal:
- AWS: '*'
- Action:
- - 'kms:Encrypt'
- - 'kms:Decrypt'
- - 'kms:ReEncrypt*'
- - 'kms:GenerateDataKey*'
- - 'kms:CreateGrant'
- - 'kms:ListGrants'
- - 'kms:DescribeKey'
- Resource: '*'
- Condition:
- StringEquals:
- 'kms:CallerAccount': !Ref 'AWS::AccountId'
- 'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com'
 {{logicalIDSafe .ClusterName}}DBSubnetGroup:
 Type: 'AWS::RDS::DBSubnetGroup'
 Properties:
@@ -147,8 +120,6 @@ Resources:
 EngineVersion: '10.12'
 {{- end}}
 EngineMode: serverless
- StorageEncrypted: true
- KmsKeyId: !Ref {{logicalIDSafe .ClusterName}}AuroraKMSCMK
 DBClusterParameterGroupName: {{- if .ParameterGroup}} {{.ParameterGroup}} {{- else}} !Ref {{logicalIDSafe .ClusterName}}DBClusterParameterGroup {{- end}}
 DBSubnetGroupName: !Ref {{logicalIDSafe .ClusterName}}DBSubnetGroup
 VpcSecurityGroupIds: