diff --git a/API.md b/API.md index a986522a..44419224 100644 --- a/API.md +++ b/API.md @@ -1717,6 +1717,7 @@ const multiStringParameterProps: MultiStringParameterProps = { ... } | **Name** | **Type** | **Description** | | --- | --- | --- | +| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | convertToJSON | boolean | Should the encrypted sops value should be converted to JSON? | | flatten | boolean | Should the structure be flattened? | @@ -1745,6 +1746,19 @@ const multiStringParameterProps: MultiStringParameterProps = { ... } --- +##### `assetEncryptionKey`Optional + +```typescript +public readonly assetEncryptionKey: IKey; +``` + +- *Type:* aws-cdk-lib.aws_kms.IKey +- *Default:* Trying to get the key using the CDK Bootstrap context. + +The encryption key used by the CDK default Asset S3 Bucket. + +--- + ##### `autoGenerateIamPermissions`Optional ```typescript @@ -2109,6 +2123,7 @@ const sopsSecretProps: SopsSecretProps = { ... } | secretObjectValue | {[ key: string ]: aws-cdk-lib.SecretValue} | Initial value for a JSON secret. | | secretStringBeta1 | aws-cdk-lib.aws_secretsmanager.SecretStringValueBeta1 | Initial value for the secret. | | secretStringValue | aws-cdk-lib.SecretValue | Initial value for the secret. | +| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | convertToJSON | boolean | Should the encrypted sops value should be converted to JSON? | | flatten | boolean | Should the structure be flattened? | 
@@ -2299,6 +2314,19 @@ Only one of `secretStringBeta1`, `secretStringValue`, 'secretObjectValue', and ` --- +##### `assetEncryptionKey`Optional + +```typescript +public readonly assetEncryptionKey: IKey; +``` + +- *Type:* aws-cdk-lib.aws_kms.IKey +- *Default:* Trying to get the key using the CDK Bootstrap context. + +The encryption key used by the CDK default Asset S3 Bucket. + +--- + ##### `autoGenerateIamPermissions`Optional ```typescript @@ -2506,6 +2534,7 @@ const sopsStringParameterProps: SopsStringParameterProps = { ... } | **Name** | **Type** | **Description** | | --- | --- | --- | +| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | convertToJSON | boolean | Should the encrypted sops value should be converted to JSON? | | flatten | boolean | Should the structure be flattened? | @@ -2532,6 +2561,19 @@ const sopsStringParameterProps: SopsStringParameterProps = { ... } --- +##### `assetEncryptionKey`Optional + +```typescript +public readonly assetEncryptionKey: IKey; +``` + +- *Type:* aws-cdk-lib.aws_kms.IKey +- *Default:* Trying to get the key using the CDK Bootstrap context. + +The encryption key used by the CDK default Asset S3 Bucket. + +--- + ##### `autoGenerateIamPermissions`Optional ```typescript @@ -2867,6 +2909,7 @@ const sopsSyncOptions: SopsSyncOptions = { ... } | **Name** | **Type** | **Description** | | --- | --- | --- | +| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | convertToJSON | boolean | Should the encrypted sops value should be converted to JSON? | | flatten | boolean | Should the structure be flattened? | 
@@ -2884,6 +2927,19 @@ const sopsSyncOptions: SopsSyncOptions = { ... } --- +##### `assetEncryptionKey`Optional + +```typescript +public readonly assetEncryptionKey: IKey; +``` + +- *Type:* aws-cdk-lib.aws_kms.IKey +- *Default:* Trying to get the key using the CDK Bootstrap context. + +The encryption key used by the CDK default Asset S3 Bucket. + +--- + ##### `autoGenerateIamPermissions`Optional ```typescript @@ -3091,6 +3147,7 @@ const sopsSyncProps: SopsSyncProps = { ... } | **Name** | **Type** | **Description** | | --- | --- | --- | +| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | convertToJSON | boolean | Should the encrypted sops value should be converted to JSON? | | flatten | boolean | Should the structure be flattened? | @@ -3112,6 +3169,19 @@ const sopsSyncProps: SopsSyncProps = { ... } --- +##### `assetEncryptionKey`Optional + +```typescript +public readonly assetEncryptionKey: IKey; +``` + +- *Type:* aws-cdk-lib.aws_kms.IKey +- *Default:* Trying to get the key using the CDK Bootstrap context. + +The encryption key used by the CDK default Asset S3 Bucket. + +--- + ##### `autoGenerateIamPermissions`Optional ```typescript diff --git a/src/SopsSync.ts b/src/SopsSync.ts index fcffb5aa..62464345 100644 --- a/src/SopsSync.ts +++ b/src/SopsSync.ts @@ -1,13 +1,13 @@ import * as fs from 'fs'; import * as path from 'path'; import { - SecretValue, - Duration, - Lazy, - Stack, Annotations, CustomResource, + Duration, FileSystem, + Lazy, + SecretValue, + Stack, } from 'aws-cdk-lib'; import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2'; import { 
@@ -17,7 +17,7 @@ import {
 PolicyStatement,
 } from 'aws-cdk-lib/aws-iam';
 import { IKey, Key } from 'aws-cdk-lib/aws-kms';
-import { SingletonFunction, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { Code, Runtime, SingletonFunction } from 'aws-cdk-lib/aws-lambda';
 import { Asset } from 'aws-cdk-lib/aws-s3-assets';
 import { ISecret } from 'aws-cdk-lib/aws-secretsmanager';
 import { Construct } from 'constructs';
@@ -137,6 +137,12 @@ export interface SopsSyncOptions {
 * @default true
 */
 readonly autoGenerateIamPermissions?: boolean;
+
+ /**
+ * The encryption key used by the CDK default Asset S3 Bucket.
+ * @default - Trying to get the key using the CDK Bootstrap context.
+ */
+ readonly assetEncryptionKey?: IKey;
 }
 
 /**
@@ -352,7 +358,12 @@ export class SopsSync extends Construct {
 role: provider.role,
 sopsFileContent: sopsFileContent.toString(),
 });
- Permissions.assetBucket(sopsAsset, provider.role);
+ Permissions.assetBucket(
+ this,
+ sopsAsset,
+ provider.role,
+ props.assetEncryptionKey,
+ );
 Permissions.encryptionKey(props.encryptionKey, provider.role);
 Permissions.secret(props.secret, provider.role);
 Permissions.parameters(this, props.parameterNames, provider.role);
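Review bot: The new `assetEncryptionKey` doc comment in the `SopsSyncOptions` hunk does not tell callers what happens when the key is omitted and the bootstrap lookup fails: the fallback in `Permissions.assetBucket` (the hunk on line 5) only records a synth-time warning and makes no KMS grant, so the provider role is left unable to read a KMS-encrypted asset. Suggest replacing the `@default` line with `@default - Looked up from the CDK bootstrap resources of the stack's environment; if that lookup fails only a warning is emitted and no KMS permission is granted, so set this explicitly in that case.` I believe `Key.fromLookup` also needs a concrete account/region on the stack, which would make environment-agnostic stacks always take the warning path — worth confirming and stating in the same comment.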
@@ -559,10 +570,32 @@ export namespace Permissions {
 /**
 * Grants the necessary permissions to read the given asset from S3.
 */
- export function assetBucket(asset: Asset | undefined, target: IGrantable) {
+ export function assetBucket(
+ context: Construct,
+ asset: Asset | undefined,
+ target: IGrantable,
+ assetKey: IKey | undefined,
+ ) {
 if (asset === undefined) {
 return;
 }
 asset.bucket.grantRead(target);
+
+ if (assetKey) {
+ assetKey.grantDecrypt(target);
+ } else {
+ try {
+ const qualifier =
+ Stack.of(context).synthesizer.bootstrapQualifier ?? 'hnb659fds'; // hnb659fds is the AWS global default qualifier
+ Key.fromLookup(context, 'AssetBucketKey', {
+ aliasName: `alias/cdk-bootstrap/${qualifier}`,
+ }).grantEncrypt(target);
+ } catch (error) {
+ Annotations.of(context).addWarningV2(
+ 'no-asset-kms-key',
+ `An error occured while retreving the KMS-Key for the Asset S3-Bucket from CDK Bootstrap. Set encryption key manually by using props.assetEncryptionKey. ${error}`,
+ );
+ }
+ }
 }
 }
diff --git a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json
index d65692cd..319ca7e8 100644
--- a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json
+++ b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json
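Review bot: The bootstrap-key fallback grants the wrong operation: `}).grantEncrypt(target)` hands `target` the encrypt-side KMS actions on the looked-up key, whereas reading an SSE-KMS object from the asset bucket needs kms:Decrypt — which is exactly what the explicit-key branch (`assetKey.grantDecrypt(target)`) and the snapshot on line 9 (`"Action": "kms:Decrypt"`) grant. Change it to `}).grantDecrypt(target);` so both branches grant only what the read requires. The alias `alias/cdk-bootstrap/${qualifier}` also reads like the SSM parameter path rather than the key alias; as far as I recall the bootstrap template names the asset key `alias/cdk-${Qualifier}-assets-key`, so verify against the bootstrap template in use, because a failed lookup here only produces a warning and leaves the role with no KMS grant at all. Separately, the warning text misspells "occurred" and "retrieving".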
@@ -1,16 +1,17 @@ { "version": "36.0.0", "files": { - "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4": { + "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e": { "source": { - "path": "asset.71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "path": "asset.6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", + "objectKey": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, @@ -20,10 +21,11 @@ "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", "objectKey": "2e0bdd84bc2fecdd9795887da1814888ec0b5d184a7324c5fda69c4bd54fa649.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, 
@@ -33,10 +35,11 @@ "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", "objectKey": "c0d63dcd2d506c5d270284d70d1805688ff5d3a2e0d7515bfa56b1b3ed416c4f.yaml", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, @@ -46,10 +49,11 @@ "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", "objectKey": "313aad921c737076a990ead756b250f1677aecc927177440df0c809cd56bf282.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, @@ -59,10 +63,11 @@ "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", "objectKey": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, 
@@ -72,23 +77,25 @@ "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", "objectKey": "a8aece61894327fcfc2c7fab967a72583c0f795025e4d5f2e87c248b6e916d4b.binary", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } }, - "be9b36c08762ff449b54230ebeb5b0d09e6a0e7737d3eda30a64be5f835d49ad": { + "f38430ae989f7328d34b16732c6932c35e9314625fe461dfa174222af079cae3": { "source": { "path": "SecretIntegrationAsset.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "be9b36c08762ff449b54230ebeb5b0d09e6a0e7737d3eda30a64be5f835d49ad.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + "123456789-us-east-1": { + "bucketName": "cdk-integ-assets-123456789-us-east-1", + "objectKey": "f38430ae989f7328d34b16732c6932c35e9314625fe461dfa174222af079cae3.json", + "region": "us-east-1", + "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1" } } } diff --git a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json index f459ca54..8b40d860 100644 --- a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json +++ b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json 
@@ -21,9 +21,7 @@ "Ref": "SopsSecretJSON72040543" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "2e0bdd84bc2fecdd9795887da1814888ec0b5d184a7324c5fda69c4bd54fa649.json" }, "ConvertToJSON": true, @@ -88,10 +86,7 @@ { "Ref": "AWS::Partition" }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - } + ":s3:::cdk-integ-assets-123456789-us-east-1" ] ] }, @@ -103,16 +98,17 @@ { "Ref": "AWS::Partition" }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "/*" + ":s3:::cdk-integ-assets-123456789-us-east-1/*" ] ] } ] }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Resource": "arn:aws:kms:us-east-1:123456789:key/my-key-id" + }, { "Action": [ "secretsmanager:PutSecretValue", @@ -228,10 +224,8 @@ "Type": "AWS::Lambda::Function", "Properties": { "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip" + "S3Bucket": "cdk-integ-assets-123456789-us-east-1", + "S3Key": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip" }, "Environment": { "Variables": { @@ -274,9 +268,7 @@ "Ref": "SopsSecretYAMLC392F558" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "c0d63dcd2d506c5d270284d70d1805688ff5d3a2e0d7515bfa56b1b3ed416c4f.yaml" }, "ConvertToJSON": false, @@ -310,9 +302,7 @@ "Ref": "SopsSecretYAMLasJSON64419C04" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "c0d63dcd2d506c5d270284d70d1805688ff5d3a2e0d7515bfa56b1b3ed416c4f.yaml" }, "ConvertToJSON": true, 
@@ -346,9 +336,7 @@ "Ref": "SopsComplexSecretJSONAD4C2662" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "313aad921c737076a990ead756b250f1677aecc927177440df0c809cd56bf282.json" }, "ConvertToJSON": true, @@ -382,9 +370,7 @@ "Ref": "SopsComplexSecretJSONFlatF5FC1D69" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "313aad921c737076a990ead756b250f1677aecc927177440df0c809cd56bf282.json" }, "ConvertToJSON": true, @@ -418,9 +404,7 @@ "Ref": "SopComplexSecretYAMLF52D88F2" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml" }, "ConvertToJSON": false, @@ -454,9 +438,7 @@ "Ref": "SopComplexSecretYAMLFlatD9CE8782" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml" }, "ConvertToJSON": false, @@ -490,9 +472,7 @@ "Ref": "SopsComplexSecretYAMLasJSONEAE81DB0" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml" }, "ConvertToJSON": true, @@ -526,9 +506,7 @@ "Ref": "SopsComplexSecretYAMLasJSONFlat9FD04B78" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml" }, "ConvertToJSON": true, 
@@ -562,9 +540,7 @@ "Ref": "SopsBinaryAsBinary6FB08519" }, "SopsS3File": { - "Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, + "Bucket": "cdk-integ-assets-123456789-us-east-1", "Key": "a8aece61894327fcfc2c7fab967a72583c0f795025e4d5f2e87c248b6e916d4b.binary" }, "ConvertToJSON": true, @@ -977,7 +953,7 @@ "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", + "Default": "/cdk-bootstrap/integ/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" } }, diff --git a/test/secret-asset.integ.ts b/test/secret-asset.integ.ts index bdfa441b..809acc89 100644 --- a/test/secret-asset.integ.ts +++ b/test/secret-asset.integ.ts @@ -1,10 +1,25 @@ -import { App, SecretValue, Stack } from 'aws-cdk-lib'; +import { App, DefaultStackSynthesizer, SecretValue, Stack } from 'aws-cdk-lib'; +import { Key } from 'aws-cdk-lib/aws-kms'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { SopsSecret, UploadType } from '../src/index'; const app = new App(); -const stack = new Stack(app, 'SecretIntegrationAsset'); +const stack = new Stack(app, 'SecretIntegrationAsset', { + synthesizer: new DefaultStackSynthesizer({ + qualifier: 'integ', + }), + env: { + account: '123456789', + region: 'us-east-1', + }, +}); + +const assetKey = Key.fromKeyArn( + stack, + 'KmsKey', + 'arn:aws:kms:us-east-1:123456789:key/my-key-id', +); new SopsSecret(stack, 'SopsSecretJSON', { sopsFilePath: 'test-secrets/json/sopsfile.enc-age.json', @@ -13,6 +28,7 @@ new SopsSecret(stack, 'SopsSecretJSON', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new SopsSecret(stack, 'SopsSecretYAML', { 
@@ -23,6 +39,7 @@ new SopsSecret(stack, 'SopsSecretYAML', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new SopsSecret(stack, 'SopsSecretYAMLasJSON', { @@ -33,6 +50,7 @@ new SopsSecret(stack, 'SopsSecretYAMLasJSON', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new SopsSecret(stack, 'SopsComplexSecretJSON', { @@ -43,6 +61,7 @@ new SopsSecret(stack, 'SopsComplexSecretJSON', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); const sopsComplexSecretJSONFlat = new SopsSecret( @@ -56,6 +75,7 @@ const sopsComplexSecretJSONFlat = new SopsSecret( sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }, ); @@ -68,6 +88,7 @@ new SopsSecret(stack, 'SopComplexSecretYAML', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new SopsSecret(stack, 'SopComplexSecretYAMLFlat', { @@ -79,6 +100,7 @@ new SopsSecret(stack, 'SopComplexSecretYAMLFlat', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new SopsSecret(stack, 'SopsComplexSecretYAMLasJSON', { @@ -90,6 +112,7 @@ new SopsSecret(stack, 'SopsComplexSecretYAMLasJSON', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); const sopsComplexSecretYAMLasJSONFlat = new SopsSecret( 
@@ -104,6 +127,7 @@ const sopsComplexSecretYAMLasJSONFlat = new SopsSecret( sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }, ); @@ -114,6 +138,7 @@ new SopsSecret(stack, 'SopsBinaryAsBinary', { sopsAgeKey: SecretValue.unsafePlainText( 'AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3', ), + assetEncryptionKey: assetKey, }); new Function(stack, 'TestFunction', { diff --git a/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json b/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json index cbef6f0f..ed2116ad 100644 --- a/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json +++ b/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json @@ -1,20 +1,20 @@ { "version": "36.0.0", "files": { - "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4": { + "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e": { "source": { - "path": "asset.71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "path": "asset.6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "objectKey": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "923c03ac17667e1ede779db4e03cde855c2a7e868de1c36506f34013c2c0f0e6": { + "3b0bdb64bee0336eb36cc464c1af9cf58a1c325998209d00ee6a7d112c38ad41": { "source": { "path": "SecretIntegrationInline.template.json", "packaging": "file" 
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "923c03ac17667e1ede779db4e03cde855c2a7e868de1c36506f34013c2c0f0e6.json", + "objectKey": "3b0bdb64bee0336eb36cc464c1af9cf58a1c325998209d00ee6a7d112c38ad41.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json b/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json index a48e5033..6434f5ad 100644 --- a/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json +++ b/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json @@ -198,7 +198,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip" + "S3Key": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip" }, "Environment": { "Variables": { diff --git a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json index 8e7b7417..dcb5e985 100644 --- a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json +++ b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json 
@@ -1,20 +1,20 @@ { "version": "36.0.0", "files": { - "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4": { + "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e": { "source": { - "path": "asset.71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "path": "asset.6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "objectKey": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "cbd798901289cce0c6e4c46d57c3c5dc432ce41487704d15c6582549466775a6": { + "ceae4c5aae51b63349d9022671dd663ff353a630338cc08e7f00096b4cc05706": { "source": { "path": "SecretIntegrationAsset.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "cbd798901289cce0c6e4c46d57c3c5dc432ce41487704d15c6582549466775a6.json", + "objectKey": "ceae4c5aae51b63349d9022671dd663ff353a630338cc08e7f00096b4cc05706.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json index 21dbd590..3e27f576 100644 --- a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json +++ b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json 
@@ -72,7 +72,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip" + "S3Key": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip" }, "Environment": { "Variables": { diff --git a/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json b/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json index d6254030..c9198986 100644 --- a/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json +++ b/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json @@ -1,15 +1,15 @@ { "version": "36.0.0", "files": { - "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4": { + "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e": { "source": { - "path": "asset.71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "path": "asset.6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip", + "objectKey": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } @@ -27,7 +27,7 @@ } } }, - "c7ca4322ec89a67d983576a0211a865f3c27ff3ebbafa5d7c0f83da41603ac4e": { + "03f53bba5301d6df7d9be45c3a6e68e59652eed2b74f63b1d21c147468d8b0b9": { "source": { "path": "SecretMultiKms.template.json", "packaging": "file" 
@@ -35,7 +35,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c7ca4322ec89a67d983576a0211a865f3c27ff3ebbafa5d7c0f83da41603ac4e.json", + "objectKey": "03f53bba5301d6df7d9be45c3a6e68e59652eed2b74f63b1d21c147468d8b0b9.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json b/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json index 7c45193e..ed14e217 100644 --- a/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json +++ b/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json @@ -336,7 +336,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip" + "S3Key": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip" }, "Environment": { "Variables": {