feat(rds): default DatabaseCluser and DatabaseInstance storageEncrypted to true (under feature flag)
#32695
Conversation
… storageEncrypted
github-actions
bot
added
effort/medium
github-actions
bot
added
the
admired-contributor
| @@ -35,6 +35,8 @@ class TestStack extends cdk.Stack { | |||
| vpc, | |||
There was a problem hiding this comment.
This change affected a lot of integration tests. I opted to use the legacy behaviors for these tests because re-running the creation of all these databases would be extremely slow and expensive.
If someone at AWS with a "free"/"expensed" account would like to rerun all these failing tests, we could go that route, too.
I added explicit new tests for this behavior.
There was a problem hiding this comment.
I think manually adding "StorageEncrypted": true to the templates would make those tests pass without the need to deploy the related resources (we expect the flag to work given that you added the new test).
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32695 +/- ##
=======================================
Coverage 66.95% 66.96%
=======================================
Files 329 329
Lines 18662 18663 +1
Branches 3257 3257
=======================================
+ Hits 12496 12497 +1
Misses 5839 5839
Partials 327 327
Flags with carried forward coverage won't be shown. Click here to find out more.
|
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-community-review
There was a problem hiding this comment.
To provide backward compatibility, this PR also introduces a new property, isStorageLegacyUnencrypted. This allows leaving the StorageEncrypted property unset in the CloudFormation template, to avoid replacing Database instances/clusters.
Shouldn't the default behavior be applied when @aws-cdk/aws-rds:enableEncryptionAtRestByDefault: false? 🤔
The extra variable seems to add unnecessary complexity here.
| @@ -35,6 +35,8 @@ class TestStack extends cdk.Stack { | |||
| vpc, | |||
There was a problem hiding this comment.
I think manually adding "StorageEncrypted": true to the templates would make those tests pass without the need to deploy the related resources (we expect the flag to work given that you added the new test).
aws-cdk-automation
removed
the
pr/needs-community-review
Issue # (if applicable)
Closes #32398
Reason for this change
Today, if you don't remember to pass
storageEncrypted: trueto yourDatabaseInstanceorDatabaseCluster, your database's storage will be unencrypted.In almost all cases, your database storage should be encrypted. Here are reasons I think we should use AWS-managed keys by default:
Description of changes
This PR introduces a new feature flag,
@aws-cdk/aws-rds:enableEncryptionAtRestByDefault. When set totrue,storageEncryptedwill default totrueinstead ofundefined(which means "false").To provide backward compatibility, this PR also introduces a new property,
isStorageLegacyUnencrypted. This allows leaving theStorageEncryptedproperty unset in the CloudFormation template, to avoid replacing Database instances/clusters.Describe any new or updated permissions being added
N/A
Description of how you validated changes
Unit and integration tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license