Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rds): default DatabaseCluser and DatabaseInstance storageEncrypted to true (under feature flag) #32695

Open
wants to merge 25 commits into
base: main
Choose a base branch
from
Open

feat(rds): default DatabaseCluser and DatabaseInstance storageEncrypted to true (under feature flag) #32695

wants to merge 25 commits into from
+5,339 −23

Conversation

blimmer
Copy link
Contributor

@blimmer blimmer commented Dec 31, 2024
edited
Loading

Issue # (if applicable)

Closes #32398

Reason for this change

Today, if you don't remember to pass storageEncrypted: true to your DatabaseInstance or DatabaseCluster, your database's storage will be unencrypted.

In almost all cases, your database storage should be encrypted. Here are reasons I think we should use AWS-managed keys by default:

  • AWS Well-Architected security pillar says all data should be encrypted at rest.
  • There is no additional fee to use the AWS-managed KMS key
  • When creating RDS instances and clusters via the AWS Console UI, encryption with AWS-managed keys is enabled by default.
  • Adding encryption to a previously unencrypted database is an involved process that requires recreating your database from a snapshot. Applying encryption to an unencrypted database is time-consuming and a bad developer and user experience.
  • Other L2 constructs apply encryption by default, including Neptune and DocDb
  • If you don't encrypt your storage, you'll see warnings in the RDS UI telling you that your storage is unencrypted.
  • Users can easily retain the existing behavior.

Description of changes

This PR introduces a new feature flag, @aws-cdk/aws-rds:enableEncryptionAtRestByDefault. When set to true, storageEncrypted will default to true instead of undefined (which means "false").

To provide backward compatibility, this PR also introduces a new property, storageEncryptedLegacyDefaultValue. This allows leaving the StorageEncrypted property unset in the CloudFormation template, to avoid replacing Database instances/clusters.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Unit and integration tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@blimmer blimmer marked this pull request as ready for review December 31, 2024 04:45
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Dec 31, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team December 31, 2024 04:45
@github-actions github-actions bot added the admired-contributor [Pilot] contributed between 13-24 PRs to the CDK label Dec 31, 2024
blimmer
blimmer commented Dec 31, 2024
View reviewed changes
...ges/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-rds-serverlessv2.ts
@@ -35,6 +35,8 @@ class TestStack extends cdk.Stack {
vpc,
Copy link
Contributor Author

@blimmer blimmer Dec 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change affected a lot of integration tests. I opted to use the legacy behaviors for these tests because re-running the creation of all these databases would be extremely slow and expensive.

If someone at AWS with a "free"/"expensed" account would like to rerun all these failing tests, we could go that route, too.

I added explicit new tests for this behavior.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think manually adding "StorageEncrypted": true to the templates would make those tests pass without the need to deploy the related resources (we expect the flag to work given that you added the new test).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the past, I've received PR feedback that you should never manually update snapshot files. I just confirmed that I could add this property manually to the snapshots and that would be an alternative solution to updating the stack definitions.

I'd like a +1 from an approver that this would be OK before I spend the time doing it, based on previous feedback that snapshots should never be manually edited.

Copy link
Contributor

@lpizzinidev lpizzinidev Jan 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've received PR feedback that you should never manually update snapshot files

👍 Sounds good!

About the isStorageLegacyUnencrypted comment.
Thanks for clarifying, I'm not sure why CFN defaults to unencrypted clusters and instances.
However, I left some comments on the implementation for small adjustments.

aws-cdk-automation
aws-cdk-automation previously requested changes Dec 31, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@codecov Codecov
Copy link

codecov bot commented Dec 31, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.52%. Comparing base (bbdd42c) to head (14795d0).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #32695   +/-   ##
=======================================
  Coverage   81.52%   81.52%           
=======================================
  Files         222      222           
  Lines       13715    13715           
  Branches     2417     2417           
=======================================
  Hits        11181    11181           
  Misses       2254     2254           
  Partials      280      280
Flag Coverage Δ
suite.unit 81.52% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.97% <ø> (ø)
packages/aws-cdk-lib/core 82.09% <ø> (ø)

@aws-cdk-automation aws-cdk-automation dismissed their stale review December 31, 2024 18:10

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 31, 2024
@github-actions github-actions bot mentioned this pull request Jan 1, 2025
Open
lpizzinidev
lpizzinidev suggested changes Jan 3, 2025
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To provide backward compatibility, this PR also introduces a new property, isStorageLegacyUnencrypted. This allows leaving the StorageEncrypted property unset in the CloudFormation template, to avoid replacing Database instances/clusters.

Shouldn't the default behavior be applied when @aws-cdk/aws-rds:enableEncryptionAtRestByDefault: false? 🤔
The extra variable seems to add unnecessary complexity here.

...ges/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-rds-serverlessv2.ts
@@ -35,6 +35,8 @@ class TestStack extends cdk.Stack {
vpc,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think manually adding "StorageEncrypted": true to the templates would make those tests pass without the need to deploy the related resources (we expect the flag to work given that you added the new test).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 3, 2025
@blimmer
Copy link
Contributor Author

blimmer commented Jan 3, 2025
edited
Loading

@lpizzinidev - thanks for the review. I commented on your inline comment, and below is a comment that you requested changed for (it's annoying that GitHub won't let you respond inline to those).

Suggestion to reuse feature flag vs isStorageLegacyUnencrypted

This would work for v2, but if the feature flag is ever removed (it looks like all v1 flags were removed from v2 - see docs), this would no longer work. My understanding is that when v3 is released, the feature flag will be removed, and we will need to remember to re-add something like isStorageLegacyUnencrypted.

This is very similar to the isFromLegacyInstanceProps provided for a similar reason, to prevent replacing database resources (docs).

Unfortunately, because the behavior is to pass undefined today, it makes it a bit challenging to work with. CloudFormation reports that changing undefined -> false causes resource replacement. I feel fairly strongly that the new behavior should be to always explicitly set the value to true or false, which led me to this solution.

If there's another way I should be thinking about this (like retaining that feature flag indefinitely - I don't know if that's an option), let me know.

lpizzinidev
lpizzinidev suggested changes Jan 4, 2025
View reviewed changes
...ges/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-rds-serverlessv2.ts
@@ -35,6 +35,8 @@ class TestStack extends cdk.Stack {
vpc,
Copy link
Contributor

@lpizzinidev lpizzinidev Jan 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've received PR feedback that you should never manually update snapshot files

👍 Sounds good!

About the isStorageLegacyUnencrypted comment.
Thanks for clarifying, I'm not sure why CFN defaults to unencrypted clusters and instances.
However, I left some comments on the implementation for small adjustments.

packages/aws-cdk-lib/aws-rds/lib/instance.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/lib/instance.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/README.md Show resolved Hide resolved
@blimmer blimmer requested a review from lpizzinidev January 4, 2025 18:14
@blimmer
Copy link
Contributor Author

blimmer commented Jan 4, 2025

@lpizzinidev - thanks for the thorough review and great comments. This is ready for re-review.

lpizzinidev
lpizzinidev suggested changes Jan 5, 2025
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 🚀 Left comments for some final adjustments

packages/aws-cdk-lib/aws-rds/lib/private/util.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/README.md Show resolved Hide resolved
@blimmer blimmer requested a review from lpizzinidev January 6, 2025 21:15
@blimmer
Copy link
Contributor Author

blimmer commented Jan 6, 2025

@lpizzinidev - thanks! should be good to go.

lpizzinidev
lpizzinidev approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 7, 2025
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 14795d0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lpizzinidev lpizzinidev lpizzinidev approved these changes

@moltar moltar moltar approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
admired-contributor [Pilot] contributed between 13-24 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member
Projects
None yet
Milestone
No milestone
4 participants
@blimmer @aws-cdk-automation @moltar @lpizzinidev