(aws-redshift): KmsKeyId uses KeyArn instead of KeyId #17032

gkubes · 2021-10-18T04:55:10Z

What is the problem?

When a Cluster is created the KmsKeyId property is built using the KeyArn instead of the KeyId.

Reproduction Steps

const encryptionKey = new kms.Key(this, "KMSKey", {
    enabled: true,
    enableKeyRotation: true
});

const wbrCluster = new redshift.Cluster(this, "WBRRedshiftCluster", {
    ...
    encrypted: true,
    encryptionKey: encryptionKey,
    
});

What did you expect to happen?

"KmsKeyId": {
  "Ref": "KMSKey"
},

or

"KmsKeyId": {
  "Fn::GetAtt": [
    "WBRDataKMSKey",
    "KeyId"
  ]
},

What actually happened?

"KmsKeyId": {
  "Fn::GetAtt": [
    "WBRDataKMSKey",
    "Arn"
  ]
},

CDK CLI Version

1.126.0

Framework Version

No response

Node.js Version

12.0

OS

Amazon Linux 2012

Language

Typescript

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

njlynch · 2021-10-18T10:36:12Z

Thanks for the bug report.

I suspect this is because the Redshift Cluster construct was largely built off of the RDS Cluster; RDS' KmsKeyId does actually expect the ARN, not the Key ID.

Does this prevent successful deployment? Sometimes the documented standard is the ID, but the ARN is accepted as well.

Either way, this is a simple enough fix. Contributions welcome! Ideally, we'd update the integ test as well to deploy with a Key, to verify the behavior.

gkubes · 2021-10-18T15:23:45Z

I wasn't able to confirm if this prevents successful deployment but it can impact the ability to migrate from vanilla CFN to CDK because the change from KeyId to KeyArn triggers an encryption change in the cluster.

gkubes · 2021-10-18T15:30:20Z

As a workaround, I was able to comment out the encryptionKey property from the cluster definition and provide an override.

(cluster.node.defaultChild as redshift.CfnCluster).addPropertyOverride("KmsKeyId", encryptionKey.keyId);

Field was incorrectly using key arn instead of id. Fixes #17032 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2021-10-25T19:06:56Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Field was incorrectly using key arn instead of id. Fixes aws#17032 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

gkubes added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2021

github-actions bot added the @aws-cdk/aws-redshift Related to Amazon Redshift label Oct 18, 2021

github-actions bot assigned njlynch Oct 18, 2021

njlynch added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2021

njlynch removed their assignment Oct 18, 2021

njlynch added the good first issue Related to contributions. See CONTRIBUTING.md label Oct 18, 2021

iRoachie mentioned this issue Oct 22, 2021

fix(redshift): cluster uses key ARN instead of key ID #17108

Merged

mergify bot closed this as completed in #17108 Oct 25, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(aws-redshift): KmsKeyId uses KeyArn instead of KeyId #17032

(aws-redshift): KmsKeyId uses KeyArn instead of KeyId #17032

gkubes commented Oct 18, 2021

njlynch commented Oct 18, 2021

gkubes commented Oct 18, 2021

gkubes commented Oct 18, 2021

github-actions bot commented Oct 25, 2021