fix(rds): addProxy can use kms encrypted secrets

aws · Jan 24, 2024 · 1574aca · 1574aca
1 parent 169fd91
commit 1574aca
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-rds/lib/proxy.ts b/packages/aws-cdk-lib/aws-rds/lib/proxy.ts
@@ -457,6 +457,9 @@ export class DatabaseProxy extends DatabaseProxyBase
 
     for (const secret of props.secrets) {
       secret.grantRead(role);
+      if (secret.encryptionKey !== undefined) {
+        secret.encryptionKey.grantDecrypt(role);
+      }
     }
 
     const securityGroups = props.securityGroups ?? [

diff --git a/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts b/packages/aws-cdk-lib/aws-rds/test/proxy.test.ts
@@ -1,6 +1,7 @@
 import { Match, Template } from '../../assertions';
 import * as ec2 from '../../aws-ec2';
 import { AccountPrincipal, Role } from '../../aws-iam';
+import { Key } from '../../aws-kms';
 import * as secretsmanager from '../../aws-secretsmanager';
 import * as cdk from '../../core';
 import * as cxapi from '../../cx-api';
@@ -371,6 +372,51 @@ describe('proxy', () => {
     }).toThrow(/When the Proxy contains multiple Secrets, you must pass a dbUser explicitly to grantConnect/);
   });
 
+  test('new Proxy with kms encrypted Secrets has permissions to kms:Decrypt that secret using its key', () => {
+    // GIVEN
+    const cluster = new rds.DatabaseCluster(stack, 'Database', {
+      engine: rds.DatabaseClusterEngine.AURORA,
+      instanceProps: { vpc },
+    });
+
+    const kmsKey = new Key(stack, 'Key');
+
+    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: kmsKey });
+
+    // WHEN
+    new rds.DatabaseProxy(stack, 'Proxy', {
+      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
+      vpc,
+      secrets: [kmsEncryptedSecret],
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
+            Effect: 'Allow',
+            Resource: {
+              Ref: 'SecretA720EF05',
+            },
+          },
+          {
+            Action: 'kms:Decrypt',
+            Effect: 'Allow',
+            Resource: {
+              'Fn::GetAtt': [
+                'Key961B73FD',
+                'Arn',
+              ],
+            },
+          },
+        ],
+      },
+      Roles: [{ Ref: 'ProxyIAMRole2FE8AB0F' }],
+    });
+  });
+
   test('DBProxyTargetGroup should have dependency on the proxy targets', () => {
     // GIVEN
     const cluster = new rds.DatabaseCluster(stack, 'cluster', {