aws-cdk-lib/aws-kms/lib/key.js

Version 2 of the AWS Cloud Development Kit library

"use strict";var __decorate=exports&&exports.__decorate||function(decorators,target,key,desc){var c=arguments.length,r=c<3?target:desc===null?desc=Object.getOwnPropertyDescriptor(target,key):desc,d;if(typeof Reflect=="object"&&typeof Reflect.decorate=="function")r=Reflect.decorate(decorators,target,key,desc);else for(var i=decorators.length-1;i>=0;i--)(d=decorators[i])&&(r=(c<3?d(r):c>3?d(target,key,r):d(target,key))||r);return c>3&&r&&Object.defineProperty(target,key,r),r},_a,Key_1;Object.defineProperty(exports,"__esModule",{value:!0}),exports.Key=exports.KeyUsage=exports.KeySpec=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var alias_1=()=>{var tmp=require("./alias");return alias_1=()=>tmp,tmp},kms_generated_1=()=>{var tmp=require("./kms.generated");return kms_generated_1=()=>tmp,tmp},perms=()=>{var tmp=require("./private/perms");return perms=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},cxschema=()=>{var tmp=require("../../cloud-assembly-schema");return cxschema=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},metadata_resource_1=()=>{var tmp=require("../../core/lib/metadata-resource");return metadata_resource_1=()=>tmp,tmp},prop_injectable_1=()=>{var tmp=require("../../core/lib/prop-injectable");return prop_injectable_1=()=>tmp,tmp},cxapi=()=>{var tmp=require("../../cx-api");return cxapi=()=>tmp,tmp};class KeyBase extends core_1().Resource{constructor(scope,id,props={}){super(scope,id,props),this.aliases=[],this.node.addValidation({validate:()=>this.policy?.validateForResourcePolicy()??[]})}addAlias(aliasName){const aliasId=this.aliases.length>0?`Alias${aliasName}`:"Alias",alias=new(alias_1()).Alias(this,aliasId,{aliasName,targetKey:this});return this.aliases.push(alias),alias}addToResourcePolicy(statement,allowNoOp=!0){const stack=core_1().Stack.of(this);if(!this.policy){if(allowNoOp)return{statementAdded:!1};throw new(core_1()).ValidationError(`Unable to add statement to IAM resource policy for KMS key: ${JSON.stringify(stack.resolve(this.keyArn))}`,this)}return this.policy.addStatements(statement),{statementAdded:!0,policyDependable:this.policy}}grant(grantee,...actions){const granteeStackDependsOnKeyStack=this.granteeStackDependsOnKeyStack(grantee),principal=granteeStackDependsOnKeyStack?new(iam()).AccountPrincipal(granteeStackDependsOnKeyStack):grantee.grantPrincipal,crossAccountAccess=this.isGranteeFromAnotherAccount(grantee),crossRegionAccess=this.isGranteeFromAnotherRegion(grantee),crossEnvironment=crossAccountAccess||crossRegionAccess,grantOptions={grantee,actions,resource:this,resourceArns:[this.keyArn],resourceSelfArns:crossEnvironment?void 0:["*"]};return this.trustAccountIdentities&&!crossEnvironment?iam().Grant.addToPrincipalOrResource(grantOptions):iam().Grant.addToPrincipalAndResource({...grantOptions,resourceArns:crossEnvironment?["*"]:[this.keyArn],resourcePolicyPrincipal:principal})}grantDecrypt(grantee){return this.grant(grantee,...perms().DECRYPT_ACTIONS)}grantEncrypt(grantee){return this.grant(grantee,...perms().ENCRYPT_ACTIONS)}grantEncryptDecrypt(grantee){return this.grant(grantee,...perms().DECRYPT_ACTIONS,...perms().ENCRYPT_ACTIONS)}grantSign(grantee){return this.grant(grantee,...perms().SIGN_ACTIONS)}grantVerify(grantee){return this.grant(grantee,...perms().VERIFY_ACTIONS)}grantSignVerify(grantee){return this.grant(grantee,...perms().SIGN_ACTIONS,...perms().VERIFY_ACTIONS)}grantGenerateMac(grantee){return this.grant(grantee,...perms().GENERATE_HMAC_ACTIONS)}grantVerifyMac(grantee){return this.grant(grantee,...perms().VERIFY_HMAC_ACTIONS)}granteeStackDependsOnKeyStack(grantee){const grantPrincipal=grantee.grantPrincipal;if(!iam().principalIsOwnedResource(grantPrincipal))return;const keyStack=core_1().Stack.of(this),granteeStack=core_1().Stack.of(grantPrincipal);if(keyStack!==granteeStack)return granteeStack.dependencies.includes(keyStack)?granteeStack.account:void 0}isGranteeFromAnotherRegion(grantee){if(!iam().principalIsOwnedResource(grantee.grantPrincipal))return!1;const bucketStack=core_1().Stack.of(this),identityStack=core_1().Stack.of(grantee.grantPrincipal);return core_1().FeatureFlags.of(this).isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)?bucketStack.region!==identityStack.region&&this.env.region!==identityStack.region:bucketStack.region!==identityStack.region}isGranteeFromAnotherAccount(grantee){if(!iam().principalIsOwnedResource(grantee.grantPrincipal))return!1;const bucketStack=core_1().Stack.of(this),identityStack=core_1().Stack.of(grantee.grantPrincipal);return core_1().FeatureFlags.of(this).isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)?bucketStack.account!==identityStack.account&&this.env.account!==identityStack.account:bucketStack.account!==identityStack.account}}var KeySpec;(function(KeySpec2){KeySpec2.SYMMETRIC_DEFAULT="SYMMETRIC_DEFAULT",KeySpec2.RSA_2048="RSA_2048",KeySpec2.RSA_3072="RSA_3072",KeySpec2.RSA_4096="RSA_4096",KeySpec2.ECC_NIST_P256="ECC_NIST_P256",KeySpec2.ECC_NIST_P384="ECC_NIST_P384",KeySpec2.ECC_NIST_P521="ECC_NIST_P521",KeySpec2.ECC_SECG_P256K1="ECC_SECG_P256K1",KeySpec2.HMAC_224="HMAC_224",KeySpec2.HMAC_256="HMAC_256",KeySpec2.HMAC_384="HMAC_384",KeySpec2.HMAC_512="HMAC_512",KeySpec2.SM2="SM2",KeySpec2.ML_DSA_44="ML_DSA_44",KeySpec2.ML_DSA_65="ML_DSA_65",KeySpec2.ML_DSA_87="ML_DSA_87"})(KeySpec||(exports.KeySpec=KeySpec={}));var KeyUsage;(function(KeyUsage2){KeyUsage2.ENCRYPT_DECRYPT="ENCRYPT_DECRYPT",KeyUsage2.SIGN_VERIFY="SIGN_VERIFY",KeyUsage2.GENERATE_VERIFY_MAC="GENERATE_VERIFY_MAC",KeyUsage2.KEY_AGREEMENT="KEY_AGREEMENT"})(KeyUsage||(exports.KeyUsage=KeyUsage={}));let Key=Key_1=class Key2 extends KeyBase{static fromKeyArn(scope,id,keyArn){class Import extends KeyBase{constructor(keyId,props={}){super(scope,id,props),this.keyArn=keyArn,this.policy=void 0,this.trustAccountIdentities=!0,this.keyId=keyId}}const keyResourceName=core_1().Stack.of(scope).splitArn(keyArn,core_1().ArnFormat.SLASH_RESOURCE_NAME).resourceName;if(!keyResourceName)throw new(core_1()).ValidationError(`KMS key ARN must be in the format 'arn:<partition>:kms:<region>:<account>:key/<keyId>', got: '${keyArn}'`,scope);return new Import(keyResourceName,{environmentFromArn:keyArn})}static fromCfnKey(cfnKey){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_kms_CfnKey(cfnKey)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromCfnKey),error}const id="@FromCfnKey",existing=cfnKey.node.tryFindChild(id);if(existing)return existing;let keyPolicy;try{keyPolicy=iam().PolicyDocument.fromJson(cfnKey.keyPolicy)}catch{throw new(core_1()).ValidationError("Could not parse the PolicyDocument of the passed AWS::KMS::Key resource because it contains CloudFormation functions. This makes it impossible to create a mutable IKey from that Policy. You have to use fromKeyArn instead, passing it the ARN attribute property of the low-level CfnKey",cfnKey)}return cfnKey.keyPolicy=core_1().Lazy.any({produce:()=>keyPolicy.toJSON()}),new class extends KeyBase{constructor(){super(...arguments),this.keyArn=cfnKey.attrArn,this.keyId=cfnKey.ref,this.policy=keyPolicy,this.trustAccountIdentities=!1}}(cfnKey,id)}static fromLookup(scope,id,options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_kms_KeyLookupOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromLookup),error}class Import extends KeyBase{constructor(keyId,keyArn){super(scope,id),this.policy=void 0,this.trustAccountIdentities=!0,this.keyId=keyId,this.keyArn=keyArn}}if(core_1().Token.isUnresolved(options.aliasName))throw new(core_1()).ValidationError("All arguments to Key.fromLookup() must be concrete (no Tokens)",scope);const attributes=core_1().ContextProvider.getValue(scope,{provider:cxschema().ContextProvider.KEY_PROVIDER,props:{aliasName:options.aliasName},dummyValue:{keyId:Key_1.DEFAULT_DUMMY_KEY_ID},mustExist:!options.returnDummyKeyOnMissing}).value;return new Import(attributes.keyId,core_1().Arn.format({resource:"key",service:"kms",resourceName:attributes.keyId},core_1().Stack.of(scope)))}static isLookupDummy(key){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_kms_IKey(key)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.isLookupDummy),error}return key.keyId===Key_1.DEFAULT_DUMMY_KEY_ID}constructor(scope,id,props={}){super(scope,id);try{jsiiDeprecationWarnings().aws_cdk_lib_aws_kms_KeyProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Key2),error}(0,metadata_resource_1().addConstructMetadata)(this,props);const denyLists={[KeyUsage.ENCRYPT_DECRYPT]:[KeySpec.ECC_NIST_P256,KeySpec.ECC_NIST_P384,KeySpec.ECC_NIST_P521,KeySpec.ECC_SECG_P256K1,KeySpec.HMAC_224,KeySpec.HMAC_256,KeySpec.HMAC_384,KeySpec.HMAC_512],[KeyUsage.SIGN_VERIFY]:[KeySpec.SYMMETRIC_DEFAULT,KeySpec.HMAC_224,KeySpec.HMAC_256,KeySpec.HMAC_384,KeySpec.HMAC_512],[KeyUsage.GENERATE_VERIFY_MAC]:[KeySpec.RSA_2048,KeySpec.RSA_3072,KeySpec.RSA_4096,KeySpec.ECC_NIST_P256,KeySpec.ECC_NIST_P384,KeySpec.ECC_NIST_P521,KeySpec.ECC_SECG_P256K1,KeySpec.SYMMETRIC_DEFAULT,KeySpec.SM2],[KeyUsage.KEY_AGREEMENT]:[KeySpec.SYMMETRIC_DEFAULT,KeySpec.RSA_2048,KeySpec.RSA_3072,KeySpec.RSA_4096,KeySpec.ECC_SECG_P256K1,KeySpec.HMAC_224,KeySpec.HMAC_256,KeySpec.HMAC_384,KeySpec.HMAC_512]},keySpec=props.keySpec??KeySpec.SYMMETRIC_DEFAULT,keyUsage=props.keyUsage??KeyUsage.ENCRYPT_DECRYPT;if(denyLists[keyUsage].includes(keySpec))throw new(core_1()).ValidationError(`key spec '${keySpec}' is not valid with usage '${keyUsage}'`,this);if(keySpec.startsWith("HMAC")&&props.enableKeyRotation)throw new(core_1()).ValidationError("key rotation cannot be enabled on HMAC keys",this);if(keySpec!==KeySpec.SYMMETRIC_DEFAULT&&props.enableKeyRotation)throw new(core_1()).ValidationError("key rotation cannot be enabled on asymmetric keys",this);if(this.enableKeyRotation=props.enableKeyRotation,props.rotationPeriod){if(props.enableKeyRotation===!1)throw new(core_1()).ValidationError("'rotationPeriod' cannot be specified when 'enableKeyRotation' is disabled",this);if(props.rotationPeriod.toDays()<90||props.rotationPeriod.toDays()>2560)throw new(core_1()).ValidationError(`'rotationPeriod' value must between 90 and 2650 days. Received: ${props.rotationPeriod.toDays()}`,this);props.enableKeyRotation===void 0&&(this.enableKeyRotation=!0)}const defaultKeyPoliciesFeatureEnabled=core_1().FeatureFlags.of(this).isEnabled(cxapi().KMS_DEFAULT_KEY_POLICIES);if(this.policy=props.policy??new(iam()).PolicyDocument,defaultKeyPoliciesFeatureEnabled){if(props.trustAccountIdentities===!1)throw new(core_1()).ValidationError("`trustAccountIdentities` cannot be false if the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set",this);this.trustAccountIdentities=!0,props.policy||this.addDefaultAdminPolicy()}else this.trustAccountIdentities=props.trustAccountIdentities??!1,this.trustAccountIdentities?this.addDefaultAdminPolicy():this.addLegacyAdminPolicy();let pendingWindowInDays;if(props.pendingWindow&&(pendingWindowInDays=props.pendingWindow.toDays(),pendingWindowInDays<7||pendingWindowInDays>30))throw new(core_1()).ValidationError(`'pendingWindow' value must between 7 and 30 days. Received: ${pendingWindowInDays}`,this);const resource=new(kms_generated_1()).CfnKey(this,"Resource",{description:props.description,enableKeyRotation:this.enableKeyRotation,rotationPeriodInDays:props.rotationPeriod?.toDays(),enabled:props.enabled,keySpec:props.keySpec,keyUsage:props.keyUsage,keyPolicy:this.policy,multiRegion:props.multiRegion,pendingWindowInDays});this.keyArn=resource.attrArn,this.keyId=resource.ref,resource.applyRemovalPolicy(props.removalPolicy),(props.admins??[]).forEach(p=>this.grantAdmin(p)),props.alias!==void 0&&this.addAlias(props.alias)}grantAdmin(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.grantAdmin),error}return this.grant(grantee,...perms().ADMIN_ACTIONS)}addDefaultAdminPolicy(){this.addToResourcePolicy(new(iam()).PolicyStatement({resources:["*"],actions:["kms:*"],principals:[new(iam()).AccountRootPrincipal]}))}addLegacyAdminPolicy(){const actions=["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion","kms:GenerateDataKey","kms:TagResource","kms:UntagResource"];this.addToResourcePolicy(new(iam()).PolicyStatement({resources:["*"],actions,principals:[new(iam()).AccountRootPrincipal]}))}};exports.Key=Key,_a=JSII_RTTI_SYMBOL_1,Key[_a]={fqn:"aws-cdk-lib.aws_kms.Key",version:"2.213.0"},Key.PROPERTY_INJECTION_ID="aws-cdk-lib.aws-kms.Key",Key.DEFAULT_DUMMY_KEY_ID="1234abcd-12ab-34cd-56ef-1234567890ab",__decorate([(0,metadata_resource_1().MethodMetadata)()],Key.prototype,"grantAdmin",null),exports.Key=Key=Key_1=__decorate([prop_injectable_1().propertyInjectable],Key);