5 changes: 5 additions & 0 deletions API.md


19 changes: 19 additions & 0 deletions src/keycloak.ts
Expand Up @@ -7,6 +7,7 @@ import {
aws_rds as rds,
aws_secretsmanager as secretsmanager,
} from 'aws-cdk-lib';
import { IKey } from 'aws-cdk-lib/aws-kms';
import { Construct } from 'constructs';

// regional availibility for aurora serverless
Expand Down Expand Up @@ -276,6 +277,13 @@ export interface KeyCloakProps {
*/
readonly databaseRemovalPolicy?: cdk.RemovalPolicy;

/**
* The storage encryption key, that should be used to encrypt the database.
*
* @default Will create an aws managed key, when unspecified.
*/
readonly storageEncryptionKey?: IKey;

/**
* Overrides the default image
*
Expand Down Expand Up @@ -332,6 +340,7 @@ export class KeyCloak extends Construct {
maxCapacity: props.databaseMaxCapacity,
minCapacity: props.databaseMinCapacity,
removalPolicy: props.databaseRemovalPolicy,
storageEncryptionKey: props.storageEncryptionKey,
});
const keycloakContainerService = this.addKeyCloakContainerService({
database: this.db,
Expand Down Expand Up @@ -447,6 +456,13 @@ export interface DatabaseProps {
* @default RemovalPolicy.RETAIN
*/
readonly removalPolicy?: cdk.RemovalPolicy;

/**
* The storage encryption key, that should be used to encrypt the database.
*
* @default Will create an aws managed key, when unspecified.
*/
readonly storageEncryptionKey?: IKey;
}

/**
Expand Down Expand Up @@ -516,6 +532,7 @@ export class Database extends Construct {
version: rds.MysqlEngineVersion.VER_8_0_34,
}),
storageEncrypted: true,
...(props.storageEncryptionKey && { storageEncryptionKey: props.storageEncryptionKey }),
backupRetention: props.backupRetention ?? cdk.Duration.days(7),
credentials: rds.Credentials.fromGeneratedSecret('admin'),
instanceType: props.instanceType ?? new ec2.InstanceType('r5.large'),
Expand Down Expand Up @@ -560,6 +577,7 @@ export class Database extends Construct {
retention: props.backupRetention ?? cdk.Duration.days(7),
},
storageEncrypted: true,
...(props.storageEncryptionKey && { storageEncryptionKey: props.storageEncryptionKey }),
removalPolicy: props.removalPolicy ?? cdk.RemovalPolicy.RETAIN,
});
return {
Expand Down Expand Up @@ -620,6 +638,7 @@ export class Database extends Construct {
retention: props.backupRetention ?? cdk.Duration.days(7),
},
storageEncrypted: true,
...(props.storageEncryptionKey && { storageEncryptionKey: props.storageEncryptionKey }),
removalPolicy: props.removalPolicy ?? cdk.RemovalPolicy.RETAIN,
});
// Set Serverless V2 Scaling Configuration
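Review bot: The `@default` text on `storageEncryptionKey` (in both `KeyCloakProps` and `DatabaseProps`) says an AWS managed key will be created, but nothing in the visible code creates a key; with `storageEncrypted: true` and no key passed, RDS uses the account's existing AWS-managed key for RDS. I would reword it to `@default - the AWS managed key for RDS (aws/rds) is used` and add one sentence stating that the KMS key of an encrypted database cannot be changed in place, so setting or changing this prop on an already deployed stack makes CloudFormation replace the database. The three `...(props.storageEncryptionKey && { storageEncryptionKey: props.storageEncryptionKey })` spreads in `Database` can be the plain `storageEncryptionKey: props.storageEncryptionKey,` that the `KeyCloak` constructor already uses, since an undefined value yields the same default. The enclosing interfaces and classes start and end outside the hunks shown.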