update

mazyu36 · mazyu36 · commit f914da98bd6e · 2024-11-05T15:35:15.000+09:00
diff --git a/packages/aws-cdk-lib/aws-synthetics/lib/canary.ts b/packages/aws-cdk-lib/aws-synthetics/lib/canary.ts
@@ -269,7 +269,7 @@ export interface CanaryProps {
    * Artifact encryption is only supported for canaries that use Synthetics runtime
    * version `syn-nodejs-puppeteer-3.3` or later.
    *
-   * @default - Artifacts are encrypted at rest using an AWS managed key
+   * @default - `ArtifactsEncryptionMode.KMS` is set if you specify `artifactS3KmsKey`, otherwise artifacts are encrypted at rest using an AWS managed key
    *
    * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_artifact_encryption.html
    */
@@ -676,7 +676,7 @@ export class Canary extends cdk.Resource implements ec2.IConnectable {
     const isNodeRuntime = props.runtime.family === RuntimeFamily.NODEJS;
 
     if (
-      props.artifactS3EncryptionMode !== ArtifactsEncryptionMode.KMS &&
+      props.artifactS3EncryptionMode === ArtifactsEncryptionMode.S3_MANAGED &&
       props.artifactS3KmsKey
     ) {
       throw new Error(`A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: ${props.artifactS3EncryptionMode}.`);
@@ -688,15 +688,27 @@ export class Canary extends cdk.Resource implements ec2.IConnectable {
     }
 
     let encryptionKey: kms.IKey | undefined;
-    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS) {
-      encryptionKey = props.artifactS3KmsKey ?? new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
+    if (props.artifactS3EncryptionMode === ArtifactsEncryptionMode.KMS && !props.artifactS3KmsKey) {
+      encryptionKey = new kms.Key(this, 'Key', { description: `Created by ${this.node.path}` });
+    } else {
+      encryptionKey = props.artifactS3KmsKey;
     }
 
     encryptionKey?.grantEncryptDecrypt(this.role);
 
+    let encryptionMode: ArtifactsEncryptionMode | undefined;
+    encryptionMode = props.artifactS3EncryptionMode ? props.artifactS3EncryptionMode
+      : props.artifactS3KmsKey ? ArtifactsEncryptionMode.KMS : undefined;
+
+    if (props.artifactS3KmsKey && !props.artifactS3EncryptionMode) {
+      encryptionMode = ArtifactsEncryptionMode.KMS;
+    } else {
+      encryptionMode = props.artifactS3EncryptionMode;
+    }
+
     return {
       s3Encryption: {
-        encryptionMode: props.artifactS3EncryptionMode,
+        encryptionMode,
         kmsKeyArn: encryptionKey?.keyArn,
       },
     };
diff --git a/packages/aws-cdk-lib/aws-synthetics/test/canary.test.ts b/packages/aws-cdk-lib/aws-synthetics/test/canary.test.ts
@@ -1031,24 +1031,33 @@ describe('artifact encryption test', () => {
     });
   });
 
-  test('SSE-S3 with a key throws', () => {
+  test('No artifactS3EncryptionMode setting with a key is set to SSE_KMS', () => {
+    // GIVEN
     const stack = new Stack();
     const key = new kms.Key(stack, 'myKey');
 
-    expect(() => {
-      new synthetics.Canary(stack, 'Canary', {
-        test: synthetics.Test.custom({
-          handler: 'index.handler',
-          code: synthetics.Code.fromInline('/* Synthetics handler code */'),
-        }),
-        runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_7_0,
-        artifactS3EncryptionMode: synthetics.ArtifactsEncryptionMode.S3_MANAGED,
-        artifactS3KmsKey: key,
-      });
-    }).toThrow('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: SSE_S3.');
+    // WHEN
+    new synthetics.Canary(stack, 'Canary', {
+      test: synthetics.Test.custom({
+        handler: 'index.handler',
+        code: synthetics.Code.fromInline('/* Synthetics handler code */'),
+      }),
+      runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_7_0,
+      artifactS3KmsKey: key,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Synthetics::Canary', {
+      ArtifactConfig: {
+        S3Encryption: {
+          EncryptionMode: 'SSE_KMS',
+          KmsKeyArn: stack.resolve(key.keyArn),
+        },
+      },
+    });
   });
 
-  test('No artifactS3EncryptionMode setting with a key throws', () => {
+  test('SSE-S3 with a key throws', () => {
     const stack = new Stack();
     const key = new kms.Key(stack, 'myKey');
 
@@ -1059,9 +1068,10 @@ describe('artifact encryption test', () => {
           code: synthetics.Code.fromInline('/* Synthetics handler code */'),
         }),
         runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_7_0,
+        artifactS3EncryptionMode: synthetics.ArtifactsEncryptionMode.S3_MANAGED,
         artifactS3KmsKey: key,
       });
-    }).toThrow('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: undefined.');
+    }).toThrow('A customer-managed KMS key was provided, but the encryption mode is not set to SSE-KMS, got: SSE_S3.');
   });
 
   test('Artifact encryption for non-Node.js runtime throws an error', () => {
