feat(pipes-alpha): support for customer-managed KMS keys to encrypt pipe data

[badmintoncryer]

Issue # (if applicable)

None

Reason for this change

AWS Pipes supports for encrypting data by customer managed KMS key instead of Amazon managed key.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.html

The L2 Pipe construct does not support this feature now.

Description of changes

• Add kmsKey prop to PipeProps

Describe any new or updated permissions being added

None

Description of how you validated changes

Add both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

Removed several unnecessary spaces.

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.17%. Comparing base (8494ad0) to head (9489730).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33546   +/-   ##
=======================================
  Coverage   82.17%   82.17%           
=======================================
  Files         119      119           
  Lines        6862     6862           
  Branches     1158     1158           
=======================================
  Hits         5639     5639           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.17% <ø> (ø)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 9489730
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mazyu36]

Thanks for your contribution! I think it's mostly fine.
I've added one question.

Also, I previously opened an issue here: #31453.
Would it be possible to link this contribution to that issue?

[mazyu36]

Just a question—did it work correctly even without setting a key policy?

When I previously attempted to contribute to this, I encountered an error without a key policy, but I couldn't come up with a proper way to configure it and had to give up at the time.

It might have been my misunderstanding back then, or something might have changed with an update. If it worked fine, please just ignore this question.

Ref: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-key-policy.html#eb-encryption-key-policy-pipe

[badmintoncryer]

You are absolutely right.. I misunderstood that this implementation would be work fine. Thank you for your great suggestion.

How about adding the restriction that makes pipeName mandatory when kmsKey is provided?
This idea is not ideal, but it would provide the minimum feature that enables us to configure CMK for Pipes.

[mazyu36]

Thank you for confirming. So that's how it is...
I think your suggested solution is good.​​​​​​​​​​​​​​​​

Personally, I've been considering the following three options:

1. Make name mandatory when kmsKey is specified. This is the same as the suggestion you provided.
2. Instead of setting name to undefined when it's not specified, automatically generate it using Names.uniquid. However, I understand this would be a breaking change.
3. Configure kmsKey using a custom resource. I think this option is not ideal.

Based on the above, I believe option 1 or option 2 would be good, and I think option 1 would be better to avoid a breaking change.