Add KMS alias and removal policies for key to DynamoDbTable construct

kris-szlapa · kris-szlapa · commit 69f1ef4669a7 · 2025-08-14T09:25:20.000Z
diff --git a/packages/cdk/constructs/DynamoDbTable.ts b/packages/cdk/constructs/DynamoDbTable.ts
@@ -6,7 +6,7 @@ import {
   Billing,
   TableEncryptionV2
 } from "aws-cdk-lib/aws-dynamodb"
-import {Key} from "aws-cdk-lib/aws-kms"
+import {Key, Alias} from "aws-cdk-lib/aws-kms"
 
 export interface DynamoDbTableProps {
   readonly tableName: string
@@ -20,13 +20,21 @@ export interface DynamoDbTableProps {
 export class DynamoDbTable extends Construct {
   public readonly table: TableV2
   public readonly kmsKey: Key
+  public readonly kmsAlias: Alias
 
   constructor(scope: Construct, id: string, props: DynamoDbTableProps) {
     super(scope, id)
 
     this.kmsKey = new Key(this, "TableKey", {
       enableKeyRotation: true,
-      description: `KMS key for ${props.tableName} DynamoDB table encryption`
+      description: `KMS key for ${props.tableName} DynamoDB table encryption`,
+      removalPolicy: RemovalPolicy.DESTROY
+    })
+
+    this.kmsAlias = new Alias(this, "TableKeyAlias", {
+      aliasName: `alias/${props.tableName}-dynamodb-key`,
+      targetKey: this.kmsKey,
+      removalPolicy: RemovalPolicy.DESTROY
     })
 
     this.table = new TableV2(this, props.tableName, {
