Move KMS key creation to S3Bucket construct for better encapsulation

Author: kris-szlapa

packages/cdk/constructs/S3Bucket.ts

@@ -10,28 +10,30 @@ import {Key} from "aws-cdk-lib/aws-kms"
 
 export interface S3BucketProps {
   readonly bucketName: string
-  readonly kmsKey: Key
   readonly versioned: boolean
 }
 
 export class S3Bucket extends Construct {
   public readonly bucket: Bucket
-  public readonly kmsKey?: Key
+  public readonly kmsKey: Key
 
   constructor(scope: Construct, id: string, props: S3BucketProps) {
     super(scope, id)
 
+    this.kmsKey = new Key(this, "BucketKey", {
+      enableKeyRotation: true,
+      description: `KMS key for ${props.bucketName} S3 bucket encryption`
+    })
+
     this.bucket = new Bucket(this, props.bucketName, {
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
       encryption: BucketEncryption.KMS,
-      encryptionKey: props.kmsKey,
+      encryptionKey: this.kmsKey,
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,
       enforceSSL: true,
       versioned: props.versioned ?? false,
       objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
     })
-
-    this.kmsKey = props.kmsKey
   }
 }

packages/cdk/resources/Storage.ts

@@ -1,5 +1,4 @@
 import {Construct} from "constructs"
-import {Key} from "aws-cdk-lib/aws-kms"
 import {S3Bucket} from "../constructs/S3Bucket"
 
 export interface StorageProps {
@@ -8,21 +7,13 @@ export interface StorageProps {
 
 export class Storage extends Construct {
   public readonly kbDocsBucket: S3Bucket
-  public readonly kbDocsKey: Key
 
   constructor(scope: Construct, id: string, props: StorageProps) {
     super(scope, id)
 
-    // Create customer-managed KMS key for knowledge base document encryption
-    this.kbDocsKey = new Key(this, "KbDocsKey", {
-      enableKeyRotation: true,
-      description: "KMS key for encrypting knowledge base documents"
-    })
-
     // Create S3 bucket for knowledge base documents with encryption
     this.kbDocsBucket = new S3Bucket(this, "DocsBucket", {
       bucketName: `${props.stackName}-Docs`,
-      kmsKey: this.kbDocsKey,
       versioned: true
     })
   }