feat: AWS KMS multi-Region Key support (#216)

CLI now supports Multi-Region Keys (MRKs).
Usage of MRKs is identical to the usage of non-MRK KMS Keys.
Though a KMS Key does not have to be a MRK Key for it to be used.

See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
for more details about AWS KMS multi-Region Keys.
See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks
for more details about how the AWS Encryption SDK interoperates
with AWS KMS multi-Region keys.

Author: seebees

CHANGELOG.rst

@@ -2,6 +2,24 @@
 Changelog
 *********
 
+3.0.0 -- 2021-06-16
+===================
+
+Features
+--------
+* AWS KMS multi-Region Key support
+
+  CLI now supports Multi-Region Keys (MRKs).
+  Usage of MRKs is identical to the usage of non-MRK KMS Keys.
+  Though a KMS Key does not have to be a MRK key for it to be used.
+
+  See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+  for more details about AWS KMS multi-Region Keys.
+
+  See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks
+  for more details about how the AWS Encryption SDK interoperates
+  with AWS KMS multi-Region keys.
+
 2.2.0 -- 2021-05-27
 ===================
 

api_compatibility_tests/compatibility-requirements/3.0.0

@@ -0,0 +1 @@
+aws-encryption-sdk-cli==3.0.0

api_compatibility_tests/tox.ini

@@ -1,6 +1,6 @@
 [tox]
 envlist =
-    py38-awses_cli_{1.7.0,1.8.0,1.9.0,2.0.0,2.1.0,2.2.0}
+    py38-awses_cli_{1.7.0,1.8.0,1.9.0,2.0.0,2.1.0,2.2.0,3.0.0}
 
 [testenv:base-command]
 commands = pytest --basetemp={envtmpdir} -l test/ {posargs}
@@ -9,13 +9,18 @@ commands = pytest --basetemp={envtmpdir} -l test/ {posargs}
 passenv =
     # Identifies AWS KMS key id to use in integration tests
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID \
+    # Identifies AWS MRK KMS key id to use in integration tests
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1 \
     # Pass through AWS credentials
     AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
     # AWS Role access in CodeBuild is via the contaner URI
     AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \
     # Pass through AWS profile name (useful for local testing)
     AWS_PROFILE \
-    # Pass through custom pip config file settings
+    # The region for the MRK aware components
+    AWS_REGION \
+    AWS_DEFAULT_REGION \
+     # Pass through custom pip config file settings
     PIP_CONFIG_FILE
 sitepackages = False
 deps =
@@ -26,6 +31,7 @@ deps =
     awses_cli_2.0.0: -rcompatibility-requirements/2.0.0
     awses_cli_2.1.0: -rcompatibility-requirements/2.1.0
     awses_cli_2.2.0: -rcompatibility-requirements/2.2.0
+    awses_cli_3.0.0: -rcompatibility-requirements/3.0.0
     awses_cli_local: -e {env:AWSES_CLI_LOCAL_PATH}
 commands = 
     {[testenv:base-command]commands}

codebuild/python_27.yml

@@ -5,6 +5,8 @@ env:
     TOXENV: "py27-integ"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

codebuild/python_35.yml

@@ -5,6 +5,8 @@ env:
     TOXENV: "py35-integ"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

codebuild/python_36.yml

@@ -5,6 +5,8 @@ env:
     TOXENV: "py36-integ"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

codebuild/python_37.yml

@@ -5,6 +5,8 @@ env:
     TOXENV: "py37-integ"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

codebuild/python_38.yml

@@ -5,6 +5,8 @@ env:
     TOXENV: "py38-integ"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

codebuild/release/validate.yml

@@ -4,6 +4,8 @@ env:
   variables:
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
 phases:
   install:

requirements.txt

@@ -1,4 +1,4 @@
 base64io>=1.0.1
-aws-encryption-sdk~=2.2
+aws-encryption-sdk~=2.3
 setuptools
 attrs>=17.1.0