keystore: add support for custom kms tags #48132
Conversation
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
| // All tags must match for this key to be considered for deletion. | ||
| for k, v := range a.tags { | ||
| if !slices.ContainsFunc(output.Tags, func(tag kmstypes.Tag) bool { | ||
| return aws.ToString(tag.TagKey) == k && aws.ToString(tag.TagValue) == v | ||
| }) { | ||
| return nil | ||
| } | ||
| } |
There was a problem hiding this comment.
Can you please update the tests so TestAWSKMS_DeleteUnusedKeys runs with and without custom tags set? you can turn that whole test into a subtest that takes a tags param I guess
And I want to stress it's going to be very important that some tag that's unique for the cluster gets set. For example, I would hate for some customer to stumble upon this config setting and set their own tag like owner: me - and then every KMS key with that tag will get deleted by this. Can we actually forcibly prevent this somehow? Maybe require at least one tag value to include the cluster name, or add the default TeleportCluster tag if none of the configured tags include the cluster name
There was a problem hiding this comment.
Let me think about this some more. Perhaps the best path is to keep the TeleportCluster tag and have the tags field allow for additional tags.
There was a problem hiding this comment.
What do you think of 730d1dc
It will add the TeleportCluster tag if its not specified in the tag configuration.
Co-authored-by: Nic Klaassen <[email protected]>
Co-authored-by: Nic Klaassen <[email protected]>
Co-authored-by: Nic Klaassen <[email protected]>
dboslee
added
the
no-changelog
Co-authored-by: Nic Klaassen <[email protected]>
Adds support for configuring custom tags which replace the default
TeleportClustertag. This will be used by cloud. Its important to note that changing this configuration for a Teleport cluster already running on AWS KMS could orphan keys as Teleport will only manage keys with the configured set of tags.