feat: add kmsKeyARN support for AWS environments#236
Open
ianaya89 wants to merge 2 commits into
Open
Conversation
Wire up the new AWS-only kmsKeyARN field exposed by the public API: - Env-level `kms_key_arn`: customer KMS key for encrypting Altinity-provisioned data buckets and EBS volumes. Create-only / immutable (absent from AWSEnvUpdateSpecInput), enforced via plan modifier. - Per-bucket `kms_key_arn` on `external_buckets`: customer-managed key granting the ClickHouse IRSA role KMS decrypt/encrypt permissions. Mutable. Regenerate the GraphQL SDK, extend toSDK/toModel mappers and unit tests (both directions), add schema attributes + descriptions, regenerate docs.
ondrej-smola
approved these changes
Jun 3, 2026
Contributor
|
we need to create examples for this |
ondrej-smola
requested changes
Jun 3, 2026
|
|
||
| Optional: | ||
|
|
||
| - `kms_key_arn` (String) Optional ARN of a customer-managed KMS key used to encrypt this bucket. When set, the ClickHouse IRSA role is granted KMS decrypt/encrypt permissions on the key so SSE-KMS-encrypted objects in the bucket can be read and written (e.g. when the bucket backs a ClickHouse external disk). |
Contributor
There was a problem hiding this comment.
this encrypt all storage (EBS, S3 buckets) so the working is not correct
- Regenerate SDK against dev schema (anywhere.dev) - Expand external_buckets kms_key_arn description (customer-owned, bucket-scoped, region-constraint note) - Add customer-managed KMS keys example for env_aws
Member
Author
|
@ondrej-smola updated docs and example. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the new AWS-only
kmsKeyARNfield. Two places in the schema, both wired up:kms_key_arnon the env — KMS key for Altinity-provisioned buckets + EBS. Immutable (create-only).kms_key_arnperexternal_buckets[]entry — customer key for ClickHouse IRSA access. Mutable.Regenerated the SDK, updated mappers/schema/docs, added unit tests both directions.
kmsKeyARN— prod must serve it before release or AWS-env queries break (confirmed on dev).