Add dry_run support to GenerateDataKeyPair/GenerateDataKeyPairWithoutPlaintext. #12505
Conversation
There was a problem hiding this comment.
Welcome to LocalStack! Thanks for raising your first Pull Request and landing in your contributions. Our team will reach out with any reviews or feedbacks that we have shortly. We recommend joining our Slack Community and share your PR on the #community channel to share your contributions with us. Please make sure you are following our contributing guidelines and our Code of Conduct.
|
All contributors have signed the CLA ✍️ ✅ |
3d91e00 to
2fee7cd
Compare
|
I have read the CLA Document and I hereby sign the CLA |
There was a problem hiding this comment.
Thanks a lot for the great contribution! In principal the code is looking great! I just found an issue (only parts of the validations are considered for the dry run), and I posted some more nitpicks and questions.
Once they have been addressed we are good to go! 🚀 💯
There was a problem hiding this comment.
Thanks a lot for addressing the comments! This is already looking great! 🤩
I only have a few more small comments / questions. We need to make sure that the test is validated, and I would like to quickly discuss the UnsupportedOperationException, the rest is just nitpicks / not blocking.
It seems that there is a small conflict though, so maybe you could quickly rebase this PR on the latest changes on master?
…ry run capability in data key pair generation
… generation with dry run support
… dry run operations
…pair generation methods
…in KMS generate data key pair tests
…_capable function
…e all valid key specs
2e96c89 to
32c20c0
Compare
There was a problem hiding this comment.
Thanks a lot for addressing the comments once more! The validation is looking good, and the reasoning on the KmsCryptoKey is sound. I really only want to check that we don't introduce an issue with the switch from the UnsupportedOperationException to the ValidationException in some cases. ;)
…andling in data key pair generation tests
… function for improved encapsulation
… of valid specs for clarity
Motivation
I am adding support for the dry_run parameter to the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations to align with AWS behavior and enhance validation capabilities.
Reference: AWS KMS Dry Run Documentation
Changes
Before these changes, the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations in KMS did not take the dry_run parameter into account. This PR updates both operations to properly respect the dry_run flag, aligning their behavior with AWS expectations.
Since IAM permission checks are not yet implemented in KMS, the primary purpose of this functionality is to determine whether a request would succeed (in which case a DryRunOperationException is raised when
dry_run=True) or fail due to validation errors, rather than to enforce or simulate IAM permissionsTesting
You can verify the behavior by executing the following CLI commands:
When the request is valid, these commands should return a DryRunOperationException. If the input is invalid, a validation error will be returned instead.