ferruzzi commented on PR #35839:
URL: https://github.com/apache/airflow/pull/35839#issuecomment-1825971688
At a glance, it looks right. As mentioned, we'll need to adjust it to
accept a KMS key to encrypt the EBS volume. Github makes it a bit of a pain to
collaborate on a PR like this; it would be nice to be able to add a commit to
your PR myself, but as far as I'm aware I can't do that so..... here's what
needs to be done next:
Replace Line 41 with the following block:
```
KMS_KEY_ID_KEY = "KMS_KEY_ID"
sys_test_context_task = (
SystemTestContextBuilder()
.add_variable(KMS_KEY_ID_KEY)
.build()
)
```
then add a line between 97 and 98:
```
kms_key_id = test_context[KMS_KEY_ID_KEY]
```
Then you can use that in the config{}. I'm not positive on this part, but I
/think/ you apply it by changing line 113 to
```
{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True, "KmsKeyId":
kms_key_id, "DeleteOnTermination": True}}
```
I would need to test that last part out, but the first few steps are
definitely right and will allow us to store the KMS key in SSM Parameter Store
and fetch it for the test.
Check out the [RDS Export
test](https://github.com/apache/airflow/blob/main/tests/system/providers/amazon/aws/example_rds_export.py)
for a working example of a KMS Key in a system test if I didn't make sense.
Unfortunately, as you mentioned, once you do that it still needs one of us
to actually test running it against the real service using the real KMS key.
But if we merge this as it is, we'll need to make yet another PR to make those
changes.... I'm not sure which is actually more convenient.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
