feat(codepipeline): change default value for crossAccountKeys to false (under feature flag)

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts

@@ -52,6 +52,7 @@ const prodStage = {
 };
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     sourceStage,
     prodStage,

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts

@@ -20,7 +20,9 @@ new lambda.Function(lambdaStack, 'Lambda', {
 // other resources that your Lambda needs, added to the lambdaStack...
 
 const pipelineStack = new cdk.Stack(app, 'PipelineStack');
-const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline');
+const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+  crossAccountKeys: true,
+});
 
 // add the source code repository containing this code to your Pipeline,
 // and the source code of the Lambda Function, if they're separate

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.ts

@@ -10,7 +10,9 @@ const app = new cdk.App();
 
 const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-lambda');
 
-const pipeline = new codepipeline.Pipeline(stack, 'Pipeline');
+const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
+});
 
 const sourceStage = pipeline.addStage({ stageName: 'Source' });
 const bucket = new s3.Bucket(stack, 'PipelineBucket', {

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts

@@ -39,6 +39,7 @@ const deployStage = {
 };
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     sourceStage,
     deployStage,

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.ts

@@ -8,7 +8,9 @@ const app = new cdk.App();
 
 const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-cloudformation');
 
-const pipeline = new codepipeline.Pipeline(stack, 'Pipeline');
+const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
+});
 
 const bucket = new s3.Bucket(stack, 'PipelineBucket', {
   versioned: true,

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.ts

@@ -47,6 +47,7 @@ const testAction = new cpactions.CodeBuildAction({
 });
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'source',

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-custom-event.ts

@@ -32,6 +32,7 @@ const eventPattern
 
 const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', {
   pipelineName: 'IntegCustomEventPipeline',
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'source',

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-main.ts

@@ -15,6 +15,7 @@ const repo = new codecommit.Repository(stack, 'MyRepo', {
 });
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'source',

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.ts

@@ -16,6 +16,7 @@ const repo = new codecommit.Repository(stack, 'MyRepo', {
 });
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'source',

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.ts

@@ -13,7 +13,9 @@ const app = new cdk.App();
 
 const stack = new cdk.Stack(app, 'aws-cdk-pipeline-event-target');
 
-const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline');
+const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline', {
+  crossAccountKeys: true,
+});
 
 const repository = new codecommit.Repository(stack, 'CodeCommitRepo', {
   repositoryName: 'foo',

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.ts

@@ -15,7 +15,9 @@ const simpleStateMachine = new stepfunctions.StateMachine(stack, 'SimpleStateMac
   definition: startState,
 });
 
-const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline');
+const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline', {
+  crossAccountKeys: true,
+});
 pipeline.addStage({
   stageName: 'Source',
   actions: [

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.ts

@@ -31,6 +31,7 @@ const bucket = new Bucket(stack1, 'ReplicationBucket', {
 
 const artifact = new Artifact();
 const pipeline = new Pipeline(stack2, 'Pipeline', {
+  crossAccountKeys: true,
   crossRegionReplicationBuckets: {
     'us-east-1': bucket,
   },

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.ts

@@ -16,6 +16,7 @@ const bucket = new s3.Bucket(bucketStack, 'Bucket', {
 const pipelineStack = new Stack(app, 'PipelineStack');
 const sourceOutput = new codepipeline.Artifact();
 new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'Source',

packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codepipeline/integ.pipeline-event-target.ts

@@ -38,7 +38,9 @@ const repo = new codecommit.Repository(stack, 'Repo', {
   repositoryName: 'TestRepository',
 });
 
-const pipeline = new codepipeline.Pipeline(stack, 'pipelinePipeline22F2A91D');
+const pipeline = new codepipeline.Pipeline(stack, 'pipelinePipeline22F2A91D', {
+  crossAccountKeys: true,
+});
 
 const srcArtifact = new codepipeline.Artifact('Src');
 pipeline.addStage({

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts

@@ -44,6 +44,7 @@ export class TestCdkStack extends Stack {
     });
 
     const pipeline = new cdkp.CdkPipeline(this, 'TestPipeline', {
+      crossAccountKeys: true,
       selfMutating: false,
       pipelineName: 'TestPipeline',
       cloudAssemblyArtifact,

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts

@@ -47,6 +47,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
       autoDeleteObjects: true,
     });
     const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
+      crossAccountKeys: true,
       cloudAssemblyArtifact,
       singlePublisherPerType: true,
 

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts

@@ -47,6 +47,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
       autoDeleteObjects: true,
     });
     const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
+      crossAccountKeys: true,
       cloudAssemblyArtifact,
 
       // Where the source can be found

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts

@@ -37,6 +37,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
       autoDeleteObjects: true,
     });
     const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
+      crossAccountKeys: true,
       cloudAssemblyArtifact,
 
       // Where the source can be found

packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.ts

@@ -199,6 +199,7 @@ const deployAction = new S3DeployAction({
   extract: true,
 });
 const pipeline = new Pipeline(stack, 'MyPipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'beta',

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.codepipeline-start-pipeline-execution.ts

@@ -58,6 +58,7 @@ const deployment = new BucketDeployment(stack, 'BucketDeployment', {
   ],
 });
 const pipeline = new Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     {
       stageName: 'source',

packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -64,6 +64,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) |
 | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) |
 | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) |
+| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) |
 
 <!-- END table -->
 
@@ -118,7 +119,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
     "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
     "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
-    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
   }
 }
 ```
@@ -1213,4 +1215,20 @@ If the flag is set to false then it can only make one alarm for the Lambda with
 | 2.124.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse
+
+*Enables Pipeline to set the default value for crossAccountKeys to false.* (default)
+
+When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline`
+construct, the construct automatically defaults the value of this property to false.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.
+
+
 <!-- END details -->

packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts

@@ -52,6 +52,7 @@ const prodStage = {
 };
 
 new codepipeline.Pipeline(stack, 'Pipeline', {
+  crossAccountKeys: true,
   stages: [
     sourceStage,
     prodStage,

packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts

@@ -19,7 +19,9 @@ new lambda.Function(lambdaStack, 'Lambda', {
 // other resources that your Lambda needs, added to the lambdaStack...
 
 const pipelineStack = new cdk.Stack(app, 'PipelineStack');
-const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline');
+const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+  crossAccountKeys: true,
+});
 
 // add the source code repository containing this code to your Pipeline,
 // and the source code of the Lambda Function, if they're separate

packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts

@@ -153,7 +153,8 @@ export interface PipelineProps {
    * encrypted with an AWS-managed key). However, cross-account deployments will
    * no longer be possible.
    *
-   * @default true
+   * @default false - false if the feature flag `CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE`
+   * is true, true otherwise
    */
   readonly crossAccountKeys?: boolean;
 
@@ -386,8 +387,9 @@ export class Pipeline extends PipelineBase {
       throw new Error('Only one of artifactBucket and crossRegionReplicationBuckets can be specified!');
     }
 
-    // @deprecated(v2): switch to default false
-    this.crossAccountKeys = props.crossAccountKeys ?? true;
+    // The feature flag is set to true by default for new projects, otherwise false.
+    this.crossAccountKeys = props.crossAccountKeys
+      ?? (FeatureFlags.of(this).isEnabled(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE) ? false : true);
     this.enableKeyRotation = props.enableKeyRotation;
 
     // Cross account keys must be set for key rotation to be enabled

packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts

@@ -495,6 +495,49 @@ describe('', () => {
           'EnableKeyRotation': true,
         });
       });
+
+      test('crossAccountKeys as default value is set to false when feature flag is enabled', () => {
+        const app = new cdk.App();
+        app.node.setContext(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE, true);
+
+        const stack = new cdk.Stack(app, 'PipelineStack');
+        const sourceOutput = new codepipeline.Artifact();
+        new codepipeline.Pipeline(stack, 'Pipeline', {
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+            },
+            {
+              stageName: 'Build',
+              actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+            },
+          ],
+        });
+
+        Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 0);
+      });
+
+      test('crossAccountKeys as default value is set to true when feature flag is not set', () => {
+        const app = new cdk.App();
+
+        const stack = new cdk.Stack(app, 'PipelineStack');
+        const sourceOutput = new codepipeline.Artifact();
+        new codepipeline.Pipeline(stack, 'Pipeline', {
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+            },
+            {
+              stageName: 'Build',
+              actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+            },
+          ],
+        });
+
+        Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 1);
+      });
     });
   });
 

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -64,6 +64,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) |
 | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) |
 | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) |
+| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) |
 
 <!-- END table -->
 
@@ -118,7 +119,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
     "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
     "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
-    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
   }
 }
 ```
@@ -1213,4 +1215,20 @@ If the flag is set to false then it can only make one alarm for the Lambda with
 | 2.124.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse
+
+*Enables Pipeline to set the default value for crossAccountKeys to false.* (default)
+
+When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline`
+construct, the construct automatically defaults the value of this property to false.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.
+
+
 <!-- END details -->

packages/aws-cdk-lib/cx-api/README.md

@@ -258,3 +258,20 @@ _cdk.json_
   }
 }
 ```
+
+* `@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse`
+
+Enables Pipeline to set the default value for `crossAccountKeys` to false.
+
+When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline`
+construct, the construct automatically defaults the value of this property to false.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true
+  }
+}
+```

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -98,6 +98,7 @@ export const AURORA_CLUSTER_CHANGE_SCOPE_OF_INSTANCE_PARAMETER_GROUP_WITH_EACH_P
 export const APPSYNC_ENABLE_USE_ARN_IDENTIFIER_SOURCE_API_ASSOCIATION = '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier';
 export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource';
 export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction';
+export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse';
 
 export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////
@@ -993,6 +994,19 @@ export const FLAGS: Record<string, FlagInfo> = {
     introducedIn: { v2: '2.124.0' },
     recommendedValue: true,
   },
+
+  //////////////////////////////////////////////////////////////////////
+  [CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE]: {
+    type: FlagType.ApiDefault,
+    summary: 'Enables Pipeline to set the default value for crossAccountKeys to false.',
+    detailsMd: `
+      When this feature flag is enabled, and the \`crossAccountKeys\` property is not provided in a \`Pipeline\`
+      construct, the construct automatically defaults the value of this property to false.
+    `,
+    introducedIn: { v2: 'V2NEXT' },
+    recommendedValue: true,
+    compatibilityWithOldBehaviorMd: 'Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.',
+  },
 };
 
 const CURRENT_MV = 'v2';