feat(apprunner): add kmsKey property for the AppRunner Service class (#30352)

### Issue # (if applicable)

Close #30365.

### Reason for this change
AppRunner supports for using a customer managed key to encrypt  all stored copies of your application source image or source bundle.

https://docs.aws.amazon.com/apprunner/latest/dg/security-data-protection-encryption.html

But L2 Construct (alpha module) cannot use a customer managed key.


### Description of changes
Add kmsKey property to the Service class.


### Description of how you validated changes
Add unit tests and integ tests


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-apprunner-alpha/README.md

@@ -32,7 +32,7 @@ The `Service` construct allows you to create AWS App Runner services with `ECR P
 - `Source.fromEcr()` - To define the source repository from `ECR`.
 - `Source.fromEcrPublic()` - To define the source repository from `ECR Public`.
 - `Source.fromGitHub()` - To define the source repository from the `Github repository`.
-- `Source.fromAsset()` - To define the source from local asset directory. 
+- `Source.fromAsset()` - To define the source from local asset directory.
 
 
 The `Service` construct implements `IGrantable`.
@@ -183,7 +183,7 @@ new apprunner.Service(this, 'Service', {
 ## Secrets Manager
 
 To include environment variables integrated with AWS Secrets Manager, use the `environmentSecrets` attribute.
-You can use the `addSecret` method from the App Runner `Service` class to include secrets from outside the 
+You can use the `addSecret` method from the App Runner `Service` class to include secrets from outside the
 service definition.
 
 ```ts
@@ -216,6 +216,24 @@ const service = new apprunner.Service(stack, 'Service', {
 service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
 ```
 
+## Use a customer managed key
+
+To use a customer managed key for your source encryption, use the `kmsKey` attribute.
+
+```ts
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+declare const kmsKey: kms.IKey;
+
+new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: { port: 8000 },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  kmsKey,
+});
+```
+
 ## HealthCheck
 
 To configure the health check for the service, use the `healthCheck` attribute.

packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts

@@ -1,6 +1,7 @@
 import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as assets from 'aws-cdk-lib/aws-ecr-assets';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as cdk from 'aws-cdk-lib/core';
@@ -79,7 +80,7 @@ export class Cpu {
    *
    * @param unit The unit of CPU.
    */
-  private constructor(public readonly unit: string) {}
+  private constructor(public readonly unit: string) { }
 }
 
 /**
@@ -715,6 +716,13 @@ export interface ServiceProps {
    * @default - no health check configuration
    */
   readonly healthCheck?: HealthCheck;
+
+  /**
+   * The customer managed key that AWS App Runner uses to encrypt copies of the source repository and service logs.
+   *
+   * @default - Use an AWS managed key
+   */
+  readonly kmsKey?: kms.IKey;
 }
 
 /**
@@ -1239,6 +1247,9 @@ export class Service extends cdk.Resource implements iam.IGrantable {
           this.renderCodeConfiguration(this.source.codeRepository!.codeConfiguration.configurationValues!) :
           undefined,
       },
+      encryptionConfiguration: this.props.kmsKey ? {
+        kmsKey: this.props.kmsKey.keyArn,
+      } : undefined,
       networkConfiguration: {
         egressConfiguration: {
           egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',

packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-encryption.js.snapshot/AppRunnerEncryptionDefaultTestDeployAssert21640739.assets.json

@@ -0,0 +1,146 @@
+{
+ "Resources": {
+  "Key961B73FD": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "ServiceInstanceRoleDFA90CEC": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "ServiceDBC79909": {
+   "Type": "AWS::AppRunner::Service",
+   "Properties": {
+    "EncryptionConfiguration": {
+     "KmsKey": {
+      "Fn::GetAtt": [
+       "Key961B73FD",
+       "Arn"
+      ]
+     }
+    },
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "ServiceInstanceRoleDFA90CEC",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
+    "ServiceName": "service",
+    "SourceConfiguration": {
+     "AuthenticationConfiguration": {},
+     "AutoDeploymentsEnabled": false,
+     "ImageRepository": {
+      "ImageConfiguration": {
+       "Port": "8000"
+      },
+      "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest",
+      "ImageRepositoryType": "ECR_PUBLIC"
+     }
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "URL": {
+   "Value": {
+    "Fn::Join": [
+     "",
+     [
+      "https://",
+      {
+       "Fn::GetAtt": [
+        "ServiceDBC79909",
+        "ServiceUrl"
+       ]
+      }
+     ]
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}