feat(aws-iam)!: change IEncryptedResource to extend IEnvironmentAware

mrgrain · mrgrain · commit 4ef156b10c6e · 2026-01-23T13:57:19.000Z
BREAKING CHANGE: `IEncryptedResource` now extends `IEnvironmentAware` instead of `cdk.IResource`. The `GrantableResources.isEncryptedResource()` method now requires an `IEnvironmentAware` parameter instead of `IConstruct`.
diff --git a/allowed-breaking-changes.txt b/allowed-breaking-changes.txt
@@ -4142,3 +4142,12 @@ changed-type:aws-cdk-lib.aws_ses.EventDestination.bus
 # CloudFormation has always required SecurityGroups for ManagedInstancesCapacityProvider.
 # Making it required in TypeScript catches the error at compile time instead of deploy time.
 strengthened:aws-cdk-lib.aws_ecs.ManagedInstancesCapacityProviderProps
+
+# IEncryptedResource was too strongly typed for practical use.
+# We need to weaken it and align with other traits.
+# See: https://github.com/aws/aws-cdk/pull/36787
+incompatible-argument:aws-cdk-lib.aws_iam.GrantableResources.isEncryptedResource
+base-types:aws-cdk-lib.aws_iam.IEncryptedResource
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.applyRemovalPolicy
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.node
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.stack
diff --git a/packages/aws-cdk-lib/aws-iam/lib/grant.ts b/packages/aws-cdk-lib/aws-iam/lib/grant.ts
@@ -433,11 +433,9 @@ export interface GrantOnKeyResult {
 }
 
 /**
- * A resource that contains data that can be encrypted, using a KMS key.
- *
- * [awslint:interface-extends-ref]
+ * A resource that contains data that can be encrypted, using a KMS key.s
  */
-export interface IEncryptedResource extends cdk.IResource {
+export interface IEncryptedResource extends IEnvironmentAware {
   /**
    * Gives permissions to a grantable entity to perform actions on the encryption key.
    */
@@ -468,7 +466,7 @@ export class GrantableResources {
   /**
    * Whether this resource holds data that can be encrypted using a KMS key.
    */
-  static isEncryptedResource(resource: IConstruct): resource is iam.IEncryptedResource {
+  static isEncryptedResource(resource: IEnvironmentAware): resource is iam.IEncryptedResource {
     return (resource as unknown as iam.IEncryptedResource).grantOnKey !== undefined;
   }
 }
