Cannot change DynamoDB serverSideEncryption from true to false

[kennu]

When you have already deployed a DynamoDB table with serverSideEncryption: true, you cannot change it to false. Changing it to false results in a CloudFormation deploy error. This most likely happens because AWS CDK removes the underlying CloudFormation property SSESpecification / SSEEnabled instead of setting it to false at https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L1355

I have successfully changed the CloudFormation property SSESpecification / SSEEnabled: true to false when using CloudFormation directly. And I also get the same error if I try to remove the property completely.

I think AWS CDK needs some way to configure DynamoDB Tables so that the SSESpecification / SSEEnabled: false property is included in the CloudFormation stack.

PS: The reason to change serverSideEncryption to false is that it results in DEFAULT encryption being used, which doesn't cost anything. When serverSideEncryption is true, the mode is KMS - AWS managed CMK and AWS charges you for it. At least that's what the DynamoDB console says.

Reproduction Steps

1. Deploy a DynamoDB table with serverSideEncryption: true
2. Change it to serverSideEncryption: false and try to deploy the update

Error Log

CloudFormation error when deploying update:

At least one of ProvisionedThroughput, BillingMode, UpdateStreamEnabled, GlobalSecondaryIndexUpdates or SSESpecification or ReplicaUpdates is required (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException

Environment

• CLI Version : 1.42.0 (build 3b64241)
• Framework Version: 1.42.0
• OS : Linux
• Language : TypeScript

Other

---

This is 🐛 Bug Report

[RomainMuller]

Oh in my previous works there I tried to specifically avoid setting the key (because changing that property is documented to cause "some interruption"). It's pretty unfortunate that removing the key causes breakage, especially since for recent tables, "not specified" defaults to false.

[kennu]

It is definitely a good idea to originally not set the key at all. Unfortunately in my case I have a lot of tables that have set the key to true, which I'm now trying to set to false.

[RomainMuller]

@kennu - I wonder if we can have it not set when the default is in use, and set to false when the user was explicit about it. That seems consistent with intent and would get you out of trouble, right?

[kennu]

That sounds good to me, mirroring how it works in CloudFormation.

[jogold]

Has this CF behavior been updated in v15.1.0 maybe? https://github.com/aws/aws-cdk/blob/50f4a21f1b103910f029328d84347c5bfa0c7d56/packages/%40aws-cdk/cfnspec/CHANGELOG.md

• AWS::DynamoDB::Table SSESpecification.UpdateType (changed)
  • Old: Conditional
  • New: Mutable

[RomainMuller]

@kennu - would you be able to verify?

[kennu]

Hmm... What should I be checking? Latest AWS CDK 1.47.0 still removes the {"SSEEnabled":true} attribute and gives the same "At least one of..." error on deployment if I set serverSideEncryption to false.

[qchero]

The other question is why the removal of SSESpecification cause issues? SSESpecification is an optional key. Setting it
with SSEEnabled: false or removing it has the same effect.

The error message doesn't make sense, because ProvisionedThroughput or BillingMode is still there.

At least one of ProvisionedThroughput, BillingMode, UpdateStreamEnabled, GlobalSecondaryIndexUpdates or SSESpecification or ReplicaUpdates is required (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException

Is this a bug in DynamoDB CloudFormation?

[kennu]

I finally realized how this works. I replaced this:

      serverSideEncryption: true,

with this:

      encryption: TableEncryption.DEFAULT,

And now I'm able to restore the default encryption mode for my tables. Thanks for fixing it.