Cannot change DynamoDB serverSideEncryption from true to false #8286
Comments
Oh in my previous works there I tried to specifically avoid setting the key (because changing that property is documented to cause "some interruption"). It's pretty unfortunate that removing the key causes breakage, especially since for recent tables, "not specified" defaults to
It is definitely a good idea to originally not set the key at all. Unfortunately in my case I have a lot of tables that have set the key to true, which I'm now trying to set to false.
@kennu - I wonder if we can have it not set when the default is in use, and set to false when the user was explicit about it. That seems consistent with intent and would get you out of trouble, right?
When a table was deployed with `serverSideEncryption` set to `true` (by requesting `AWS_MANAGED` or `CUSTOM` server side encryption), it was not possible to switch back to `DEFAULT` as this could drop the `serverSideEncryption` configuration altogether, which CloudFormation will not allow. This change makes `Table` continue to not set the `serverSideEncryption` configuration if nothing was configured (the user chose the implicit default behavior), but to actually set the value explicitly to `false` if the user *explicitly* requests `DEFAULT` encryption. This makes it possible to flip away from `AWS_MANAGED` and `CUSTOM` encryption to the cheaper alternative that is `DEFAULT`. Fixes #8286
That sounds good to me, mirroring how it works in CloudFormation.
Has this CF behavior been updated in v15.1.0 maybe? https://github.com/aws/aws-cdk/blob/50f4a21f1b103910f029328d84347c5bfa0c7d56/packages/%40aws-cdk/cfnspec/CHANGELOG.md
@kennu - would you be able to verify?
Hmm... What should I be checking? Latest AWS CDK 1.47.0 still removes the {"SSEEnabled":true} attribute and gives the same "At least one of..." error on deployment if I set serverSideEncryption to false.
The other question is why the removal of The error message doesn't make sense, because
Is this a bug in DynamoDB CloudFormation?
…8450) When a table was deployed with `serverSideEncryption` set to `true` (by requesting `AWS_MANAGED` or `CUSTOM` server side encryption), it was not possible to switch back to `DEFAULT` as this could drop the `serverSideEncryption` configuration altogether, which CloudFormation will not allow. This change makes `Table` continue to not set the `serverSideEncryption` configuration if nothing was configured (the user chose the implicit default behavior), but to actually set the value explicitly to `false` if the user *explicitly* requests `DEFAULT` encryption. This makes it possible to flip away from `AWS_MANAGED` and `CUSTOM` encryption to the cheaper alternative that is `DEFAULT`. Fixes #8286 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I finally realized how this works. I replaced this:
with this:
And now I'm able to restore the default encryption mode for my tables. Thanks for fixing it.
When you have already deployed a DynamoDB table with `serverSideEncryption: true`, you cannot change it to `false`. Changing it to false results in a CloudFormation deploy error. This most likely happens because AWS CDK removes the underlying CloudFormation property `SSESpecification / SSEEnabled` instead of setting it to false at https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L1355
I have successfully changed the CloudFormation property `SSESpecification / SSEEnabled: true` to `false` when using CloudFormation directly. And I also get the same error if I try to remove the property completely.
I think AWS CDK needs some way to configure DynamoDB Tables so that the `SSESpecification / SSEEnabled: false` property is included in the CloudFormation stack.
PS: The reason to change serverSideEncryption to false is that it results in DEFAULT encryption being used, which doesn't cost anything. When serverSideEncryption is true, the mode is KMS - AWS managed CMK and AWS charges you for it. At least that's what the DynamoDB console says.
Reproduction Steps
Error Log
CloudFormation error when deploying update:
At least one of ProvisionedThroughput, BillingMode, UpdateStreamEnabled, GlobalSecondaryIndexUpdates or SSESpecification or ReplicaUpdates is required (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException
Environment
Other
This is 🐛 Bug Report
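Added example, not part of the original issue and not CDK's own code: a TypeScript model of the rendering rule described in the fix, plus a pre-deploy check that compares a deployed template with a newly synthesized one and flags tables whose `SSESpecification` would be dropped. The type names, function names and the `Orders` template are constructed for illustration; the encryption names follow the fix description in this thread.

```typescript
// Added illustration. All names here are hypothetical; this is not CDK source.
type Encryption = 'DEFAULT' | 'AWS_MANAGED' | 'CUSTOM';
interface SseSpec { SSEEnabled: boolean }
interface Resource { Type: string; Properties?: { SSESpecification?: SseSpec } }
interface Template { Resources: Record<string, Resource> }

const TABLE = 'AWS::DynamoDB::Table';

// Rule from the fix description: unset stays unset, an explicit DEFAULT renders
// SSEEnabled: false, AWS_MANAGED and CUSTOM render SSEEnabled: true.
function renderSse(encryption?: Encryption): SseSpec | undefined {
  if (encryption === undefined) return undefined;
  return { SSEEnabled: encryption !== 'DEFAULT' };
}

// Constructed one-table template for a given encryption choice.
function tableTemplate(logicalId: string, encryption?: Encryption): Template {
  const sse = renderSse(encryption);
  const properties: Resource['Properties'] = sse ? { SSESpecification: sse } : {};
  return { Resources: { [logicalId]: { Type: TABLE, Properties: properties } } };
}

// Logical IDs of tables deployed with SSEEnabled: true whose new template omits
// SSESpecification entirely, which is the update the issue reports as failing.
function findDroppedSse(deployed: Template, next: Template): string[] {
  return Object.keys(deployed.Resources).filter((id) => {
    const before = deployed.Resources[id];
    const after = next.Resources[id];
    return before?.Type === TABLE
      && before?.Properties?.SSESpecification?.SSEEnabled === true
      && after?.Type === TABLE
      && after?.Properties?.SSESpecification === undefined;
  });
}

const deployed = tableTemplate('Orders', 'AWS_MANAGED'); // constructed sample
console.log(findDroppedSse(deployed, tableTemplate('Orders')));            // property dropped
console.log(findDroppedSse(deployed, tableTemplate('Orders', 'DEFAULT'))); // explicit false
```

Run against the currently deployed template and the output of a fresh synth, a non-empty result names the tables that need an explicit `SSEEnabled: false` before the update is attempted.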