Cannot change DynamoDB serverSideEncryption from true to false
When you have already deployed a DynamoDB table with serverSideEncryption: true, you cannot change it to false. Changing it to false results in a CloudFormation deploy error. This most likely happens because AWS CDK removes the underlying CloudFormation property SSESpecification / SSEEnabled instead of setting it to false at https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L1355
I have successfully changed the CloudFormation property SSESpecification / SSEEnabled: true to false when using CloudFormation directly. And I also get the same error if I try to remove the property completely.
I think AWS CDK needs some way to configure DynamoDB Tables so that the SSESpecification / SSEEnabled: false property is included in the CloudFormation stack.
PS: The reason to change serverSideEncryption to false is that it results in DEFAULT encryption being used, which doesn’t cost anything. When serverSideEncryption is true, the mode is KMS - AWS managed CMK and AWS charges you for it. At least that’s what the DynamoDB console says.
Reproduction Steps
- Deploy a DynamoDB table with serverSideEncryption: true
- Change it to serverSideEncryption: false and try to deploy the update
Error Log
CloudFormation error when deploying update:
At least one of ProvisionedThroughput, BillingMode, UpdateStreamEnabled, GlobalSecondaryIndexUpdates or SSESpecification or ReplicaUpdates is required (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException
Environment
- CLI Version : 1.42.0 (build 3b64241)
- Framework Version: 1.42.0
- OS : Linux
- Language : TypeScript
Other
This is 🐛 Bug Report
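A pre-deploy check for the transition this issue describes, as an added example that is not code from the issue or from AWS CDK: it compares the deployed CloudFormation template with the newly synthesized one and flags DynamoDB tables that had SSEEnabled: true and now omit SSESpecification instead of setting it to false. The type names, function names and sample templates are constructed for illustration.

```typescript
// Added example: types, function names and sample templates are constructed.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type SseState = "enabled" | "disabled" | "absent" | "unresolved";

// Classify SSESpecification.SSEEnabled on one resource.
function sseState(res: Resource | undefined): SseState {
  const spec = res?.Properties?.["SSESpecification"] as { SSEEnabled?: unknown } | null | undefined;
  if (spec == null || spec.SSEEnabled === undefined) return "absent";
  if (spec.SSEEnabled === true || spec.SSEEnabled === "true") return "enabled";
  if (spec.SSEEnabled === false || spec.SSEEnabled === "false") return "disabled";
  return "unresolved"; // e.g. an intrinsic function such as Ref
}

// Logical IDs of DynamoDB tables deployed with SSEEnabled: true whose new
// template omits the property instead of setting it to false.
function findDroppedSse(deployed: Template, synthesized: Template): string[] {
  const flagged: string[] = [];
  for (const id of Object.keys(synthesized.Resources)) {
    const next = synthesized.Resources[id];
    const prev = deployed.Resources[id];
    if (!next || !prev) continue; // newly created table: nothing to update
    if (next.Type !== "AWS::DynamoDB::Table" || prev.Type !== next.Type) continue;
    if (sseState(prev) === "enabled" && sseState(next) === "absent") flagged.push(id);
  }
  return flagged;
}

// Constructed sample: the currently deployed template.
const deployedTemplate: Template = { Resources: {
  OrdersTable: { Type: "AWS::DynamoDB::Table", Properties: { SSESpecification: { SSEEnabled: true } } },
  AuditTable: { Type: "AWS::DynamoDB::Table", Properties: { SSESpecification: { SSEEnabled: true } } },
  CacheTable: { Type: "AWS::DynamoDB::Table", Properties: { BillingMode: "PAY_PER_REQUEST" } },
} };

// Constructed sample: the template synthesized after the change.
const synthesizedTemplate: Template = { Resources: {
  OrdersTable: { Type: "AWS::DynamoDB::Table", Properties: {} }, // property dropped
  AuditTable: { Type: "AWS::DynamoDB::Table", Properties: { SSESpecification: { SSEEnabled: false } } },
  CacheTable: { Type: "AWS::DynamoDB::Table", Properties: { BillingMode: "PAY_PER_REQUEST" } },
} };

console.log(findDroppedSse(deployedTemplate, synthesizedTemplate)); // [ 'OrdersTable' ]
```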
Issue Analytics
- Created 3 years ago
- Comments:9 (4 by maintainers)
Top GitHub Comments
Has this CF behavior been updated in v15.1.0 maybe? https://github.com/aws/aws-cdk/blob/50f4a21f1b103910f029328d84347c5bfa0c7d56/packages/%40aws-cdk/cfnspec/CHANGELOG.md
I finally realized how this works. I replaced this:
with this:
And now I’m able to restore the default encryption mode for my tables. Thanks for fixing it.