fix(cdk): resolve #37783 by fixing missing top-level sseSpecification…#37982
gingeekrishna wants to merge 2 commits into
…ion for TableV2MultiAccountReplica
👋 It looks like your PR description references an issue, but not in the expected location. The issue number must appear in the first section of the description (the first two lines), following the template format: Please move your issue reference to the top of the description.
Pull request overview
Fixes DynamoDB TableV2MultiAccountReplica synthesis for customer-managed KMS encryption by ensuring the generated AWS::DynamoDB::GlobalTable includes the required top-level SSESpecification, preventing CloudFormation validation failures when replica-level KMS key settings are present.
Changes:
- Render top-level `sseSpecification` for `TableV2MultiAccountReplica` using the existing encryption helper (`_renderSseSpecification()`).
- Extend the existing regression test to assert `SSESpecification` includes `SSEEnabled: true` and `SSEType: KMS` for the multi-account replica custom-encryption case.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/aws-cdk-lib/aws-dynamodb/lib/table-v2.ts | Adds top-level sseSpecification rendering to TableV2MultiAccountReplica to match required CloudFormation behavior for KMS encryption. |
| packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts | Updates the multi-account replica encryption test to assert presence of top-level SSESpecification (KMS). |
…ryption Adds regression test coverage for TableV2MultiAccountReplica with customer-managed encryption, validating that the top-level SSESpecification is correctly set. This test demonstrates the fix for aws#37783.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| * b. `export CDK_INTEG_MULTI_ACCOUNT=222222222222` | ||
| * | ||
| * 3. Run the integ test (from the @aws-cdk-testing/framework-integ/test directory) | ||
| * a. `yarn integ aws-dynamodb/test/integ.dynamodb-v2.cross-account-replica-kms.js` |
… for TableV2MultiAccountReplica
Issue # (if applicable)
Closes #37783.
Reason for this change
TableV2MultiAccountReplica did not set the top-level SSESpecification when using TableEncryptionV2.customerManagedKey(...). As a result, the generated AWS::DynamoDB::GlobalTable could include replica-level SSE key settings without declaring top-level SSE mode, which causes CloudFormation validation and deployment failure.
Description of changes
Added top-level SSE specification rendering in TableV2MultiAccountReplica:
- `sseSpecification: props.encryption?._renderSseSpecification()`
Kept existing replica-level SSE rendering unchanged.
Updated regression test coverage to assert top-level SSESpecification includes:
- `SSEEnabled: true`
- `SSEType: KMS`
Why this fixes the issue:
GlobalTable encryption mode must be declared at the top level when using KMS encryption. Rendering top-level SSESpecification aligns TableV2MultiAccountReplica behavior with TableV2 and prevents the validation failure.
Alternatives considered:
- User-side escape hatch overrides were rejected since they require per-app manual patching and do not fix library behavior.
- API changes were rejected as unnecessary and potentially breaking.
Design decisions:
- Minimal, backward-compatible change with no public API modifications.
- Reused existing encryption rendering helper logic.
Describe any new or updated permissions being added
No new or updated IAM permissions are added.
This change only affects synthesized DynamoDB GlobalTable encryption properties.
Description of how you validated changes
- Added/updated unit regression assertions in the DynamoDB TableV2 test suite for multi-account replica custom encryption.
- Verified branch contains only the intended code and test changes.
- Local focused test execution in this Windows environment encountered Jest discovery/config path issues; the regression assertion update is included and scoped to this behavior.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.
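The constraint this PR describes (a GlobalTable whose replicas carry a KMS key must also declare top-level SSE mode) can be checked on any synthesized template, not only on ones produced by TableV2MultiAccountReplica. The following is an added example, not code from this PR or from aws-cdk-lib: a small lint over a CloudFormation template object that flags the exact shape the unfixed synthesis produced, and also flags a top-level SSESpecification whose SSEType is not KMS. The key ARNs in the sample templates are constructed placeholders.

```typescript
// Added example (not from the PR or aws-cdk-lib): flag AWS::DynamoDB::GlobalTable
// resources whose replicas set ReplicaSSESpecification.KMSMasterKeyId while the
// top-level SSESpecification is absent or is not { SSEEnabled: true, SSEType: KMS }.

interface ReplicaSpec { Region: string; ReplicaSSESpecification?: { KMSMasterKeyId?: unknown } }
interface GlobalTableProps { Replicas?: ReplicaSpec[]; SSESpecification?: { SSEEnabled?: unknown; SSEType?: unknown } }
interface CfnResource { Type?: string; Properties?: GlobalTableProps }
interface CfnTemplate { Resources?: Record<string, CfnResource> }

function findGlobalTableSseGaps(template: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::DynamoDB::GlobalTable') continue;
    const props = res.Properties ?? {};
    // Only replicas that reference a KMS key require the top-level declaration.
    const replicaUsesKms = (props.Replicas ?? []).some(
      (r) => r.ReplicaSSESpecification?.KMSMasterKeyId !== undefined,
    );
    if (!replicaUsesKms) continue;
    const sse = props.SSESpecification;
    if (sse === undefined) {
      findings.push(`${logicalId}: replica-level KMS key set but top-level SSESpecification is missing`);
    } else if (sse.SSEEnabled !== true || sse.SSEType !== 'KMS') {
      findings.push(`${logicalId}: top-level SSESpecification must declare SSEEnabled: true and SSEType: KMS`);
    }
  }
  return findings;
}

// Constructed sample: the shape the unfixed synthesis produced (placeholder key ARNs).
const brokenTemplate: CfnTemplate = {
  Resources: {
    GlobalTable: {
      Type: 'AWS::DynamoDB::GlobalTable',
      Properties: {
        Replicas: [
          { Region: 'us-east-1', ReplicaSSESpecification: { KMSMasterKeyId: 'arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER' } },
          { Region: 'eu-west-1', ReplicaSSESpecification: { KMSMasterKeyId: 'arn:aws:kms:eu-west-1:111111111111:key/PLACEHOLDER' } },
        ],
      },
    },
  },
};

// Constructed sample: the same table with the top-level declaration the fix renders.
const fixedTemplate: CfnTemplate = {
  Resources: {
    GlobalTable: {
      ...brokenTemplate.Resources!.GlobalTable,
      Properties: { ...brokenTemplate.Resources!.GlobalTable.Properties, SSESpecification: { SSEEnabled: true, SSEType: 'KMS' } },
    },
  },
};
```

Running `findGlobalTableSseGaps` over the output of `cdk synth` (parsed as JSON) before deployment surfaces the misconfiguration at build time rather than as a CloudFormation validation failure.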