amplify-category-api
updating KMS key of DynamoDB tables does not take effect
Environment information
System:
  OS: Linux 6.8 Ubuntu 22.04.5 LTS 22.04.5 LTS (Jammy Jellyfish)
  CPU: (8) x64 Intel(R) Xeon(R) Platinum 8488C
  Memory: 24.58 GB / 30.82 GB
  Shell: /usr/bin/zsh
Binaries:
  Node: 20.18.0 - ~/.nvm/versions/node/v20.18.0/bin/node
  Yarn: 1.22.22 - ~/.linuxbrew/homebrew/bin/yarn
  npm: 10.8.2 - ~/.nvm/versions/node/v20.18.0/bin/npm
  pnpm: 9.15.4 - ~/.nvm/versions/node/v20.18.0/bin/pnpm
NPM Packages:
  @aws-amplify/auth-construct: 1.6.0
  @aws-amplify/backend: 1.14.1
  @aws-amplify/backend-ai: Not Found
  @aws-amplify/backend-auth: 1.5.0
  @aws-amplify/backend-cli: 1.4.11
  @aws-amplify/backend-data: 1.4.0
  @aws-amplify/backend-deployer: 1.1.17
  @aws-amplify/backend-function: 1.12.2
  @aws-amplify/backend-output-schemas: 1.4.0
  @aws-amplify/backend-output-storage: 1.1.4
  @aws-amplify/backend-secret: 1.1.6
  @aws-amplify/backend-storage: 1.2.4
  @aws-amplify/cli-core: 1.2.4
  @aws-amplify/client-config: 1.5.7
  @aws-amplify/data-construct: 1.14.6
  @aws-amplify/data-schema: 1.17.4
  @aws-amplify/deployed-backend-client: 1.5.0
  @aws-amplify/form-generator: 1.0.4
  @aws-amplify/model-generator: 1.0.12
  @aws-amplify/platform-core: 1.6.3
  @aws-amplify/plugin-types: 1.8.0
  @aws-amplify/sandbox: 1.2.11
  @aws-amplify/schema-generator: 1.2.7
  aws-amplify: 6.13.1
  aws-cdk: 2.1000.2
  aws-cdk-lib: 2.180.0
  typescript: 5.7.3
No AWS environment variables
No CDK environment variables
Data packages
[email protected] /data/git/ivt-portal
├─┬ @aws-amplify/[email protected]
│ └─┬ @aws-amplify/[email protected]
│ └── @aws-amplify/[email protected]
└─┬ @aws-amplify/[email protected]
└─┬ @aws-amplify/[email protected]
└── @aws-amplify/[email protected]
Description
I'm configuring the DDB zero-ETL to Redshift, which requires the DDB tables not to use the AWS-managed KMS key. So I created a KMS key and specified it for the table, but it does not take effect after updating the stack.
The example code looks like this:
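import { Duration, RemovalPolicy } from "aws-cdk-lib";
import { Key } from "aws-cdk-lib/aws-kms";

// `backend` is the object returned by defineBackend() in amplify/backend.ts.
// Customer-managed KMS key intended to replace the default table encryption key.
const key = new Key(backend.stack, "My-Key", {
  enableKeyRotation: true,
  removalPolicy: RemovalPolicy.DESTROY,
  pendingWindow: Duration.days(7),
});

// Apply the key to every DynamoDB table generated by the Amplify data module.
const { amplifyDynamoDbTables } = backend.data.resources.cfnResources;
for (const amplifyTable of Object.values(amplifyDynamoDbTables)) {
  amplifyTable.pointInTimeRecoveryEnabled = true;
  amplifyTable.sseSpecification = {
    kmsMasterKeyId: key.keyArn,
    sseEnabled: true,
  };
}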
Due to the DDB in the data module being managed by the custom resource Custom::AmplifyDynamoDBTable, I did see the event parameter with the new key ID in the log, but the function did not update the table with the new KMS key.
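Added example, not part of the original issue report or the Amplify code base: a post-deployment check that compares the encryption state DynamoDB reports for each table against the key the stack was supposed to apply. The function names, the key ARN and the table descriptions are constructed for illustration; in practice the input would be the `Table` field of each DescribeTable response.

```typescript
// Subset of the DynamoDB DescribeTable response that carries encryption state.
interface SseDescription { Status?: string; SSEType?: string; KMSMasterKeyArn?: string }
interface TableDescription { TableName: string; SSEDescription?: SseDescription }

type SseFinding = "ok" | "aws-owned-key" | "not-enabled" | "different-key";

function checkTableKey(table: TableDescription, expectedKeyArn: string): SseFinding {
  const sse = table.SSEDescription;
  // SSEDescription is absent when the table uses the default AWS owned key.
  if (!sse) return "aws-owned-key";
  // ENABLING / UPDATING / DISABLING / DISABLED: the change has not landed.
  if (sse.Status !== "ENABLED") return "not-enabled";
  // Any other ARN is either the AWS managed key or an unrelated customer key;
  // telling those apart needs a KMS DescribeKey call, which is out of scope here.
  if (sse.SSEType !== "KMS" || sse.KMSMasterKeyArn !== expectedKeyArn) return "different-key";
  return "ok";
}

// Returns only the tables whose reported key does not match the expected one.
function findKeyDrift(tables: TableDescription[], expectedKeyArn: string) {
  return tables
    .map((t) => ({ table: t.TableName, finding: checkTableKey(t, expectedKeyArn) }))
    .filter((r) => r.finding !== "ok");
}

// Constructed sample data (placeholder account id, key ids and table names).
const KEY_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/";
const EXPECTED_KEY_ARN = KEY_PREFIX + "00000000-0000-0000-0000-000000000001";
const SAMPLE_TABLES: TableDescription[] = [
  { TableName: "Todo-sample", SSEDescription: {
      Status: "ENABLED", SSEType: "KMS", KMSMasterKeyArn: EXPECTED_KEY_ARN } },
  { TableName: "Order-sample" }, // never switched away from the default key
  { TableName: "User-sample", SSEDescription: {
      Status: "ENABLED", SSEType: "KMS",
      KMSMasterKeyArn: KEY_PREFIX + "00000000-0000-0000-0000-000000000002" } },
  { TableName: "Audit-sample", SSEDescription: {
      Status: "UPDATING", SSEType: "KMS", KMSMasterKeyArn: EXPECTED_KEY_ARN } },
];

for (const r of findKeyDrift(SAMPLE_TABLES, EXPECTED_KEY_ARN)) {
  console.log(`${r.table}: ${r.finding}`);
}
```

Running a check like this after each deployment surfaces the condition reported here, where the stack update succeeds but the table keeps its previous key.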