Hi,
I'm trying to set the default server-side encryption in S3, using the aws_s3.CfnBucket module.
The problem is that if I implement a setting of the type AWS::S3::Bucket.BucketEncryption in the bucket_encryption parameter (as stated here in the docs), using a value like {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}} throws an error, saying that it expects an object reference.
The problem is that I also tried to use the same object as used in the aws_s3.Bucket Construct (e.g. aws_s3.BucketEncryption.S3_MANAGED), but it is not recognised either - it seems to me that this reference (@aws-cdk/aws-s3.CfnBucket.BucketEncryptionProperty: serverSideEncryptionConfiguration) is not correctly implemented for Python.
Create a CDK App using Python and add the following code inside the Stack:
    bucket = aws_s3.CfnBucket(
        self,
        "bucket",
        bucket_name="my_bucket",
        bucket_encryption={"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}},
    )
Then try to run any CDK command, like cdk ls or cdk synth.
When using a direct reference:
jsii.errors.JSIIError: Value did not match any type in union: Expected object reference, got {"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}},Missing required properties for @aws-cdk/aws-s3.CfnBucket.BucketEncryptionProperty: serverSideEncryptionConfiguration
When using aws_s3.BucketEncryption:
jsii.errors.JSIIError: Value did not match any type in union: Expected object reference, got {"$jsii.enum":"@aws-cdk/aws-s3.BucketEncryption/S3_MANAGED"},Missing required properties for @aws-cdk/aws-s3.CfnBucket.BucketEncryptionProperty: serverSideEncryptionConfiguration
This is :bug: Bug Report
As seen in https://github.com/aws/aws-cdk/issues/4900, the Interface exists, but it's not documented in Python's implementation.
I was able to find the correct usage using the TS docs (lots of trial and error involved):
    bucket_encryption=s3.CfnBucket.BucketEncryptionProperty(
        server_side_encryption_configuration=[
            s3.CfnBucket.ServerSideEncryptionRuleProperty(
                server_side_encryption_by_default=s3.CfnBucket.ServerSideEncryptionByDefaultProperty(
                    sse_algorithm="AES256"
                )
            )
        ]
    ),
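The error messages above name the required property serverSideEncryptionConfiguration, which is the rule-list wrapper the flat dict lacked. As an added example (not part of this thread and not CDK project code), the check below walks a synthesized CloudFormation template and flags S3 buckets whose BucketEncryption is absent or lacks that rule list; the sample template, the function name and the accepted-algorithm list are assumptions made for the example.

```python
# Accepted algorithms are an assumed policy for this example.
ALLOWED_ALGORITHMS = ("AES256", "aws:kms")

# Constructed sample template (not taken from the issue's stack).
SAMPLE_TEMPLATE = {
    "Resources": {
        # Flat shape from the failing call: the rule-list wrapper is missing.
        "FlatBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {
                "ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}},
        },
        # Nested shape that the working call synthesizes to.
        "NestedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        },
        "PlainBucket": {"Type": "AWS::S3::Bucket"},
        "Topic": {"Type": "AWS::SNS::Topic"},
    }
}


def encryption_findings(template):
    """Map each S3 bucket's logical ID to the reason its default encryption is unusable."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        encryption = resource.get("Properties", {}).get("BucketEncryption")
        if not isinstance(encryption, dict):
            findings[logical_id] = "no BucketEncryption"
            continue
        rules = encryption.get("ServerSideEncryptionConfiguration")
        if not isinstance(rules, list) or not rules:
            findings[logical_id] = "missing ServerSideEncryptionConfiguration list"
            continue
        algorithms = [
            (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
            for rule in rules if isinstance(rule, dict)
        ]
        # Tuple membership uses equality, so unresolved intrinsics (dicts) are safe here.
        if not any(a in ALLOWED_ALGORITHMS for a in algorithms):
            findings[logical_id] = "no accepted SSEAlgorithm"
    return findings


if __name__ == "__main__":
    for logical_id, reason in encryption_findings(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {reason}")
```

To run the same check on a real stack, load the template JSON that cdk synth writes under cdk.out with json.load and pass the resulting dict to encryption_findings.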
@eduardohki glad you got it working. Are you OK with closing this issue?
(BTW, can I ask why you're using the L1 construct (CfnBucket) instead of the L2 one (Bucket)?)
@skinny85 feel free to close it.
I used the L1 construct because I needed a bucket with Access Logging enabled - which I didn't find in the L2 construct.
@eduardohki it should still be possible to use s3.Bucket and only patch the specific properties using escape hatches.
@RomainMuller what would it take to support passing this by-value in Python?
Closing for now. Please reopen if this is still an issue