fix(aws-s3-deployment): fix server side encryption parameters (#6006)

fixes #6002

packages/@aws-cdk/aws-s3-deployment/lambda/src/index.py

@@ -158,7 +158,7 @@ def create_metadata_args(raw_user_metadata, raw_system_metadata):
         return []
 
     format_system_metadata_key = lambda k: k.lower()
-    format_user_metadata_key = lambda k: k.lower() if k.lower().startswith("x-amzn-meta-") else f"x-amzn-meta-{k.lower()}" 
+    format_user_metadata_key = lambda k: k.lower() if k.lower().startswith("x-amzn-meta-") else f"x-amzn-meta-{k.lower()}"
 
     system_metadata = { format_system_metadata_key(k): v for k, v in raw_system_metadata.items() }
     user_metadata = { format_user_metadata_key(k): v for k, v in raw_user_metadata.items() }

packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts

@@ -147,8 +147,9 @@ export interface BucketDeploymentProps {
   readonly serverSideEncryptionAwsKmsKeyId?: string;
   /**
    * System-defined x-amz-server-side-encryption-customer-algorithm metadata to be set on all objects in the deployment.
+   * Warning: This is not a useful parameter until this bug is fixed: https://github.com/aws/aws-cdk/issues/6080
    * @default - Not set.
-   * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html#SysMetadata
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html#sse-c-how-to-programmatically-intro
    */
   readonly serverSideEncryptionCustomerAlgorithm?: string;
 }
@@ -262,11 +263,11 @@ function mapSystemMetadata(metadata: BucketDeploymentProps) {
   if (metadata.contentEncoding) { res["content-encoding"] = metadata.contentEncoding; }
   if (metadata.contentLanguage) { res["content-language"] = metadata.contentLanguage; }
   if (metadata.contentType) { res["content-type"] = metadata.contentType; }
-  if (metadata.serverSideEncryption) { res["server-side-encryption"] = metadata.serverSideEncryption; }
+  if (metadata.serverSideEncryption) { res.sse = metadata.serverSideEncryption; }
   if (metadata.storageClass) { res["storage-class"] = metadata.storageClass; }
-  if (metadata.websiteRedirectLocation) { res["website-redirect-location"] = metadata.websiteRedirectLocation; }
-  if (metadata.serverSideEncryptionAwsKmsKeyId) { res["ssekms-key-id"] = metadata.serverSideEncryptionAwsKmsKeyId; }
-  if (metadata.serverSideEncryptionCustomerAlgorithm) { res["sse-customer-algorithm"] = metadata.serverSideEncryptionCustomerAlgorithm; }
+  if (metadata.websiteRedirectLocation) { res["website-redirect"] = metadata.websiteRedirectLocation; }
+  if (metadata.serverSideEncryptionAwsKmsKeyId) { res["sse-kms-key-id"] = metadata.serverSideEncryptionAwsKmsKeyId; }
+  if (metadata.serverSideEncryptionCustomerAlgorithm) { res["sse-c-copy-source"] = metadata.serverSideEncryptionCustomerAlgorithm; }
 
   return Object.keys(res).length === 0 ? undefined : res;
 }

packages/@aws-cdk/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.expected.json

@@ -248,7 +248,7 @@
       "Properties": {
         "Code": {
           "S3Bucket": {
-            "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3Bucket13DFEC6A"
+            "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3Bucket1FAE0333"
           },
           "S3Key": {
             "Fn::Join": [
@@ -261,7 +261,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC"
+                          "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3"
                         }
                       ]
                     }
@@ -274,7 +274,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC"
+                          "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3"
                         }
                       ]
                     }
@@ -301,17 +301,17 @@
     }
   },
   "Parameters": {
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3Bucket13DFEC6A": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3Bucket1FAE0333": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "S3 bucket for asset \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3": {
       "Type": "String",
-      "Description": "S3 key for asset version \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "S3 key for asset version \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430ArtifactHash55E30580": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412ArtifactHashA605283F": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "Artifact hash for asset \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
     "AssetParametersfc4481abf279255619ff7418faa5d24456fef3432ea0da59c95542578ff0222eS3Bucket9CD8B20A": {
       "Type": "String",

packages/@aws-cdk/aws-s3-deployment/test/integ.bucket-deployment.expected.json

@@ -258,7 +258,7 @@
       "Properties": {
         "Code": {
           "S3Bucket": {
-            "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3Bucket13DFEC6A"
+            "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3Bucket1FAE0333"
           },
           "S3Key": {
             "Fn::Join": [
@@ -271,7 +271,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC"
+                          "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3"
                         }
                       ]
                     }
@@ -284,7 +284,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC"
+                          "Ref": "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3"
                         }
                       ]
                     }
@@ -374,17 +374,17 @@
     }
   },
   "Parameters": {
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3Bucket13DFEC6A": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3Bucket1FAE0333": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "S3 bucket for asset \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430S3VersionKeyED938FBC": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412S3VersionKeyE18B22C3": {
       "Type": "String",
-      "Description": "S3 key for asset version \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "S3 key for asset version \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
-    "AssetParameters6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430ArtifactHash55E30580": {
+    "AssetParameters53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412ArtifactHashA605283F": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"6416c21be320b522db64c705872c0a54d788e3df57b34a5f0d1e8602d7521430\""
+      "Description": "Artifact hash for asset \"53a43f436014c307dccbd4ca1172459431a2a8dee8a2c318ee65991c2a8d4412\""
     },
     "AssetParametersfc4481abf279255619ff7418faa5d24456fef3432ea0da59c95542578ff0222eS3Bucket9CD8B20A": {
       "Type": "String",

packages/@aws-cdk/aws-s3-deployment/test/test.bucket-deployment.ts

@@ -235,32 +235,63 @@ export = {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
       destinationBucket: bucket,
       metadata: { "A": "1", "b": "2" },
+    });
+
+    // THEN
+    expect(stack).to(haveResource('Custom::CDKBucketDeployment', {
+      UserMetadata: { 'x-amzn-meta-a': '1', 'x-amzn-meta-b': '2' }
+    }));
+
+    test.done();
+  },
+
+  'system metadata is correctly transformed'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const bucket = new s3.Bucket(stack, 'Dest');
+
+    // WHEN
+    new s3deploy.BucketDeployment(stack, 'Deploy', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
+      destinationBucket: bucket,
       contentType: "text/html",
       contentLanguage: "en",
       storageClass: s3deploy.StorageClass.INTELLIGENT_TIERING,
       contentDisposition: "inline",
-      serverSideEncryption: s3deploy.ServerSideEncryption.AES_256,
+      serverSideEncryption: s3deploy.ServerSideEncryption.AWS_KMS,
+      serverSideEncryptionAwsKmsKeyId: "mykey",
+      serverSideEncryptionCustomerAlgorithm: "rot13",
+      websiteRedirectLocation: "example",
       cacheControl: [s3deploy.CacheControl.setPublic(), s3deploy.CacheControl.maxAge(cdk.Duration.hours(1))],
-      expires: s3deploy.Expires.after(cdk.Duration.hours(12))
+      expires: s3deploy.Expires.after(cdk.Duration.hours(12)),
     });
 
     // THEN
     expect(stack).to(haveResource('Custom::CDKBucketDeployment', {
-      UserMetadata: { 'x-amzn-meta-a': '1', 'x-amzn-meta-b': '2' },
       SystemMetadata: {
         'content-type': 'text/html',
         'content-language': 'en',
         'content-disposition': 'inline',
         'storage-class': 'INTELLIGENT_TIERING',
-        'server-side-encryption': 'AES256',
+        'sse': 'aws:kms',
+        'sse-kms-key-id': 'mykey',
         'cache-control': 'public, max-age=3600',
-        'expires': s3deploy.Expires.after(cdk.Duration.hours(12)).value
+        'expires': s3deploy.Expires.after(cdk.Duration.hours(12)).value,
+        'sse-c-copy-source': 'rot13',
+        'website-redirect': 'example'
       }
     }));
 
     test.done();
   },
 
+  'server side encryption type has correct values'(test: Test) {
+    test.equal(s3deploy.ServerSideEncryption.AES_256, 'AES256');
+    test.equal(s3deploy.ServerSideEncryption.AWS_KMS, 'aws:kms');
+
+    test.done();
+  },
+
   'distribution can be used to provide a CloudFront distribution for invalidation'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();