(redshift): clusters created with encryption key arn break after v1.130.0 #20001
Labels
@aws-cdk/aws-redshift
Related to Amazon Redshift
bug
This issue is a bug.
closed-for-staleness
This issue was automatically closed because it hadn't received any attention in a while.
effort/small
Small work item – less than a day of effort
p1
Describe the bug
This commit sets the key to always be the key ID (as requested by cfn docs). Since these docs say update requires "no interruption", this change was pushed through as it was assumed it wouldn't break users who created clusters with the key arn rather than the key id.
Despite all this, users are running into errors. One user posted a comment on the PR indicating failure, and another customer reported internally that deployment is failing (P62432664).
Expected Behavior
Successful deployment when upgrading versions
Current Behavior
Deployment fails due to Cfn not being able to handle being given the key id if it first received the key arn from a previous deployment.
Specific error is
This encryption info combination is invalid
Reproduction Steps
I was able to reproduce this error.
First, create a Redshift cluster with an encryption key pre-v1.130.0.
Then, upgrade to v1.130.0 or above and deploy.
Possible Solution
No response
Additional Information/Context
You can work around this using escape hatches.
Override the KmsKeyId property on the underlying CfnCluster to what it was before.
Note that if this still results in a different template, then you should probably not pass the key into the L2 Cluster construct at all.
CDK CLI Version
1.130.0
Framework Version
No response
Node.js Version
16
OS
mac
Language
TypeScript
Language Version
No response
Other information
No response
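The workaround in this report only helps if the synthesized template ends up with the same KmsKeyId form the stack was deployed with. The following is an added example, not code from the issue or from aws-cdk: a TypeScript check over two template objects that flags Redshift clusters whose KmsKeyId switches from a key ARN to a key ID. The sample templates, logical IDs, and the names `keyForm` and `kmsKeyIdDrift` are constructed, and it assumes any `Ref` in KmsKeyId points at an AWS::KMS::Key resource.

```typescript
// Added check (not aws-cdk code): compare the KmsKeyId of each Redshift cluster
// between the deployed template and the newly synthesized one.
type Props = { [name: string]: unknown };
type Template = { Resources?: { [logicalId: string]: { Type: string; Properties?: Props } } };
type KeyForm = "arn" | "id" | "unset" | "other";
interface Drift { logicalId: string; before: KeyForm; after: KeyForm; breaking: boolean }

// Literal strings are split on the KMS ARN prefix. For intrinsics, Fn::GetAtt
// [key, "Arn"] yields an ARN and Ref yields a key ID (assumes Ref targets a KMS key).
function keyForm(value: unknown): KeyForm {
  if (value === undefined || value === null) return "unset";
  if (typeof value === "string") return /^arn:[^:]+:kms:/.test(value) ? "arn" : "id";
  if (typeof value === "object") {
    const v = value as Props;
    const getAtt = v["Fn::GetAtt"];
    if (Array.isArray(getAtt) && getAtt[1] === "Arn") return "arn";
    if (typeof v["Ref"] === "string") return "id";
  }
  return "other";
}

// Report clusters present in both templates whose KmsKeyId form changed.
// "breaking" marks the ARN -> key ID switch described in this issue.
function kmsKeyIdDrift(deployed: Template, synthesized: Template): Drift[] {
  const out: Drift[] = [];
  const oldRes = deployed.Resources || {};
  const newRes = synthesized.Resources || {};
  Object.keys(newRes).forEach((logicalId) => {
    const next = newRes[logicalId];
    const prev = oldRes[logicalId];
    if (next.Type !== "AWS::Redshift::Cluster" || !prev || prev.Type !== next.Type) return;
    const before = keyForm((prev.Properties || {})["KmsKeyId"]);
    const after = keyForm((next.Properties || {})["KmsKeyId"]);
    if (before !== after) out.push({ logicalId, before, after, breaking: before === "arn" && after === "id" });
  });
  return out;
}

// Constructed sample templates: ClusterA drifts, ClusterB keeps its literal ARN.
const arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";
const deployed: Template = { Resources: {
  Key: { Type: "AWS::KMS::Key" },
  ClusterA: { Type: "AWS::Redshift::Cluster", Properties: { KmsKeyId: { "Fn::GetAtt": ["Key", "Arn"] } } },
  ClusterB: { Type: "AWS::Redshift::Cluster", Properties: { KmsKeyId: arn } } } };
const synthesized: Template = { Resources: {
  Key: { Type: "AWS::KMS::Key" },
  ClusterA: { Type: "AWS::Redshift::Cluster", Properties: { KmsKeyId: { Ref: "Key" } } },
  ClusterB: { Type: "AWS::Redshift::Cluster", Properties: { KmsKeyId: arn } } } };
const findings = kmsKeyIdDrift(deployed, synthesized);
```

Feed it the stack's current template (for example from `aws cloudformation get-template`) and the `cdk synth` output, both parsed as JSON; an empty result means the override restored the previous value.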