
Support storage encryption in Aurora storage add-on

Open erno opened this issue 2 years ago • 3 comments

This would be a good default (or even option) to have when creating a DB since enabling it later seems to require recreating the cluster and restoring from snapshot.

erno avatar May 31 '23 09:05 erno

Hey @erno, thanks for the feature request! Just wanted to note that you can enable storage encryption by adding the following property to the <cluster name>DBCluster resource generated by copilot storage init:

StorageEncrypted: true

I was able to add the field to my addon configuration after deploying an unencrypted version at first, but CloudFormation does end up recreating the cluster, and I'm not sure if that requires restoring from a snapshot, or if CloudFormation takes care of that.

dannyrandall avatar Jun 02 '23 21:06 dannyrandall
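
Because turning the property on later replaces the cluster, a check on the addon template before the first deploy is useful. The following is an added example, not code from this thread or from the Copilot project: a standard-library scanner that lists `AWS::RDS::DBCluster` resources without a literal `StorageEncrypted: true`. The sample template, the logical IDs (`ordersDBCluster`, `auditDBCluster`, `ordersSecret`) and the function name are constructed for illustration, and it assumes block-style YAML with consistent indentation.

```python
import re

# Constructed sample template (trimmed; not real `copilot storage init` output).
SAMPLE = """\
Parameters:
  App:
    Type: String
Resources:
  ordersDBCluster:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: aurora-postgresql
      DatabaseName: !Ref DBName   # intrinsic tags are why yaml.safe_load is not used
  auditDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      StorageEncrypted: true
  ordersSecret:
    Type: AWS::SecretsManager::Secret
"""

KEY = re.compile(r"^(\s*)([^\s#:][^:]*):\s*(.*)$")

def unencrypted_clusters(template: str) -> list[str]:
    """Logical IDs of AWS::RDS::DBCluster resources lacking a literal StorageEncrypted: true."""
    found = {}                      # logical id -> {"type", "child", "encrypted"}
    in_resources, res_indent, cur = False, None, None
    for raw in template.splitlines():
        m = KEY.match(raw.split(" #", 1)[0].rstrip())   # drop trailing comments
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2).strip()
        value = m.group(3).strip().strip("'\"")
        if indent == 0:             # new top-level section
            in_resources, res_indent, cur = key == "Resources", None, None
        elif in_resources:
            res_indent = indent if res_indent is None else res_indent
            if indent == res_indent:            # a resource's logical ID
                cur = found.setdefault(key, {"type": "", "child": None, "encrypted": False})
            elif cur is not None:
                cur["child"] = cur["child"] or indent
                if key == "Type" and indent == cur["child"]:
                    cur["type"] = value
                elif key == "StorageEncrypted":
                    # Only a literal true counts; !Ref/!If values need manual review.
                    cur["encrypted"] = value.lower() == "true"
    return [n for n, r in found.items()
            if r["type"] == "AWS::RDS::DBCluster" and not r["encrypted"]]
```

Calling `unencrypted_clusters(SAMPLE)` returns `['ordersDBCluster']`; a non-empty result can fail a CI step before the cluster is first created.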

Maybe this is a difference in the flavours, e.g. vs MySQL? I think I observed this recreation and needed to toggle off deletion protection too. I'm using Aurora Serverless v2 PostgreSQL. Also the CF doc for DBCluster in https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html says that Update requires replacement.

But it would be a good feature addition even if this was not the case.

erno avatar Jun 12 '23 11:06 erno

Is there a reason this is not default? This is unobvious and seems like it should be the safe default. I assumed this is just best practice and would be default.

jetaggart avatar Apr 18 '24 18:04 jetaggart