CloudFormation - AWS::RDS::DBInstance.Properties.StorageEncrypted behavior change

0

Until a couple of weeks ago, CF was able to successfully create an RDS passing an empty string to AWS::RDS::DBInstance.Properties.StorageEncrypted, e.g.:

    "Instance": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
         ...
        "StorageEncrypted": ""
      }
    }

It seems that this behavior was changed and now we explicitly need to pass true/false.

Can anyone confirm that the behavior actually changed?

This is causing a lot of pain for us because on every deployment we apply the respective CF template. For all the DBs we have created with StorageEncrypted: "" CF now fails with the error Properties validation failed for resource Instance with message: #/StorageEncrypted: expected type: Boolean, found: String

If we replace StorageEncrypted: "" by StorageEncrypted: false it will recreate the DB instance - which obviously we don't want to happen.

asked 2 years ago · 388 views
1 Answer
0

Have you tried removing StorageEncrypted: "" entirely? The default is "false" and if you're lucky this won't trigger a stack update. Worth a try I think.

The best solution though, when you've got time, is to convert your DB to encrypted for best practice. The process is in summary:

  • snapshot the DB, encrypt the snapshot, then restore (and if you can’t tolerate an outage that long, you’ll need a more complex process involving DMS)
  • resolve stack drift by updating the stack with “DeletionPolicy: Retain” on the DBInstance, then updating the stack with the DBInstance removed, then importing the DBInstance into the stack with “StorageEncrypted: true”.
EXPERT
answered 2 years ago
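
A pre-deployment check for the situation in this thread, added here as an example (not code from the question, the answer, or AWS): it scans a JSON CloudFormation template and reports, for each AWS::RDS::DBInstance, whether StorageEncrypted is a real boolean, the wrong type (such as the empty string that now fails validation), omitted, or an intrinsic function. The sample template, the function names and the status labels are constructed for illustration; treating an omitted property as unencrypted follows the default stated in the answer.

```python
import json

# Constructed sample template (not from the page): one resource per case.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "EmptyString": {"Type": "AWS::RDS::DBInstance",
                        "Properties": {"StorageEncrypted": ""}},
        "Omitted": {"Type": "AWS::RDS::DBInstance", "Properties": {}},
        "ExplicitFalse": {"Type": "AWS::RDS::DBInstance",
                          "Properties": {"StorageEncrypted": False}},
        "Encrypted": {"Type": "AWS::RDS::DBInstance",
                      "Properties": {"StorageEncrypted": True}},
        "Conditional": {"Type": "AWS::RDS::DBInstance",
                        "Properties": {"StorageEncrypted": {"Ref": "EncryptDb"}}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})

def classify(props):
    """Return a status label for one DBInstance's Properties mapping."""
    if "StorageEncrypted" not in props:
        return "omitted"        # service default applies (the answer gives it as false)
    value = props["StorageEncrypted"]
    if value is True:
        return "encrypted"
    if value is False:
        return "unencrypted"
    if isinstance(value, dict):
        return "intrinsic"      # Ref / Fn::If etc.; cannot be resolved statically
    return "invalid-type"       # e.g. "" -> "expected type: Boolean, found: String"

def audit_template(template_text):
    """Map logical ID -> status for every AWS::RDS::DBInstance in a JSON template."""
    resources = json.loads(template_text).get("Resources", {})
    return {
        logical_id: classify(res.get("Properties") or {})
        for logical_id, res in resources.items()
        if isinstance(res, dict) and res.get("Type") == "AWS::RDS::DBInstance"
    }

def failing(report):
    """Logical IDs that should block a deployment: wrong type or not encrypted."""
    blocked = ("invalid-type", "unencrypted", "omitted")
    return sorted(lid for lid, status in report.items() if status in blocked)

if __name__ == "__main__":
    report = audit_template(SAMPLE_TEMPLATE)
    for logical_id, status in sorted(report.items()):
        print(f"{logical_id}: {status}")
    raise SystemExit(1 if failing(report) else 0)
```

Run against the real template in CI before the stack update, this surfaces the type error and any unencrypted instances before CloudFormation rejects the deployment.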
