aws-cdk.app-staging-synthesizer-alpha 2.127.0a0__py3-none-any.whl → 2.128.0a0__py3-none-any.whl

aws_cdk/app_staging_synthesizer_alpha/__init__.py

@@ -32,9 +32,13 @@ are as follows:
 To get started, update your CDK App with a new `defaultStackSynthesizer`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
-        app_id="my-app-id"
+        app_id="my-app-id",  # put a unique id here
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED
     )
 )
 ```
@@ -94,9 +98,13 @@ synthesizer will create a new Staging Stack in each environment the CDK App is d
 its staging resources. To use this kind of synthesizer, use `AppStagingSynthesizer.defaultResources()`.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
 
         # The following line is optional. By default it is assumed you have bootstrapped in the same
         # region(s) as the stack(s) you are deploying.
@@ -117,8 +125,14 @@ source code. As part of the `DefaultStagingStack`, an S3 bucket and IAM role wil
 used to upload the asset to S3.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
-    default_stack_synthesizer=AppStagingSynthesizer.default_resources(app_id="my-app-id")
+    default_stack_synthesizer=AppStagingSynthesizer.default_resources(
+        app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED
+    )
 )
 
 stack = Stack(app, "my-stack")
@@ -138,9 +152,13 @@ You can customize some or all of the roles you'd like to use in the synthesizer
 if all you need is to supply custom roles (and not change anything else in the `DefaultStagingStack`):
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deployment_identities=DeploymentIdentities.specify_roles(
             cloud_formation_execution_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Execute"),
             deployment_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Deploy"),
@@ -158,9 +176,13 @@ and `CloudFormationExecutionRole` in the
 [bootstrap template](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml).
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deployment_identities=DeploymentIdentities.cli_credentials()
     )
 )
@@ -171,9 +193,13 @@ assumable by the deployment role. You can also specify an existing IAM role for
 `fileAssetPublishingRole` or `imageAssetPublishingRole`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         file_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/S3Access"),
         image_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/ECRAccess")
     )
@@ -225,9 +251,13 @@ to a previous version of an application just by doing a CloudFormation deploymen
 template, without rebuilding and republishing assets.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deploy_time_file_asset_lifetime=Duration.days(100)
     )
 )
@@ -243,9 +273,13 @@ purged.
 To change the number of revisions stored, use `imageAssetVersionCount`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         image_asset_version_count=10
     )
 )
@@ -259,9 +293,13 @@ or `emptyOnDelete` turned on. This creates custom resources under the hood to fa
 cleanup. To turn this off, specify `autoDeleteStagingAssets: false`.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         auto_delete_staging_assets=False
     )
 )
@@ -269,20 +307,20 @@ app = App(
 
 ### Staging Bucket Encryption
 
-By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use
-SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`.
+You must explicitly specify the encryption type for the staging bucket via the `stagingBucketEncryption` property. In
+future versions of this package, the default will be `BucketEncryption.S3_MANAGED`.
 
-```python
-from aws_cdk.aws_s3 import BucketEncryption
+In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost
+$1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module
+we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3
+managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required.
 
+If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to
+`BucketEncryption.KMS`. If you are creating a new staging bucket, you can set this property to
+`BucketEncryption.S3_MANAGED` to avoid the cost of a KMS key.
 
-app = App(
-    default_stack_synthesizer=AppStagingSynthesizer.default_resources(
-        app_id="my-app-id",
-        staging_bucket_encryption=BucketEncryption.S3_MANAGED
-    )
-)
-```
+You can learn more about choosing a bucket encryption type in the
+[S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).
 
 ## Using a Custom Staging Stack per Environment
 
@@ -483,12 +521,12 @@ class AppStagingSynthesizer(
         bootstrap_qualifier: typing.Optional[builtins.str] = None,
         deployment_identities: typing.Optional["DeploymentIdentities"] = None,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional["BootstrapRole"] = None,
         image_asset_publishing_role: typing.Optional["BootstrapRole"] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     ) -> "AppStagingSynthesizer":
@@ -497,12 +535,12 @@ class AppStagingSynthesizer(
         :param bootstrap_qualifier: (experimental) Qualifier to disambiguate multiple bootstrapped environments in the same account. This qualifier is only used to reference bootstrapped resources. It will not be used in the creation of app-specific staging resources: ``appId`` is used for that instead. Default: - Value of context key '@aws-cdk/core:bootstrapQualifier' if set, otherwise ``DEFAULT_QUALIFIER``
         :param deployment_identities: (experimental) What roles to use to deploy applications. These are the roles that have permissions to interact with CloudFormation on your behalf. By default these are the standard bootstrapped CDK roles, but you can customize them or turn them off and use the CLI credentials to deploy. Default: - The standard bootstrapped CDK roles
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
 
@@ -512,12 +550,12 @@ class AppStagingSynthesizer(
             bootstrap_qualifier=bootstrap_qualifier,
             deployment_identities=deployment_identities,
             app_id=app_id,
+            staging_bucket_encryption=staging_bucket_encryption,
             auto_delete_staging_assets=auto_delete_staging_assets,
             deploy_time_file_asset_lifetime=deploy_time_file_asset_lifetime,
             file_asset_publishing_role=file_asset_publishing_role,
             image_asset_publishing_role=image_asset_publishing_role,
             image_asset_version_count=image_asset_version_count,
-            staging_bucket_encryption=staging_bucket_encryption,
             staging_bucket_name=staging_bucket_name,
             staging_stack_name_prefix=staging_stack_name_prefix,
         )
@@ -804,9 +842,13 @@ class BootstrapRole(
 
     Example::
 
+        from aws_cdk.aws_s3 import BucketEncryption
+        
+        
         app = App(
             default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                 app_id="my-app-id",
+                staging_bucket_encryption=BucketEncryption.S3_MANAGED,
                 deployment_identities=DeploymentIdentities.specify_roles(
                     cloud_formation_execution_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Execute"),
                     deployment_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Deploy"),
@@ -876,9 +918,13 @@ class BootstrapRoles:
 
         Example::
 
+            from aws_cdk.aws_s3 import BucketEncryption
+            
+            
             app = App(
                 default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                     app_id="my-app-id",
+                    staging_bucket_encryption=BucketEncryption.S3_MANAGED,
                     deployment_identities=DeploymentIdentities.specify_roles(
                         cloud_formation_execution_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Execute"),
                         deployment_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Deploy"),
@@ -1193,9 +1239,13 @@ class DefaultBootstrapRolesOptions:
 
         Example::
 
+            from aws_cdk.aws_s3 import BucketEncryption
+            
+            
             app = App(
                 default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                     app_id="my-app-id",
+                    staging_bucket_encryption=BucketEncryption.S3_MANAGED,
             
                     # The following line is optional. By default it is assumed you have bootstrapped in the same
                     # region(s) as the stack(s) you are deploying.
@@ -1240,12 +1290,12 @@ class DefaultBootstrapRolesOptions:
     jsii_struct_bases=[],
     name_mapping={
         "app_id": "appId",
+        "staging_bucket_encryption": "stagingBucketEncryption",
         "auto_delete_staging_assets": "autoDeleteStagingAssets",
         "deploy_time_file_asset_lifetime": "deployTimeFileAssetLifetime",
         "file_asset_publishing_role": "fileAssetPublishingRole",
         "image_asset_publishing_role": "imageAssetPublishingRole",
         "image_asset_version_count": "imageAssetVersionCount",
-        "staging_bucket_encryption": "stagingBucketEncryption",
         "staging_bucket_name": "stagingBucketName",
         "staging_stack_name_prefix": "stagingStackNamePrefix",
     },
@@ -1255,24 +1305,24 @@ class DefaultStagingStackOptions:
         self,
         *,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     ) -> None:
         '''(experimental) User configurable options to the DefaultStagingStack.
 
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
 
@@ -1281,21 +1331,24 @@ class DefaultStagingStackOptions:
 
         Example::
 
-            default_staging_stack = DefaultStagingStack.factory(app_id="my-app-id")
+            from aws_cdk.aws_s3 import BucketEncryption
+            
+            default_staging_stack = DefaultStagingStack.factory(app_id="my-app-id", staging_bucket_encryption=BucketEncryption.S3_MANAGED)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__09dbc6ce5bcfd58fa48337caac574e10727d4bf9a43dc89866fbe7541b026219)
             check_type(argname="argument app_id", value=app_id, expected_type=type_hints["app_id"])
+            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument auto_delete_staging_assets", value=auto_delete_staging_assets, expected_type=type_hints["auto_delete_staging_assets"])
             check_type(argname="argument deploy_time_file_asset_lifetime", value=deploy_time_file_asset_lifetime, expected_type=type_hints["deploy_time_file_asset_lifetime"])
             check_type(argname="argument file_asset_publishing_role", value=file_asset_publishing_role, expected_type=type_hints["file_asset_publishing_role"])
             check_type(argname="argument image_asset_publishing_role", value=image_asset_publishing_role, expected_type=type_hints["image_asset_publishing_role"])
             check_type(argname="argument image_asset_version_count", value=image_asset_version_count, expected_type=type_hints["image_asset_version_count"])
-            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument staging_bucket_name", value=staging_bucket_name, expected_type=type_hints["staging_bucket_name"])
             check_type(argname="argument staging_stack_name_prefix", value=staging_stack_name_prefix, expected_type=type_hints["staging_stack_name_prefix"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "app_id": app_id,
+            "staging_bucket_encryption": staging_bucket_encryption,
         }
         if auto_delete_staging_assets is not None:
             self._values["auto_delete_staging_assets"] = auto_delete_staging_assets
@@ -1307,8 +1360,6 @@ class DefaultStagingStackOptions:
             self._values["image_asset_publishing_role"] = image_asset_publishing_role
         if image_asset_version_count is not None:
             self._values["image_asset_version_count"] = image_asset_version_count
-        if staging_bucket_encryption is not None:
-            self._values["staging_bucket_encryption"] = staging_bucket_encryption
         if staging_bucket_name is not None:
             self._values["staging_bucket_name"] = staging_bucket_name
         if staging_stack_name_prefix is not None:
@@ -1330,6 +1381,27 @@ class DefaultStagingStackOptions:
         assert result is not None, "Required property 'app_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def staging_bucket_encryption(self) -> _aws_cdk_aws_s3_ceddda9d.BucketEncryption:
+        '''(experimental) Encryption type for staging bucket.
+
+        In future versions of this package, the default will be BucketEncryption.S3_MANAGED.
+
+        In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost
+        $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module
+        we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3
+        managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required.
+
+        If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to
+        BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to
+        BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
+
+        :stability: experimental
+        '''
+        result = self._values.get("staging_bucket_encryption")
+        assert result is not None, "Required property 'staging_bucket_encryption' is missing"
+        return typing.cast(_aws_cdk_aws_s3_ceddda9d.BucketEncryption, result)
+
     @builtins.property
     def auto_delete_staging_assets(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories.
@@ -1402,19 +1474,6 @@ class DefaultStagingStackOptions:
         result = self._values.get("image_asset_version_count")
         return typing.cast(typing.Optional[jsii.Number], result)
 
-    @builtins.property
-    def staging_bucket_encryption(
-        self,
-    ) -> typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption]:
-        '''(experimental) Encryption type for staging bucket.
-
-        :default: - s3.BucketEncryption.KMS
-
-        :stability: experimental
-        '''
-        result = self._values.get("staging_bucket_encryption")
-        return typing.cast(typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption], result)
-
     @builtins.property
     def staging_bucket_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) Explicit name for the staging bucket.
@@ -1458,12 +1517,12 @@ class DefaultStagingStackOptions:
     jsii_struct_bases=[DefaultStagingStackOptions, _aws_cdk_ceddda9d.StackProps],
     name_mapping={
         "app_id": "appId",
+        "staging_bucket_encryption": "stagingBucketEncryption",
         "auto_delete_staging_assets": "autoDeleteStagingAssets",
         "deploy_time_file_asset_lifetime": "deployTimeFileAssetLifetime",
         "file_asset_publishing_role": "fileAssetPublishingRole",
         "image_asset_publishing_role": "imageAssetPublishingRole",
         "image_asset_version_count": "imageAssetVersionCount",
-        "staging_bucket_encryption": "stagingBucketEncryption",
         "staging_bucket_name": "stagingBucketName",
         "staging_stack_name_prefix": "stagingStackNamePrefix",
         "analytics_reporting": "analyticsReporting",
@@ -1488,12 +1547,12 @@ class DefaultStagingStackProps(
         self,
         *,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
         analytics_reporting: typing.Optional[builtins.bool] = None,
@@ -1512,12 +1571,12 @@ class DefaultStagingStackProps(
         '''(experimental) Default Staging Stack Properties.
 
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
         :param analytics_reporting: Include runtime versioning information in this Stack. Default: ``analyticsReporting`` setting of containing ``App``, or value of 'aws:cdk:version-reporting' context key
@@ -1551,6 +1610,7 @@ class DefaultStagingStackProps(
             default_staging_stack_props = app_staging_synthesizer_alpha.DefaultStagingStackProps(
                 app_id="appId",
                 qualifier="qualifier",
+                staging_bucket_encryption=s3.BucketEncryption.UNENCRYPTED,
             
                 # the properties below are optional
                 analytics_reporting=False,
@@ -1568,7 +1628,6 @@ class DefaultStagingStackProps(
                 image_asset_version_count=123,
                 permissions_boundary=permissions_boundary,
                 stack_name="stackName",
-                staging_bucket_encryption=s3.BucketEncryption.UNENCRYPTED,
                 staging_bucket_name="stagingBucketName",
                 staging_stack_name_prefix="stagingStackNamePrefix",
                 suppress_template_indentation=False,
@@ -1584,12 +1643,12 @@ class DefaultStagingStackProps(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ac9f132bcac8375ac08c16bf3c9bb7407b641e71cfd23cea8b50befa3cf79bbf)
             check_type(argname="argument app_id", value=app_id, expected_type=type_hints["app_id"])
+            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument auto_delete_staging_assets", value=auto_delete_staging_assets, expected_type=type_hints["auto_delete_staging_assets"])
             check_type(argname="argument deploy_time_file_asset_lifetime", value=deploy_time_file_asset_lifetime, expected_type=type_hints["deploy_time_file_asset_lifetime"])
             check_type(argname="argument file_asset_publishing_role", value=file_asset_publishing_role, expected_type=type_hints["file_asset_publishing_role"])
             check_type(argname="argument image_asset_publishing_role", value=image_asset_publishing_role, expected_type=type_hints["image_asset_publishing_role"])
             check_type(argname="argument image_asset_version_count", value=image_asset_version_count, expected_type=type_hints["image_asset_version_count"])
-            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument staging_bucket_name", value=staging_bucket_name, expected_type=type_hints["staging_bucket_name"])
             check_type(argname="argument staging_stack_name_prefix", value=staging_stack_name_prefix, expected_type=type_hints["staging_stack_name_prefix"])
             check_type(argname="argument analytics_reporting", value=analytics_reporting, expected_type=type_hints["analytics_reporting"])
@@ -1606,6 +1665,7 @@ class DefaultStagingStackProps(
             check_type(argname="argument deploy_role_arn", value=deploy_role_arn, expected_type=type_hints["deploy_role_arn"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "app_id": app_id,
+            "staging_bucket_encryption": staging_bucket_encryption,
             "qualifier": qualifier,
         }
         if auto_delete_staging_assets is not None:
@@ -1618,8 +1678,6 @@ class DefaultStagingStackProps(
             self._values["image_asset_publishing_role"] = image_asset_publishing_role
         if image_asset_version_count is not None:
             self._values["image_asset_version_count"] = image_asset_version_count
-        if staging_bucket_encryption is not None:
-            self._values["staging_bucket_encryption"] = staging_bucket_encryption
         if staging_bucket_name is not None:
             self._values["staging_bucket_name"] = staging_bucket_name
         if staging_stack_name_prefix is not None:
@@ -1663,6 +1721,27 @@ class DefaultStagingStackProps(
         assert result is not None, "Required property 'app_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def staging_bucket_encryption(self) -> _aws_cdk_aws_s3_ceddda9d.BucketEncryption:
+        '''(experimental) Encryption type for staging bucket.
+
+        In future versions of this package, the default will be BucketEncryption.S3_MANAGED.
+
+        In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost
+        $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module
+        we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3
+        managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required.
+
+        If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to
+        BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to
+        BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
+
+        :stability: experimental
+        '''
+        result = self._values.get("staging_bucket_encryption")
+        assert result is not None, "Required property 'staging_bucket_encryption' is missing"
+        return typing.cast(_aws_cdk_aws_s3_ceddda9d.BucketEncryption, result)
+
     @builtins.property
     def auto_delete_staging_assets(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories.
@@ -1735,19 +1814,6 @@ class DefaultStagingStackProps(
         result = self._values.get("image_asset_version_count")
         return typing.cast(typing.Optional[jsii.Number], result)
 
-    @builtins.property
-    def staging_bucket_encryption(
-        self,
-    ) -> typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption]:
-        '''(experimental) Encryption type for staging bucket.
-
-        :default: - s3.BucketEncryption.KMS
-
-        :stability: experimental
-        '''
-        result = self._values.get("staging_bucket_encryption")
-        return typing.cast(typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption], result)
-
     @builtins.property
     def staging_bucket_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) Explicit name for the staging bucket.
@@ -1997,9 +2063,13 @@ class DeploymentIdentities(
 
     Example::
 
+        from aws_cdk.aws_s3 import BucketEncryption
+        
+        
         app = App(
             default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                 app_id="my-app-id",
+                staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         
                 # The following line is optional. By default it is assumed you have bootstrapped in the same
                 # region(s) as the stack(s) you are deploying.
@@ -2802,12 +2872,12 @@ class UsingAppStagingSynthesizer(
         "bootstrap_qualifier": "bootstrapQualifier",
         "deployment_identities": "deploymentIdentities",
         "app_id": "appId",
+        "staging_bucket_encryption": "stagingBucketEncryption",
         "auto_delete_staging_assets": "autoDeleteStagingAssets",
         "deploy_time_file_asset_lifetime": "deployTimeFileAssetLifetime",
         "file_asset_publishing_role": "fileAssetPublishingRole",
         "image_asset_publishing_role": "imageAssetPublishingRole",
         "image_asset_version_count": "imageAssetVersionCount",
-        "staging_bucket_encryption": "stagingBucketEncryption",
         "staging_bucket_name": "stagingBucketName",
         "staging_stack_name_prefix": "stagingStackNamePrefix",
     },
@@ -2819,12 +2889,12 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
         bootstrap_qualifier: typing.Optional[builtins.str] = None,
         deployment_identities: typing.Optional[DeploymentIdentities] = None,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -2833,12 +2903,12 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
         :param bootstrap_qualifier: (experimental) Qualifier to disambiguate multiple bootstrapped environments in the same account. This qualifier is only used to reference bootstrapped resources. It will not be used in the creation of app-specific staging resources: ``appId`` is used for that instead. Default: - Value of context key '@aws-cdk/core:bootstrapQualifier' if set, otherwise ``DEFAULT_QUALIFIER``
         :param deployment_identities: (experimental) What roles to use to deploy applications. These are the roles that have permissions to interact with CloudFormation on your behalf. By default these are the standard bootstrapped CDK roles, but you can customize them or turn them off and use the CLI credentials to deploy. Default: - The standard bootstrapped CDK roles
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
 
@@ -2847,9 +2917,13 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
 
         Example::
 
+            from aws_cdk.aws_s3 import BucketEncryption
+            
+            
             app = App(
                 default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                     app_id="my-app-id",
+                    staging_bucket_encryption=BucketEncryption.S3_MANAGED,
                     file_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/S3Access"),
                     image_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/ECRAccess")
                 )
@@ -2860,16 +2934,17 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
             check_type(argname="argument bootstrap_qualifier", value=bootstrap_qualifier, expected_type=type_hints["bootstrap_qualifier"])
             check_type(argname="argument deployment_identities", value=deployment_identities, expected_type=type_hints["deployment_identities"])
             check_type(argname="argument app_id", value=app_id, expected_type=type_hints["app_id"])
+            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument auto_delete_staging_assets", value=auto_delete_staging_assets, expected_type=type_hints["auto_delete_staging_assets"])
             check_type(argname="argument deploy_time_file_asset_lifetime", value=deploy_time_file_asset_lifetime, expected_type=type_hints["deploy_time_file_asset_lifetime"])
             check_type(argname="argument file_asset_publishing_role", value=file_asset_publishing_role, expected_type=type_hints["file_asset_publishing_role"])
             check_type(argname="argument image_asset_publishing_role", value=image_asset_publishing_role, expected_type=type_hints["image_asset_publishing_role"])
             check_type(argname="argument image_asset_version_count", value=image_asset_version_count, expected_type=type_hints["image_asset_version_count"])
-            check_type(argname="argument staging_bucket_encryption", value=staging_bucket_encryption, expected_type=type_hints["staging_bucket_encryption"])
             check_type(argname="argument staging_bucket_name", value=staging_bucket_name, expected_type=type_hints["staging_bucket_name"])
             check_type(argname="argument staging_stack_name_prefix", value=staging_stack_name_prefix, expected_type=type_hints["staging_stack_name_prefix"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "app_id": app_id,
+            "staging_bucket_encryption": staging_bucket_encryption,
         }
         if bootstrap_qualifier is not None:
             self._values["bootstrap_qualifier"] = bootstrap_qualifier
@@ -2885,8 +2960,6 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
             self._values["image_asset_publishing_role"] = image_asset_publishing_role
         if image_asset_version_count is not None:
             self._values["image_asset_version_count"] = image_asset_version_count
-        if staging_bucket_encryption is not None:
-            self._values["staging_bucket_encryption"] = staging_bucket_encryption
         if staging_bucket_name is not None:
             self._values["staging_bucket_name"] = staging_bucket_name
         if staging_stack_name_prefix is not None:
@@ -2939,6 +3012,27 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
         assert result is not None, "Required property 'app_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def staging_bucket_encryption(self) -> _aws_cdk_aws_s3_ceddda9d.BucketEncryption:
+        '''(experimental) Encryption type for staging bucket.
+
+        In future versions of this package, the default will be BucketEncryption.S3_MANAGED.
+
+        In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost
+        $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module
+        we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3
+        managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required.
+
+        If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to
+        BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to
+        BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
+
+        :stability: experimental
+        '''
+        result = self._values.get("staging_bucket_encryption")
+        assert result is not None, "Required property 'staging_bucket_encryption' is missing"
+        return typing.cast(_aws_cdk_aws_s3_ceddda9d.BucketEncryption, result)
+
     @builtins.property
     def auto_delete_staging_assets(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories.
@@ -3011,19 +3105,6 @@ class DefaultResourcesOptions(AppStagingSynthesizerOptions, DefaultStagingStackO
         result = self._values.get("image_asset_version_count")
         return typing.cast(typing.Optional[jsii.Number], result)
 
-    @builtins.property
-    def staging_bucket_encryption(
-        self,
-    ) -> typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption]:
-        '''(experimental) Encryption type for staging bucket.
-
-        :default: - s3.BucketEncryption.KMS
-
-        :stability: experimental
-        '''
-        result = self._values.get("staging_bucket_encryption")
-        return typing.cast(typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption], result)
-
     @builtins.property
     def staging_bucket_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) Explicit name for the staging bucket.
@@ -3074,7 +3155,9 @@ class DefaultStagingStack(
 
     Example::
 
-        default_staging_stack = DefaultStagingStack.factory(app_id="my-app-id")
+        from aws_cdk.aws_s3 import BucketEncryption
+        
+        default_staging_stack = DefaultStagingStack.factory(app_id="my-app-id", staging_bucket_encryption=BucketEncryption.S3_MANAGED)
     '''
 
     def __init__(
@@ -3085,12 +3168,12 @@ class DefaultStagingStack(
         qualifier: builtins.str,
         deploy_role_arn: typing.Optional[builtins.str] = None,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
         analytics_reporting: typing.Optional[builtins.bool] = None,
@@ -3110,12 +3193,12 @@ class DefaultStagingStack(
         :param qualifier: (experimental) The qualifier used to specialize strings. Shouldn't be necessary but who knows what people might do.
         :param deploy_role_arn: (experimental) The ARN of the deploy action role, if given. This role will need permissions to read from to the staging resources. Default: - The CLI credentials are assumed, no additional permissions are granted.
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
         :param analytics_reporting: Include runtime versioning information in this Stack. Default: ``analyticsReporting`` setting of containing ``App``, or value of 'aws:cdk:version-reporting' context key
@@ -3139,12 +3222,12 @@ class DefaultStagingStack(
             qualifier=qualifier,
             deploy_role_arn=deploy_role_arn,
             app_id=app_id,
+            staging_bucket_encryption=staging_bucket_encryption,
             auto_delete_staging_assets=auto_delete_staging_assets,
             deploy_time_file_asset_lifetime=deploy_time_file_asset_lifetime,
             file_asset_publishing_role=file_asset_publishing_role,
             image_asset_publishing_role=image_asset_publishing_role,
             image_asset_version_count=image_asset_version_count,
-            staging_bucket_encryption=staging_bucket_encryption,
             staging_bucket_name=staging_bucket_name,
             staging_stack_name_prefix=staging_stack_name_prefix,
             analytics_reporting=analytics_reporting,
@@ -3167,24 +3250,24 @@ class DefaultStagingStack(
         cls,
         *,
         app_id: builtins.str,
+        staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
         auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
         deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
         image_asset_version_count: typing.Optional[jsii.Number] = None,
-        staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
         staging_bucket_name: typing.Optional[builtins.str] = None,
         staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     ) -> IStagingResourcesFactory:
         '''(experimental) Return a factory that will create DefaultStagingStacks.
 
         :param app_id: (experimental) A unique identifier for the application that the staging stack belongs to. This identifier will be used in the name of staging resources created for this application, and should be unique across CDK apps. The identifier should include lowercase characters and dashes ('-') only and have a maximum of 20 characters.
+        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. In future versions of this package, the default will be BucketEncryption.S3_MANAGED. In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost $1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3 managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required. If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to BucketEncryption.KMS. If you are creating a new staging bucket, you can set this property to BucketEncryption.S3_MANAGED to avoid the cost of a KMS key.
         :param auto_delete_staging_assets: (experimental) Auto deletes objects in the staging S3 bucket and images in the staging ECR repositories. Default: true
         :param deploy_time_file_asset_lifetime: (experimental) The lifetime for deploy time file assets. Assets that are only necessary at deployment time (for instance, CloudFormation templates and Lambda source code bundles) will be automatically deleted after this many days. Assets that may be read from the staging bucket during your application's run time will not be deleted. Set this to the length of time you wish to be able to roll back to previous versions of your application without having to do a new ``cdk synth`` and re-upload of assets. Default: - Duration.days(30)
         :param file_asset_publishing_role: (experimental) Pass in an existing role to be used as the file publishing role. Default: - a new role will be created
         :param image_asset_publishing_role: (experimental) Pass in an existing role to be used as the image publishing role. Default: - a new role will be created
         :param image_asset_version_count: (experimental) The maximum number of image versions to store in a repository. Previous versions of an image can be stored for rollback purposes. Once a repository has more than 3 image versions stored, the oldest version will be discarded. This allows for sensible garbage collection while maintaining a few previous versions for rollback scenarios. Default: - up to 3 versions stored
-        :param staging_bucket_encryption: (experimental) Encryption type for staging bucket. Default: - s3.BucketEncryption.KMS
         :param staging_bucket_name: (experimental) Explicit name for the staging bucket. Default: - a well-known name unique to this app/env.
         :param staging_stack_name_prefix: (experimental) Specify a custom prefix to be used as the staging stack name and construct ID. The prefix will be appended before the appId, which is required to be part of the stack name and construct ID to ensure uniqueness. Default: 'StagingStack'
 
@@ -3192,12 +3275,12 @@ class DefaultStagingStack(
         '''
         options = DefaultStagingStackOptions(
             app_id=app_id,
+            staging_bucket_encryption=staging_bucket_encryption,
             auto_delete_staging_assets=auto_delete_staging_assets,
             deploy_time_file_asset_lifetime=deploy_time_file_asset_lifetime,
             file_asset_publishing_role=file_asset_publishing_role,
             image_asset_publishing_role=image_asset_publishing_role,
             image_asset_version_count=image_asset_version_count,
-            staging_bucket_encryption=staging_bucket_encryption,
             staging_bucket_name=staging_bucket_name,
             staging_stack_name_prefix=staging_stack_name_prefix,
         )
@@ -3418,12 +3501,12 @@ def _typecheckingstub__04df2201aac14a17d1f202664f0ecfab35edb0a3e63061b1cb8c73c36
 def _typecheckingstub__09dbc6ce5bcfd58fa48337caac574e10727d4bf9a43dc89866fbe7541b026219(
     *,
     app_id: builtins.str,
+    staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
     auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
     deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_version_count: typing.Optional[jsii.Number] = None,
-    staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
     staging_bucket_name: typing.Optional[builtins.str] = None,
     staging_stack_name_prefix: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -3433,12 +3516,12 @@ def _typecheckingstub__09dbc6ce5bcfd58fa48337caac574e10727d4bf9a43dc89866fbe7541
 def _typecheckingstub__ac9f132bcac8375ac08c16bf3c9bb7407b641e71cfd23cea8b50befa3cf79bbf(
     *,
     app_id: builtins.str,
+    staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
     auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
     deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_version_count: typing.Optional[jsii.Number] = None,
-    staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
     staging_bucket_name: typing.Optional[builtins.str] = None,
     staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     analytics_reporting: typing.Optional[builtins.bool] = None,
@@ -3515,12 +3598,12 @@ def _typecheckingstub__29102b1165011d046c95963e887fe565a9300d7ed93d8499af73ef05f
     bootstrap_qualifier: typing.Optional[builtins.str] = None,
     deployment_identities: typing.Optional[DeploymentIdentities] = None,
     app_id: builtins.str,
+    staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
     auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
     deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_version_count: typing.Optional[jsii.Number] = None,
-    staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
     staging_bucket_name: typing.Optional[builtins.str] = None,
     staging_stack_name_prefix: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -3534,12 +3617,12 @@ def _typecheckingstub__ca741a4572a1f95a8d82e9d029388b8a2d72acacb69715277b6a785b4
     qualifier: builtins.str,
     deploy_role_arn: typing.Optional[builtins.str] = None,
     app_id: builtins.str,
+    staging_bucket_encryption: _aws_cdk_aws_s3_ceddda9d.BucketEncryption,
     auto_delete_staging_assets: typing.Optional[builtins.bool] = None,
     deploy_time_file_asset_lifetime: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     file_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_publishing_role: typing.Optional[BootstrapRole] = None,
     image_asset_version_count: typing.Optional[jsii.Number] = None,
-    staging_bucket_encryption: typing.Optional[_aws_cdk_aws_s3_ceddda9d.BucketEncryption] = None,
     staging_bucket_name: typing.Optional[builtins.str] = None,
     staging_stack_name_prefix: typing.Optional[builtins.str] = None,
     analytics_reporting: typing.Optional[builtins.bool] = None,

aws_cdk/app_staging_synthesizer_alpha/_jsii/__init__.py

@@ -15,9 +15,9 @@ import constructs._jsii
 
 __jsii_assembly__ = jsii.JSIIAssembly.load(
     "@aws-cdk/app-staging-synthesizer-alpha",
-    "2.127.0-alpha.0",
+    "2.128.0-alpha.0",
     __name__[0:-6],
-    "app-staging-synthesizer-alpha@2.127.0-alpha.0.jsii.tgz",
+    "app-staging-synthesizer-alpha@2.128.0-alpha.0.jsii.tgz",
 )
 
 __all__ = [

{aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info → aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: aws-cdk.app-staging-synthesizer-alpha
-Version: 2.127.0a0
+Version: 2.128.0a0
 Summary: Cdk synthesizer for with app-scoped staging stack
 Home-page: https://github.com/aws/aws-cdk
 Author: Amazon Web Services
@@ -23,7 +23,7 @@ Requires-Python: ~=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
 License-File: NOTICE
-Requires-Dist: aws-cdk-lib <3.0.0,>=2.127.0
+Requires-Dist: aws-cdk-lib <3.0.0,>=2.128.0
 Requires-Dist: constructs <11.0.0,>=10.0.0
 Requires-Dist: jsii <2.0.0,>=1.94.0
 Requires-Dist: publication >=0.0.3
@@ -62,9 +62,13 @@ are as follows:
 To get started, update your CDK App with a new `defaultStackSynthesizer`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
-        app_id="my-app-id"
+        app_id="my-app-id",  # put a unique id here
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED
     )
 )
 ```
@@ -124,9 +128,13 @@ synthesizer will create a new Staging Stack in each environment the CDK App is d
 its staging resources. To use this kind of synthesizer, use `AppStagingSynthesizer.defaultResources()`.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
 
         # The following line is optional. By default it is assumed you have bootstrapped in the same
         # region(s) as the stack(s) you are deploying.
@@ -147,8 +155,14 @@ source code. As part of the `DefaultStagingStack`, an S3 bucket and IAM role wil
 used to upload the asset to S3.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
-    default_stack_synthesizer=AppStagingSynthesizer.default_resources(app_id="my-app-id")
+    default_stack_synthesizer=AppStagingSynthesizer.default_resources(
+        app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED
+    )
 )
 
 stack = Stack(app, "my-stack")
@@ -168,9 +182,13 @@ You can customize some or all of the roles you'd like to use in the synthesizer
 if all you need is to supply custom roles (and not change anything else in the `DefaultStagingStack`):
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deployment_identities=DeploymentIdentities.specify_roles(
             cloud_formation_execution_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Execute"),
             deployment_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/Deploy"),
@@ -188,9 +206,13 @@ and `CloudFormationExecutionRole` in the
 [bootstrap template](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml).
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deployment_identities=DeploymentIdentities.cli_credentials()
     )
 )
@@ -201,9 +223,13 @@ assumable by the deployment role. You can also specify an existing IAM role for
 `fileAssetPublishingRole` or `imageAssetPublishingRole`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         file_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/S3Access"),
         image_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/ECRAccess")
     )
@@ -255,9 +281,13 @@ to a previous version of an application just by doing a CloudFormation deploymen
 template, without rebuilding and republishing assets.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         deploy_time_file_asset_lifetime=Duration.days(100)
     )
 )
@@ -273,9 +303,13 @@ purged.
 To change the number of revisions stored, use `imageAssetVersionCount`:
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         image_asset_version_count=10
     )
 )
@@ -289,9 +323,13 @@ or `emptyOnDelete` turned on. This creates custom resources under the hood to fa
 cleanup. To turn this off, specify `autoDeleteStagingAssets: false`.
 
 ```python
+from aws_cdk.aws_s3 import BucketEncryption
+
+
 app = App(
     default_stack_synthesizer=AppStagingSynthesizer.default_resources(
         app_id="my-app-id",
+        staging_bucket_encryption=BucketEncryption.S3_MANAGED,
         auto_delete_staging_assets=False
     )
 )
@@ -299,20 +337,20 @@ app = App(
 
 ### Staging Bucket Encryption
 
-By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use
-SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`.
+You must explicitly specify the encryption type for the staging bucket via the `stagingBucketEncryption` property. In
+future versions of this package, the default will be `BucketEncryption.S3_MANAGED`.
 
-```python
-from aws_cdk.aws_s3 import BucketEncryption
+In previous versions of this package, the default was to use KMS encryption for the staging bucket. KMS keys cost
+$1/month, which could result in unexpected costs for users who are not aware of this. As we stabilize this module
+we intend to make the default S3-managed encryption, which is free. However, the migration path from KMS to S3
+managed encryption for existing buckets is not straightforward. Therefore, for now, this property is required.
 
+If you have an existing staging bucket encrypted with a KMS key, you will likely want to set this property to
+`BucketEncryption.KMS`. If you are creating a new staging bucket, you can set this property to
+`BucketEncryption.S3_MANAGED` to avoid the cost of a KMS key.
 
-app = App(
-    default_stack_synthesizer=AppStagingSynthesizer.default_resources(
-        app_id="my-app-id",
-        staging_bucket_encryption=BucketEncryption.S3_MANAGED
-    )
-)
-```
+You can learn more about choosing a bucket encryption type in the
+[S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).
 
 ## Using a Custom Staging Stack per Environment
 

aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/RECORD

@@ -0,0 +1,10 @@
+aws_cdk/app_staging_synthesizer_alpha/__init__.py,sha256=kFCznCuIjDOVk7yC5LIAnBoCu8eHyyAYnf4o78JUapE,202849
+aws_cdk/app_staging_synthesizer_alpha/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+aws_cdk/app_staging_synthesizer_alpha/_jsii/__init__.py,sha256=Xw1Rz3P2zjd-avTwEKChq9msRBP-3BbCLr3t_7W-I4E,467
+aws_cdk/app_staging_synthesizer_alpha/_jsii/app-staging-synthesizer-alpha@2.128.0-alpha.0.jsii.tgz,sha256=aoEYAaTs-GP_jljjK2CSo7sFOWenZEPAaJgQhPsx0LM,86369
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/LICENSE,sha256=kEDF86xJUQh1E9M7UPKKbHepBEdFxIUyoGfTwQB7zKg,11391
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/METADATA,sha256=DHnhmQtrDoRchob74MPoJ0ZlGCjRckdVlDMLXRoGLIU,18264
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/NOTICE,sha256=dXf56qvx2VDNCaqiRscOD2IH5GbmqbnKRzroZCeLtaQ,113
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/top_level.txt,sha256=1TALAKbuUGsMSrfKWEf268lySCmcqSEO6cDYe_XlLHM,8
+aws_cdk.app_staging_synthesizer_alpha-2.128.0a0.dist-info/RECORD,,

aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/RECORD

@@ -1,10 +0,0 @@
-aws_cdk/app_staging_synthesizer_alpha/__init__.py,sha256=mFtbGMo-lHavtSCugmjasUbxo1rJvE5ZkouqlqLTIKY,193413
-aws_cdk/app_staging_synthesizer_alpha/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-aws_cdk/app_staging_synthesizer_alpha/_jsii/__init__.py,sha256=zFAxTozFAJQlVAbtBOmUaYsGCqPQx3nEaOqTc4Ycez4,467
-aws_cdk/app_staging_synthesizer_alpha/_jsii/app-staging-synthesizer-alpha@2.127.0-alpha.0.jsii.tgz,sha256=9_FVQU5ZixM0N1TzaapMXfkpC0gMyutW1jrSJaAvu30,84762
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/LICENSE,sha256=kEDF86xJUQh1E9M7UPKKbHepBEdFxIUyoGfTwQB7zKg,11391
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/METADATA,sha256=ycTeA5OiqLzABgN-IWdYkDWIm1iaAAY2a34Jpo1ZS_k,16562
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/NOTICE,sha256=dXf56qvx2VDNCaqiRscOD2IH5GbmqbnKRzroZCeLtaQ,113
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/top_level.txt,sha256=1TALAKbuUGsMSrfKWEf268lySCmcqSEO6cDYe_XlLHM,8
-aws_cdk.app_staging_synthesizer_alpha-2.127.0a0.dist-info/RECORD,,