Description
Issue
Assuming usage of Java & DynamoDbClient with properly configured DynamoDbEncryptionInterceptor.
In cases where BatchWriteRequest that contains some PutRequests items, if any of those item is then returned in BatchWriteItemResponse#unprocessedItems - it cannot be used for further processing. (i.e. retry)
Invalid case for retry using DynamoDbClient:
BatchWriteItemResponse#unprocessedItems put requests contain encryption headers, so if item is reused as is encryption interceptor throws :
software.amazon.cryptography.dbencryptionsdk.dynamodb.transforms.model.DynamoDbEncryptionTransformsException: Writing reserved attributes not allowed : aws_dbe_foot,aws_dbe_head
Invalid case for retry using DynamoDbEnhancedClient:
If DynamoDbEnhancedClient is used to unconvert unprocessedItems attribute values to java type (using software.amazon.awssdk.enhanced.dynamodb.model.BatchWriteResult#unprocessedPutItemsForTable) - encryption headers are removed, mapping succeeds but attributes that were encrypted by interceptor are broken.
In my case I have a String attribute defined, which is then encrypted by interceptor. Usage of BatchWriteResult#unprocessedPutItemsForTable unconverts encrypted byte array to String leaving me with base64 encrypted value instead of the initial String value that was put to BatchWriteItemEnhancedRequest.
Workaround
I put custom interceptor before DynamoDbEncryptionInterceptor. It stores initial BatchWriteRequest#PutRequest items and in case of #unprocessesItems returned in batch response I replace encrypted values with the stored ones.