I created an AWS Elastic DocumentDB cluster using CDK and provided an already-present security group. Later on, I changed my stack to create the security group from CDK and pass its ID to the DocDB cluster, and redeployed the stack.
CloudFormation is throwing an error:
DocumentDBStack failed: Error: The stack named DocumentDBStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Shard configuration, network parameters (security groups and subnets) and Authentication parameters (secret ARN and password) cannot be modified at the same time. (Service: DocDbElastic, Status Code: 400, Request ID: 53edd146-bc75-40b6-a756-af6df4d019c2)" (RequestToken: c4d30044-c9c1-2ec2-24d2-ed5bde5784e9, HandlerErrorCode: InvalidRequest)
CDK Code:
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as docdbelastic from 'aws-cdk-lib/aws-docdbelastic';

/**
 * Create a new Security Group
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html
 */
const securityGroup = new ec2.SecurityGroup(this, 'docDbSG', {
  vpc, // ec2.IVpc resolved elsewhere in the stack
});
// Add ingress rules (all ports/protocols from the internal 10.0.0.0/8 range)
securityGroup.addIngressRule(ec2.Peer.ipv4("10.0.0.0/8"), ec2.Port.allTraffic(), "allow from internal network");

/**
 * Create a new Document DB Elastic Cluster
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_docdbelastic.CfnCluster.html
 */
new docdbelastic.CfnCluster(this, 'elasticDocDbCluster', {
  adminUserName: props!.docDbAdminUserName,
  adminUserPassword: "password", // literal placeholder; ends up in plaintext in the synthesized template
  authType: props!.docDbAuthType,
  clusterName: props!.docDbClusterName,
  shardCapacity: props!.docDbShardCapacity,
  shardCount: props!.docDbShardCount,
  subnetIds: props!.dataSubnets,
  // switched from a pre-existing security group ID to the one created above
  vpcSecurityGroupIds: [securityGroup.securityGroupId],
});
I even ran a CDK diff, and it shows a single change:
Resources
[+] AWS::EC2::SecurityGroup docDbSG docDbSGDD5902
[~] AWS::DocDBElastic::Cluster elasticDocDbCluster elasticDocDbCluster
 └─ [~] VpcSecurityGroupIds
     └─ @@ -1,3 +1,8 @@
        [ ] [
        [-]   "sg-1234"
        [+]   {
        [+]     "Fn::GetAtt": [
        [+]       "docDbSGDD5902",
        [+]       "GroupId"
        [+]     ]
        [+]   }
        [ ] ]
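The error message names three property groups of an AWS::DocDBElastic::Cluster that the service refuses to change in one update: shard configuration, network parameters (security groups and subnets) and authentication parameters (secret ARN and password). The following is an added example, not code from the original post, of a pre-deploy lint a practitioner could run over two synthesized templates (for instance the `cdk synth` output before and after a change) to catch an update that touches more than one of those groups, and to flag an AdminUserPassword that is a plaintext literal rather than a Secrets Manager dynamic reference. The two template objects, the logical ID, the subnet and security group IDs and the secret name are all constructed for illustration.

```typescript
// Added example (not part of the original post). Lints AWS::DocDBElastic::Cluster
// updates between two CloudFormation templates. Template contents are constructed.

type CfnValue = unknown;
interface CfnResource { Type: string; Properties?: Record<string, CfnValue>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { logicalId: string; message: string; }

// The three mutually exclusive property groups quoted in the service error.
const GROUPS: Record<string, string[]> = {
  shard: ["ShardCapacity", "ShardCount"],
  network: ["VpcSecurityGroupIds", "SubnetIds"],
  auth: ["AdminUserName", "AdminUserPassword", "AuthType"],
};

// Key-order-independent serialisation so intrinsic objects (Fn::GetAtt, Ref) compare stably.
function stableStringify(v: CfnValue): string {
  if (Array.isArray(v)) return "[" + v.map(stableStringify).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, CfnValue>;
    return "{" + Object.keys(o).sort()
      .map(k => JSON.stringify(k) + ":" + stableStringify(o[k])).join(",") + "}";
  }
  return JSON.stringify(v) ?? "undefined";
}

// Names of the property groups whose values differ between the two property maps.
function changedGroups(oldProps: Record<string, CfnValue>, newProps: Record<string, CfnValue>): string[] {
  return Object.entries(GROUPS)
    .filter(([, keys]) => keys.some(k => stableStringify(oldProps[k]) !== stableStringify(newProps[k])))
    .map(([name]) => name);
}

// A password is plaintext when it is a string that is not a CloudFormation
// dynamic reference ({{resolve:secretsmanager:...}} or {{resolve:ssm-secure:...}}).
function isPlaintextPassword(v: CfnValue): boolean {
  return typeof v === "string" && !/^\{\{resolve:(secretsmanager|ssm-secure):/.test(v);
}

function lintDocDbElastic(oldTpl: CfnTemplate, newTpl: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(newTpl.Resources)) {
    if (res.Type !== "AWS::DocDBElastic::Cluster") continue;
    const newProps = res.Properties ?? {};
    if (isPlaintextPassword(newProps["AdminUserPassword"])) {
      findings.push({ logicalId: id, message: "AdminUserPassword is a plaintext literal; use a secretsmanager dynamic reference" });
    }
    const oldRes = oldTpl.Resources[id];
    if (!oldRes || oldRes.Type !== res.Type) continue; // new resource: creation, not an update
    const groups = changedGroups(oldRes.Properties ?? {}, newProps);
    if (groups.length > 1) {
      findings.push({ logicalId: id, message: `update changes ${groups.join(" and ")} in one deployment; split it into separate deployments` });
    }
  }
  return findings;
}

// Constructed "before" template: pre-existing security group, literal password.
const OLD_TEMPLATE: CfnTemplate = {
  Resources: {
    elasticDocDbCluster: {
      Type: "AWS::DocDBElastic::Cluster",
      Properties: {
        AdminUserName: "admin", AdminUserPassword: "password", AuthType: "PLAIN_TEXT",
        ClusterName: "demo-cluster", ShardCapacity: 2, ShardCount: 1,
        SubnetIds: ["subnet-aaaa1111", "subnet-bbbb2222"], VpcSecurityGroupIds: ["sg-1234"],
      },
    },
  },
};

// Returns a copy of the template with one resource's properties patched (hypothetical helper).
function withProps(tpl: CfnTemplate, id: string, patch: Record<string, CfnValue>): CfnTemplate {
  const res = tpl.Resources[id];
  return { Resources: { ...tpl.Resources, [id]: { ...res, Properties: { ...(res.Properties ?? {}), ...patch } } } };
}

const NEW_SG = { "Fn::GetAtt": ["docDbSGDD5902", "GroupId"] };
const SECRET_REF = "{{resolve:secretsmanager:docdb-admin:SecretString:password}}"; // constructed secret name

// Scenario 1: security group and password both change -> two groups in one update.
const NETWORK_AND_AUTH = withProps(OLD_TEMPLATE, "elasticDocDbCluster",
  { VpcSecurityGroupIds: [NEW_SG], AdminUserPassword: SECRET_REF });
// Scenario 2: only the security group changes, password still a literal.
const NETWORK_ONLY = withProps(OLD_TEMPLATE, "elasticDocDbCluster", { VpcSecurityGroupIds: [NEW_SG] });

function runExample(): Record<string, Finding[]> {
  return {
    networkAndAuth: lintDocDbElastic(OLD_TEMPLATE, NETWORK_AND_AUTH),
    networkOnly: lintDocDbElastic(OLD_TEMPLATE, NETWORK_ONLY),
  };
}

console.log(JSON.stringify(runExample(), null, 2));
```

Point this at the JSON under cdk.out/ from a synth of the committed stack and of the working tree to catch the combination before `cdk deploy` rolls back. The lint only sees what is in the templates; it cannot see what the CloudFormation resource handler itself sends to the DocDB Elastic API on update.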