
aws-docdbelastic: Unable to update security group #29097

Open
Exter-dg opened this issue Feb 14, 2024 · 3 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments


Exter-dg commented Feb 14, 2024

Describe the bug

When updating the security group in docdbElasticCluster, CDK throws an error:

DocumentDBStack failed: Error: The stack named DocumentDBStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Shard configuration, network parameters (security groups and subnets) and Authentication parameters (secret ARN and password) cannot be modified at the same time. (Service: DocDbElastic, Status Code: 400, Request ID: 53edd146-bc75-40b6-a756-af6df4d019c2)" (RequestToken: c4d30044-c9c1-2ec2-24d2-ed5bde5784e9, HandlerErrorCode: InvalidRequest)

Earlier I used to pass a SG ARN manually.
Now, we create a new security group in the same stack.

New Code:

// Imports assumed from the surrounding stack file (aws-cdk-lib v2):
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as docdbelastic from 'aws-cdk-lib/aws-docdbelastic';

// The following runs inside the stack constructor; `vpc` and `props` come from the enclosing stack.

/**
 * Create a new Security Group
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html
 */
const securityGroup = new ec2.SecurityGroup(this, 'docDbSG', {
  vpc: vpc,
});

// Add ingress rules (every port and protocol from 10.0.0.0/8)
securityGroup.addIngressRule(ec2.Peer.ipv4("10.0.0.0/8"), ec2.Port.allTraffic(), "allow from internal network");

/**
 * Create a new Document DB Elastic Cluster
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_docdbelastic.CfnCluster.html
 */
new docdbelastic.CfnCluster(this, 'elasticDocDbCluster', {
  adminUserName: props!.docDbAdminUserName,
  adminUserPassword: "password", // placeholder value as posted in the report
  authType: props!.docDbAuthType,
  clusterName: props!.docDbClusterName,
  shardCapacity: props!.docDbShardCapacity,
  shardCount: props!.docDbShardCount,
  subnetIds: props!.dataSubnets,
  // Reference the new group's id; in the synthesized template this becomes Fn::GetAtt
  vpcSecurityGroupIds: [securityGroup.securityGroupId],
});

CDK Diff only shows that the security group is being updated:

Resources
[+] AWS::EC2::SecurityGroup docDbSG docDbSGDD5902
[~] AWS::DocDBElastic::Cluster elasticDocDbCluster elasticDocDbCluster
 └─ [~] VpcSecurityGroupIds
     └─ @@ -1,3 +1,8 @@
        [ ] [
        [-]   "sg-1234"
        [+]   {
        [+]     "Fn::GetAtt": [
        [+]       "docDbSGDD5902",
        [+]       "GroupId"
        [+]     ]
        [+]   }
        [ ] ]
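Review bot: the only property this hunk changes is VpcSecurityGroupIds (the literal "sg-1234" is replaced by Fn::GetAtt on docDbSGDD5902); ShardCapacity, ShardCount, SubnetIds and the authentication properties are untouched in the template, so the service's complaint about modifying shard, network and authentication parameters together cannot be explained from the diff alone. Worth capturing the actual update request the resource handler issues for this change before concluding that a one-property template change is what the service rejects.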

Expected Behavior

SG should be updated

Current Behavior

Throws error

Reproduction Steps

Code

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.123.0

Framework Version

No response

Node.js Version

v16.20.2

OS

Linux/UNIX

Language

TypeScript

Language Version

No response

Other information

No response

@Exter-dg Exter-dg added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Feb 14, 2024
@Exter-dg Exter-dg changed the title aws_docdbelastic: Unable to update security group aws-docdbelastic: Unable to update security group Feb 14, 2024
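The error message quoted in the report states the constraint the DocDbElastic service enforces: shard configuration, network parameters and authentication parameters cannot change in one update. The following is an added example, not code from the issue or from aws-cdk, of a pre-deployment check that compares the currently deployed template with the candidate from `cdk synth` and flags any AWS::DocDBElastic::Cluster update that touches more than one of those groups. The grouping of properties is an assumption read off the error text and the CfnCluster props shown in the report, not an authoritative list, and the sample templates are constructed. Note that in this report only VpcSecurityGroupIds changed in the template and the update still failed, so the check guards planned changes against the documented constraint; it does not explain this particular failure.

```typescript
// Added example, not from the issue or aws-cdk. Compares two synthesized
// CloudFormation templates and reports DocDB Elastic cluster updates that
// change properties from more than one mutually exclusive group.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

export interface Finding {
  logicalId: string;
  groups: string[];
  changedProperties: string[];
}

// Assumed grouping taken from the service error text: shard configuration,
// network parameters (security groups and subnets), authentication parameters.
const EXCLUSIVE_GROUPS: Record<string, string[]> = {
  shard: ["ShardCapacity", "ShardCount"],
  network: ["SubnetIds", "VpcSecurityGroupIds"],
  auth: ["AdminUserPassword", "AuthType"],
};

// Canonical serialisation so intrinsic objects such as {"Fn::GetAtt": [...]}
// compare by value regardless of key order. An absent property serialises as
// "undefined" and therefore differs from any present value.
function canonical(value: unknown): string {
  if (Array.isArray(value)) {
    return "[" + value.map(canonical).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
  }
  return String(JSON.stringify(value));
}

export function findConflictingUpdates(before: CfnTemplate, after: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(after.Resources)) {
    const next = after.Resources[logicalId];
    if (next.Type !== "AWS::DocDBElastic::Cluster") continue;
    const prev = before.Resources[logicalId];
    // A cluster that did not exist before is a create, not an update.
    if (!prev || prev.Type !== next.Type) continue;
    const changedProperties: string[] = [];
    const touchedGroups: string[] = [];
    for (const group of Object.keys(EXCLUSIVE_GROUPS)) {
      for (const prop of EXCLUSIVE_GROUPS[group]) {
        const was = canonical((prev.Properties || {})[prop]);
        const now = canonical((next.Properties || {})[prop]);
        if (was !== now) {
          changedProperties.push(prop);
          if (touchedGroups.indexOf(group) < 0) touchedGroups.push(group);
        }
      }
    }
    if (touchedGroups.length > 1) {
      findings.push({ logicalId, groups: touchedGroups, changedProperties });
    }
  }
  return findings;
}

// Constructed sample templates mirroring the report: the deployed template
// references a literal group id, the candidates reference a new SG via Fn::GetAtt.
function cluster(overrides: Record<string, unknown>): CfnTemplate {
  return {
    Resources: {
      elasticDocDbCluster: {
        Type: "AWS::DocDBElastic::Cluster",
        Properties: {
          AdminUserName: "admin",
          AuthType: "PLAIN_TEXT",
          ClusterName: "example",
          ShardCapacity: 2,
          ShardCount: 1,
          SubnetIds: ["subnet-aaaa", "subnet-bbbb"],
          VpcSecurityGroupIds: ["sg-1234"],
          ...overrides,
        },
      },
    },
  };
}

export const DEPLOYED = cluster({});
export const SG_ONLY = cluster({
  VpcSecurityGroupIds: [{ "Fn::GetAtt": ["docDbSGDD5902", "GroupId"] }],
});
export const SG_AND_SHARDS = cluster({
  VpcSecurityGroupIds: [{ "Fn::GetAtt": ["docDbSGDD5902", "GroupId"] }],
  ShardCount: 2,
});

export function demo(): { sgOnly: Finding[]; sgAndShards: Finding[] } {
  return {
    sgOnly: findConflictingUpdates(DEPLOYED, SG_ONLY),        // no finding
    sgAndShards: findConflictingUpdates(DEPLOYED, SG_AND_SHARDS), // one finding: shard + network
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

For real use, feed `findConflictingUpdates` the template JSON of the deployed stack and the one produced by `cdk synth` for the candidate change, and fail the pipeline when it returns any finding; the update then has to be split into separate deployments, one group at a time.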
Contributor

pahud commented Feb 14, 2024

I guess it's the restriction from CloudFormation that does not allow you to update that at the same time, and you need to create a new security group instead.

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2024
@Exter-dg
Author

@pahud So what's the workaround? I even tried creating the security group first and then trying to add it to the docdb cluster. It still throws the same error.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 16, 2024
@Exter-dg
Author

Exter-dg commented Feb 26, 2024

Temporary workaround: I removed the SG association with DocDB and manually ran the stack. This created the new SG. Later on, I manually added this SG to our DocDB cluster from AWS console. I again updated our code to its original state - attaching the SG to our docdb cluster using CDK. When it was deployed again, it ran without issues.
