aws_docdbelastic : Changing AUTH_TYPE doesn't trigger replacement

[Exter-dg]

Describe the bug

Changing AUTH_TYPE doesn't trigger replacement

Expected Behavior

When I try to change the AUTH_TYPE of Elastic docdb cluster from PLAIN_TEXT to SECRET_ARN, a replacement should be triggered. Wherein, the old cluster should be deleted and new cluster should be created.

Current Behavior

When I try to change the AUTH_TYPE of Elastic docdb cluster from PLAIN_TEXT to SECRET_ARN or vice-versa, a new cluster is created but it fails with an error that cluster with this name already exists.

Error -

Cluster name xyz is not valid because cluster xyz exists. (Service: DocDbElastic, Status Code: 400, Request ID: 7bd649c5-77ff-4d38-85ca-2eb51fcb4c75)"

Even the CDK diff shows that the cluster will be replaced

~] AWS::DocDBElastic::Cluster elasticDocDbCluster elasticDocDbCluster replace
 ├─ [~] AdminUserPassword
 │   └─ @@ -1,1 +1,3 @@
 │      [-] "adminUserPassword"
 │      [+] {
 │      [+]   "Ref": "docDbSecret44E78"
 │      [+] }
 └─ [~] AuthType (requires replacement)
     ├─ [-] PLAIN_TEXT
     └─ [+] SECRET_ARN

Reproduction Steps

Change AUTH_TYPE of existing cluster from CDK.

Possible Solution

Cloud formation shows that it is creating a new resource. Shouldn't it delete the old one first?

Additional Information/Context

No response

CDK CLI Version

2.123.0

Framework Version

No response

Node.js Version

v16.20.2

OS

Linux/UNIX

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Can you share your CDK code? I guess this could be a CFN bug as the ClusterName is required but replacing with a new one is having a conflict.

[Exter-dg]

@pahud Here is the snippet

import {
  aws_docdbelastic as docdbelastic,
  aws_secretsmanager as secretsmanager
} from 'aws-cdk-lib';

/**
 * Create a new secret
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html
 */
const secret = new secretsmanager.Secret(this, 'Secret', {
  description: SecretDescription,
  secretName: SecretName,
  generateSecretString: {
    excludeCharacters: '/@":+&$?#[]',
  }
});

/**
 * Create a new Document DB Elastic Cluster
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_docdbelastic.CfnCluster.html
 */
new docdbelastic.CfnCluster(this, 'elasticDocDbCluster', {
  adminUserName: AdminUserName,
  adminUserPassword: secret.secretArn,
  authType: "SECRET_ARN",
  clusterName: "ClusterName",
  shardCapacity: ShardCapacity,
  shardCount: ShardCount,
  subnetIds: dataSubnets,
  vpcSecurityGroupIds: [securityGroup.securityGroupId],
});