0
votes

I first restored an Aurora RDS cluster from a cluster snapshot using a CloudFormation template. Then I removed the snapshot identifier, updated the password and performed a stack update, keeping everything else in the CFT unchanged. But the stack always prints the

Requested update requires the creation of a new physical resource; hence creating one.

message and starts creating a new cluster. Here is my CFT for the cluster.

"DatabaseCluster": {
  "Type": "AWS::RDS::DBCluster",
  "DeletionPolicy": "Snapshot",
  "Properties": {
    "BackupRetentionPeriod": {
      "Ref": "BackupRetentionPeriod"
    },
    "Engine": "aurora-postgresql",
    "EngineVersion": {
      "Ref": "EngineVersion"
    },
    "Port": {
      "Ref": "Port"
    },
    "MasterUsername": {
      "Fn::If" : [
        "isUseDBSnapshot",
        {"Ref" : "AWS::NoValue"},
        {"Ref" : "MasterUsername"}
      ]
    },
    "MasterUserPassword": {
      "Fn::If" : [
        "isUseDBSnapshot",
        {"Ref" : "AWS::NoValue"},
        {"Ref" : "MasterPassword"}
      ]
    },
    "DatabaseName": {
      "Fn::If" : [
        "isUseDBSnapshot",
        {"Ref" : "AWS::NoValue"},
        {"Ref" : "DBName"}
      ]
    },
    "SnapshotIdentifier" : {
      "Fn::If" : [
        "isUseDBSnapshot",
        {"Ref" : "SnapshotIdentifier"},
        {"Ref" : "AWS::NoValue"}
      ]
    },
    "PreferredBackupWindow": "01:00-02:00",
    "PreferredMaintenanceWindow": "mon:03:00-mon:04:00",
    "DBSubnetGroupName": {"Ref":"rdsDbSubnetGroup"},
    "StorageEncrypted":{"Ref" : "StorageEncrypted"},
    "DBClusterParameterGroupName": {"Ref" : "RDSDBClusterParameterGroup"},
    "VpcSecurityGroupIds": [{"Ref" : "CommonSGId"}]
  }
}

According to the AWS RDS CFT docs, a MasterUserPassword update doesn't need a cluster replacement.

Is there anything wrong with my CFT or is this an issue with AWS?


1 Answer

1
votes

If you just wish to update the password of the DB instance, you shouldn't remove the snapshot identifier. I understand that you might be worried about losing data if the snapshot is being restored.

However, that is not the case with CloudFormation. CloudFormation checks precisely what changes you have made and performs the relevant operation. If you are changing just the password, then it will not tamper with your data, whatever state it is in.

However, removing the snapshot identifier means you want to change the DB and remove the snapshot from it. So it will replace your DB instance.

Check the link below for more details on what happens when changing each parameter. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-snapshotidentifier

It clearly specifies that any change in the snapshot identifier will result in replacement.
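A preflight check for the behaviour the answer describes, added here as example code (not from the question, the answer or AWS): it resolves the question's Fn::If / Ref / AWS::NoValue pattern the way CloudFormation does and flags every effective property change that the DBCluster resource reference lists as requiring replacement. The parameter values are constructed, and REPLACEMENT_PROPS is a partial list from the linked reference.

```python
# Properties of AWS::RDS::DBCluster whose change forces replacement, taken from
# the AWS resource reference linked in the answer (partial list; extend as needed).
REPLACEMENT_PROPS = {"SnapshotIdentifier", "MasterUsername", "DatabaseName",
                     "Engine", "StorageEncrypted"}

# Constructed excerpt of the question's DBCluster properties (same Fn::If pattern).
CLUSTER_PROPS = {
    "Engine": "aurora-postgresql",
    "MasterUsername": {"Fn::If": ["isUseDBSnapshot",
                                  {"Ref": "AWS::NoValue"}, {"Ref": "MasterUsername"}]},
    "MasterUserPassword": {"Fn::If": ["isUseDBSnapshot",
                                      {"Ref": "AWS::NoValue"}, {"Ref": "MasterPassword"}]},
    "SnapshotIdentifier": {"Fn::If": ["isUseDBSnapshot",
                                      {"Ref": "SnapshotIdentifier"}, {"Ref": "AWS::NoValue"}]},
}

def resolve(node, conditions, params):
    """Evaluate Fn::If and Ref so the properties CloudFormation actually sees are visible.
    AWS::NoValue resolves to None, and None-valued keys are dropped, as CloudFormation does."""
    if isinstance(node, dict):
        if "Fn::If" in node:
            cond, if_true, if_false = node["Fn::If"]
            return resolve(if_true if conditions[cond] else if_false, conditions, params)
        if "Ref" in node:
            ref = node["Ref"]
            return None if ref == "AWS::NoValue" else params.get(ref, ref)
        resolved = {k: resolve(v, conditions, params) for k, v in node.items()}
        return {k: v for k, v in resolved.items() if v is not None}
    if isinstance(node, list):
        return [v for v in (resolve(i, conditions, params) for i in node) if v is not None]
    return node

def classify_changes(before, after):
    """Map each effective property that differs between two resolved versions to
    'Replacement' (per REPLACEMENT_PROPS) or 'no replacement listed'."""
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    return {k: "Replacement" if k in REPLACEMENT_PROPS else "no replacement listed"
            for k in changed}

def preflight(use_snapshot_before, use_snapshot_after, params_before, params_after):
    """Resolve the template under the old and new condition/parameter values and
    report which property changes would make CloudFormation replace the cluster."""
    before = resolve(CLUSTER_PROPS, {"isUseDBSnapshot": use_snapshot_before}, params_before)
    after = resolve(CLUSTER_PROPS, {"isUseDBSnapshot": use_snapshot_after}, params_after)
    return classify_changes(before, after)

if __name__ == "__main__":
    # The question's scenario: restored from a snapshot, then snapshot id removed and password set.
    print(preflight(True, False, {"SnapshotIdentifier": "snap-restore-1"},
                    {"MasterUsername": "admin", "MasterPassword": "pw-2"}))
```

Note that flipping the condition also turns MasterUsername from AWS::NoValue into a value, which is itself a replacement-forcing change; the authoritative check before any update is a CloudFormation change set, which reports Replacement per resource without modifying anything.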