rds: upgrade to 2.215.0 causes replacement on DatabaseCluster due to changed KmsKeyId #35543

@MoartnW

Describe the bug

I have the following setup deployed using an earlier version of CDK:

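import { Duration, RemovalPolicy } from 'aws-cdk-lib';
import { Key } from 'aws-cdk-lib/aws-kms';
import {
	CaCertificate,
	ClusterInstance,
	DatabaseCluster,
	DatabaseInsightsMode,
	NetworkType,
} from 'aws-cdk-lib/aws-rds';

// Runs inside a Stack; vpc, dbEngine and dbParameterGroup are defined elsewhere in it.
const rdsEncryptionKey = new Key(this, 'RdsKey', {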
	description: 'Key for RDS',
});
const alias = rdsEncryptionKey.addAlias('rds/myalias');

const database = new DatabaseCluster(this, 'DatabaseCluster', {
	vpc: vpc,
	vpcSubnets: { onePerAz: false, subnetGroupName: 'Private' },
	engine: dbEngine,
	parameterGroup: dbParameterGroup,
	networkType: NetworkType.IPV4,
	writer: ClusterInstance.serverlessV2('writer', {
		caCertificate: CaCertificate.RDS_CA_RSA2048_G1,
		allowMajorVersionUpgrade: false,
		autoMinorVersionUpgrade: true,
	}),
	copyTagsToSnapshot: true,
	databaseInsightsMode: DatabaseInsightsMode.STANDARD,
	deletionProtection: true,
	removalPolicy: RemovalPolicy.SNAPSHOT,
	storageEncryptionKey: alias,
	serverlessV2MaxCapacity: 2,
	serverlessV2MinCapacity: 1,
	defaultDatabaseName: 'defaultdatabase',
	backup: {
		retention: Duration.days(7),
		preferredWindow: '04:18-04:48'
	},
	preferredMaintenanceWindow: 'wed:02:20-wed:02:50',
	enableClusterLevelEnhancedMonitoring: true,
	monitoringInterval: Duration.seconds(60),
});

Without having any code changes, when I do a diff with 2.215.0, I get the following breaking change/replacement:

Image

When deploying, this actually replaces the database cluster.

After downgrading to 2.214.0 and doing a diff again, I don't get any changes, as expected.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

2.214.0

Expected Behavior

I don't expect the database cluster to be replaced after upgrading aws-cdk-lib.

Current Behavior

The cluster gets replaced.

Reproduction Steps

Using 2.214.0 or earlier, create and deploy a minimal stack containing a DatabaseCluster that uses a KMS alias as the storageEncryptionKey. Upgrade to 2.215, and run a diff.

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.215.0

AWS CDK CLI version

2.1029.2

Node.js Version

22.14.0

OS

Ubuntu (WSL)

Language

Python, TypeScript

Language Version

No response

Other information

No response
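A pre-deploy check for the situation reported above, as an added example that is not part of the original issue or of aws-cdk: it compares two synthesized CloudFormation templates (for instance the synthesized output under each library version) and lists every `AWS::RDS::DBCluster` whose `KmsKeyId` differs. The function names, logical IDs and template values are constructed and do not reproduce the values from the issue's diff.

```typescript
// Added example: flag AWS::RDS::DBCluster resources whose KmsKeyId differs
// between two synthesized CloudFormation templates.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };
interface KmsDrift { logicalId: string; before: unknown; after: unknown }

// Key-order-independent serialization, so equal intrinsics compare equal.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return '[' + v.map((x) => canonical(x)).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    const o = v as Record<string, unknown>;
    const parts = Object.keys(o).sort().map((k) => JSON.stringify(k) + ':' + canonical(o[k]));
    return '{' + parts.join(',') + '}';
  }
  return v === undefined ? 'undefined' : JSON.stringify(v);
}

function findKmsKeyDrift(oldT: Template, newT: Template): KmsDrift[] {
  const drift: KmsDrift[] = [];
  const oldRes = oldT.Resources ?? {};
  const newRes = newT.Resources ?? {};
  for (const logicalId of Object.keys(newRes)) {
    const next = newRes[logicalId];
    const prev = oldRes[logicalId];
    if (!next || next.Type !== 'AWS::RDS::DBCluster') continue;
    // A cluster absent from the old template is a creation, not a replacement.
    if (!prev || prev.Type !== next.Type) continue;
    const before = prev.Properties?.KmsKeyId;
    const after = next.Properties?.KmsKeyId;
    if (canonical(before) !== canonical(after)) drift.push({ logicalId, before, after });
  }
  return drift;
}

// Constructed sample templates (logical IDs and values are made up).
const sampleOld: Template = { Resources: {
  DatabaseClusterSample: { Type: 'AWS::RDS::DBCluster',
    Properties: { StorageEncrypted: true, KmsKeyId: { Ref: 'RdsKeySample' } } },
} };
const sampleNew: Template = { Resources: {
  DatabaseClusterSample: { Type: 'AWS::RDS::DBCluster',
    Properties: { StorageEncrypted: true, KmsKeyId: { 'Fn::GetAtt': ['RdsKeySample', 'Arn'] } } },
} };

for (const d of findKmsKeyDrift(sampleOld, sampleNew)) {
  console.log(`${d.logicalId}: KmsKeyId changed (replace-on-update property); review before deploy`);
}
```

A non-empty result is a reason to stop a pipeline before deployment, since `KmsKeyId` is a replace-on-update property of `AWS::RDS::DBCluster`.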

Labels

  • @aws-cdk/aws-rds: Related to Amazon Relational Database
  • bug: This issue is a bug.
  • effort/medium: Medium work item – several days of effort
  • p1
  • potential-regression: Marking this issue as a potential regression to be checked by team member