
aws-ec2: SecurityGroupIngress resources create volatile, stage-scope dependent names

Open moltar opened this issue 1 year ago • 1 comments

Describe the bug

After placing an existing Stack into a Stage, and even when hard-coding the Stack name to the one deployed, there's a large diff produced, where each AWS::EC2::SecurityGroupIngress (CfnSecurityGroupIngress) resource inherits the Stage name.

- DBSecurityGroupfromrdsdbfoodevDBSecurityGroup8C2C7014IndirectPort2D31B69D
+ DBSecurityGroupfromdevrdsdbfoodevDBSecurityGroup15286DE1IndirectPort48BD0C23
#                    ^^^ This is the stage name being added

Expected Behavior

Stage name should not leak into the naming scope when Stack names are provided.

Current Behavior

Stage name affects the resource IDs.

Reproduction Steps

Already described in the bug.

Possible Solution

N/A

Additional Information/Context

Probably happens here:

https://github.com/aws/aws-cdk/blob/3c36fe968e2f2c121e5bfc828100a9e7dafb5c26/packages/aws-cdk-lib/aws-ec2/lib/security-group.ts#L93-L98

Why is the scope value (not this) passed to CfnSecurityGroupIngress?

CDK CLI Version

2.144.0

Framework Version

No response

Node.js Version

v20.14.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

moltar avatar Jun 19 '24 13:06 moltar
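To make the diff above reproducible without deploying anything, here is an added example (not aws-cdk's own code) that re-implements, in plain TypeScript, the path-based unique-id scheme CDK uses for logical IDs and for `Names.nodeUniqueId`, then derives the ingress rule's logical ID for the two construct trees from the issue. Assumptions: the construct ids `dev` (Stage), `rds-db-foo-dev` (Stack) and `DBSecurityGroup`, and the rule id shape `from <peerUniqueId>:<port>`, are read off the IDs in the report; the md5/8-character hash mirrors CDK's `makeUniqueId` as I understand it, so the exact hash suffixes are not asserted, only the structure.

```typescript
import { createHash } from "crypto";

const HASH_LEN = 8;
const MAX_HUMAN_LEN = 240;

function removeNonAlphanumeric(s: string): string {
  return s.replace(/[^A-Za-z0-9]/g, "");
}

// Drop a component that merely repeats the tail of its predecessor (human part only).
function removeDupes(path: string[]): string[] {
  const out: string[] = [];
  for (const c of path) {
    if (out.length === 0 || !out[out.length - 1].endsWith(c)) out.push(c);
  }
  return out;
}

/** CDK-style unique id for a construct path (root App excluded), as assumed here. */
export function makeUniqueId(components: string[]): string {
  components = components.filter((c) => c !== "Default"); // "Default" scopes are invisible
  if (components.length === 0) throw new Error("empty construct path");
  if (components.length === 1) return removeNonAlphanumeric(components[0]);
  // The hash covers the whole '/'-joined path, so every ancestor id (Stage included) feeds it.
  const hash = createHash("md5").update(components.join("/")).digest("hex")
    .slice(0, HASH_LEN).toUpperCase();
  const human = removeDupes(components)
    .filter((c) => c !== "Resource") // hidden from the readable prefix only
    .map(removeNonAlphanumeric).join("").slice(0, MAX_HUMAN_LEN);
  return human + hash;
}

/** Logical id of the ingress rule that a peer SG adds onto the target SG.
 *  targetPathInStack: target SG path relative to its Stack (logical ids are stack-scoped).
 *  peerFullPath: peer SG path from the App root, which is what Names.nodeUniqueId uses. */
export function ingressLogicalId(targetPathInStack: string[], peerFullPath: string[], port: string): string {
  const peerUniqueId = makeUniqueId(peerFullPath);
  const ruleId = `from ${peerUniqueId}:${port}`; // id chosen by addIngressRule
  return makeUniqueId([...targetPathInStack, ruleId]);
}

// Constructed scenario from the issue: same stack, first directly under the App,
// then under a Stage "dev". A hard-coded stackName is not part of the path, so it
// cannot stop the peer's unique id (and therefore the rule id) from changing.
export const BEFORE = ingressLogicalId(["DBSecurityGroup"], ["rds-db-foo-dev", "DBSecurityGroup"], "IndirectPort");
export const AFTER = ingressLogicalId(["DBSecurityGroup"], ["dev", "rds-db-foo-dev", "DBSecurityGroup"], "IndirectPort");
```

Because the ID changes, CloudFormation treats the rule as a replacement (delete old, create new), so a diff like this deserves review before deploy rather than a reflexive approve.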

Thank you for the callout. We'll bring this to the team's attention.

pahud avatar Jun 26 '24 16:06 pahud

Hi @moltar,

Thanks for opening this issue! After reviewing the details, we found some other discussions that may be closely related:

Related Issues

  • #1424: Both issues address fundamental problems in CDK's logical ID generation system affecting resource stability. While the current issue specifically focuses on SecurityGroupIngress resources inheriting stage names, this issue discusses the broader logical ID generation strategy including hashing, uniqueness, and stability concerns. Both highlight how the CDK's approach to generating resource identifiers can lead to unexpected changes when refactoring or composing constructs.

  • #10898: Both issues demonstrate how parent construct paths unexpectedly affect resource IDs despite attempts to maintain stability. The current issue shows SecurityGroupIngress resources inheriting stage names when placed in a Stage, while this issue reports stack IDs changing despite being hard-coded. Both reveal inconsistencies in the CDK's logical ID generation system that can lead to unexpected resource replacement during updates.

  • #31345: Both issues involve construct positioning affecting logical IDs in unexpected ways. The current issue demonstrates how stage names leak into SecurityGroupIngress resource IDs, while this issue shows how the order of stacks affects CdkJsonStringify resource IDs. Both highlight issues with the CDK's approach to logical ID generation where the construct tree structure influences resource identifiers in ways that compromise stability.

This message was generated automatically to help connect related conversations and improve discoverability.

Please react with 👍 or 👎 to let us know if this response was helpful!

Thank you for helping improve CDK! 🙌