CloudFormation drift detection fails for AWS::RDS::DBProxyTargetGroup with “dBProxyName must not be null”

I’m seeing a consistent drift detection failure on an RDS Proxy target group resource, and it appears to happen during CloudFormation drift evaluation (not synth/deploy).

Setup:

  • CDK app (Python)
  • Region: us-west-2
  • Command: cdk drift <STACK_NAME> --verbose
  • CDK CLI version: 2.1111.0

Error:

Failed to detect drift on resources [<RESOURCE_ID>] 1 validation error detected: Value null at 'dBProxyName' failed to satisfy constraint: Member must not be null (Service: Rds, Status Code: 400)

Why this seems like drift/provider behavior:

  • Synth succeeds.
  • Generated template includes:
    • AWS::RDS::DBProxy with DBProxyName set to a non-null string.
    • AWS::RDS::DBProxyTargetGroup with DBProxyName set via Ref to the proxy resource.
  • Drift detection still fails only on the target group resource.

Is this a known CloudFormation drift issue for AWS::RDS::DBProxyTargetGroup? Is there an AWS-recommended workaround for drift checks on stacks containing this resource?

1 Answer

Based on the information available, this appears to be related to how CloudFormation's drift detection interacts with the AWS::RDS::DBProxyTargetGroup resource type. During drift detection, CloudFormation performs a read operation on the resource to compare its actual state with the expected template configuration.

The error you're encountering suggests that during the drift detection read operation, the DBProxyName parameter is not being properly passed or retrieved, even though it's correctly specified in your template via the Ref function. This is likely occurring because drift detection performs independent API calls to describe the resource's current state, and there may be an issue with how the resource provider handles the read operation for this specific resource type.

For AWS::RDS::DBProxyTargetGroup specifically, the TargetGroupName property has a constraint where it must currently be set to "default". This resource type may have specific behaviors during drift detection that differ from standard resource operations.

While drift detection is designed to identify when resources have been modified outside of CloudFormation, certain resource types may not fully support drift detection or may have limitations in how their properties are evaluated. Resources that don't currently support drift detection aren't checked during the drift detection process.

As a potential workaround, you might consider:

  1. Temporarily excluding the DBProxyTargetGroup resource from drift detection if your drift detection tooling supports resource-level exclusions
  2. Verifying that the DBProxy resource itself is successfully created and in a stable state before running drift detection
  3. Checking if there are any IAM permissions issues that might prevent CloudFormation from properly reading the target group configuration during drift detection

This appears to be a resource-specific behavior rather than a general CloudFormation drift detection issue, and may warrant reporting to AWS Support if it's blocking your drift detection workflows.

Sources
CfnDBProxyTargetGroup — AWS Cloud Development Kit 2.245.0 documentation
CfnDBProxyTargetGroupProps — AWS Cloud Development Kit 2.245.0 documentation
describe_stack_resource_drifts - Boto3 1.42.50 documentation

answered 2 months ago
EXPERT
reviewed 2 months ago
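
One way to apply the resource-level exclusion suggested in the answer above, as an added example that is not part of the original question or answer and is not AWS-provided code: run drift detection one resource at a time with boto3's `detect_stack_resource_drift`, skip the failing type, and record any other API error instead of aborting the run. The function names, the `SKIP_TYPES` set and the `SKIPPED`/`ERROR` labels are assumptions made for this sketch, and the page does not confirm that this avoids the error for this particular stack.

```python
try:
    from botocore.exceptions import ClientError
except ImportError:  # keeps the sketch importable where boto3 is not installed
    ClientError = Exception

# Resource types to exclude; this is the type that fails in the question above.
SKIP_TYPES = {"AWS::RDS::DBProxyTargetGroup"}


def detect_drift_per_resource(cfn, stack_name, skip_types=SKIP_TYPES):
    """Run drift detection resource by resource.

    cfn is a boto3 CloudFormation client, e.g. boto3.client("cloudformation").
    Returns {logical_id: status}, where status is the API's
    StackResourceDriftStatus, "SKIPPED", or "ERROR: <message>".
    """
    results = {}
    paginator = cfn.get_paginator("list_stack_resources")
    for page in paginator.paginate(StackName=stack_name):
        for res in page["StackResourceSummaries"]:
            logical_id = res["LogicalResourceId"]
            if res["ResourceType"] in skip_types:
                # Excluded resources are listed explicitly so the gap in
                # coverage stays visible in the report.
                results[logical_id] = "SKIPPED"
                continue
            try:
                resp = cfn.detect_stack_resource_drift(
                    StackName=stack_name, LogicalResourceId=logical_id
                )
                drift = resp["StackResourceDrift"]
                results[logical_id] = drift["StackResourceDriftStatus"]
            except ClientError as exc:
                # A failed read on one resource is recorded, not fatal.
                results[logical_id] = f"ERROR: {exc}"
    return results


def unresolved(results):
    """Logical IDs not confirmed IN_SYNC, which still need manual review."""
    return sorted(k for k, v in results.items() if v != "IN_SYNC")
```

Anything returned by `unresolved` (drifted, skipped or errored) has not been verified against the template and should be checked by other means, for example by comparing the proxy target group's live configuration by hand.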
