amazonaurora: Cannot create multiple Aurora Vector Stores due to hardcoded security group names #1141

@rpallas1

Describe the bug

The AmazonAuroraVectorStore and ExistingAmazonAuroraVectorStore constructs use hardcoded security group names (aurora-security-group and lambda-security-group), which prevents creating multiple Aurora vector stores within the same AWS account and region due to naming conflicts.

Affected file: src/cdk-lib/amazonaurora/aurora-vector-store.ts

Problematic code locations:

  1. In createDatabaseCluster() method:

```ts
const auroraSecurityGroup = new ec2.SecurityGroup(this, 'AuroraSecurityGroup', {
  vpc,
  securityGroupName: 'aurora-security-group', // ← Hardcoded name
  description: 'Security group for access to Aurora from Lambda',
});
```

  2. In createLambdaSecurityGroup() method:

```ts
protected createLambdaSecurityGroup(vpc: ec2.IVpc): ec2.SecurityGroup {
  return new ec2.SecurityGroup(this, 'LambdaSecurityGroup', {
    vpc,
    securityGroupName: 'lambda-security-group', // ← Hardcoded name
    description: 'Security group for Lambda access to Aurora',
  });
}
```

Expected Behavior

Should be able to create multiple Aurora vector stores in the same AWS account and region without security group naming conflicts.

Current Behavior

When attempting to deploy a second Aurora vector store (either a new instance or using fromExistingAuroraVectorStore), the deployment fails with a security group name conflict error because AWS doesn't allow duplicate security group names within the same VPC.

Example error:

```
A security group with the name 'aurora-security-group' already exists
```

Reproduction Steps

  1. Deploy a CDK stack with an AmazonAuroraVectorStore construct:

```ts
const vectorStore1 = new AmazonAuroraVectorStore(this, 'VectorStore1', {
  embeddingsModelVectorDimension: 1536,
});
```

  2. Attempt to deploy another stack (or add to the same stack) with another Aurora vector store:

```ts
const vectorStore2 = new AmazonAuroraVectorStore(this, 'VectorStore2', {
  embeddingsModelVectorDimension: 1536,
});
```

  3. Run cdk deploy
  4. Deployment fails with security group name conflict

Alternative reproduction: Try using fromExistingAuroraVectorStore after previously creating an Aurora vector store with this construct - same error occurs.

Possible Solution

Replace hardcoded security group names with dynamically generated names using the existing generatePhysicalNameV2 utility that's already imported in the file:

```ts
// For Aurora Security Group
const auroraSecurityGroup = new ec2.SecurityGroup(this, 'AuroraSecurityGroup', {
  vpc,
  securityGroupName: generatePhysicalNameV2(this, 'aurora-sg', {
    maxLength: 255,
    lower: true,
    separator: '-',
  }),
  description: 'Security group for access to Aurora from Lambda',
});

// For Lambda Security Group
protected createLambdaSecurityGroup(vpc: ec2.IVpc): ec2.SecurityGroup {
  return new ec2.SecurityGroup(this, 'LambdaSecurityGroup', {
    vpc,
    securityGroupName: generatePhysicalNameV2(this, 'lambda-sg', {
      maxLength: 255,
      lower: true,
      separator: '-',
    }),
    description: 'Security group for Lambda access to Aurora',
  });
}
```

Alternative solution: Remove the securityGroupName property entirely and let CDK auto-generate unique names.

This approach would be consistent with how the construct already handles the Aurora cluster identifier using generatePhysicalNameV2.
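As an added illustration of the fix proposed above (this is not code from the issue or from the construct library), the block below uses a hypothetical `uniqueSecurityGroupName` helper as a stand-in for generatePhysicalNameV2: it derives a deterministic name from the construct path, so two stores in one VPC get different names while a redeploy of the same construct keeps its name. It also includes a small pre-deploy check that applies the EC2 rule behind the error message, that a security group name must be unique within a VPC, to both the hardcoded and the generated naming scheme. The construct paths and VPC id are constructed sample values.

```typescript
// Added illustration, not code from the issue or from the construct library.
// `uniqueSecurityGroupName` is a hypothetical stand-in for generatePhysicalNameV2.

interface NameOptions {
  maxLength: number;  // EC2 limits GroupName to 255 characters
  lower: boolean;
  separator: string;
}

// FNV-1a 32-bit hash, kept dependency-free so the snippet runs anywhere.
// Uniqueness within one deployment is all that matters here, not strength.
function fnv1a(input: string): string {
  let hash = 0x811c9dc5;
  for (let i = 0; i < input.length; i++) {
    hash ^= input.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return ('00000000' + hash.toString(16)).slice(-8);
}

function uniqueSecurityGroupName(constructPath: string, prefix: string, opts: NameOptions): string {
  let name = prefix + opts.separator + fnv1a(constructPath);
  if (opts.lower) name = name.toLowerCase();
  // Truncate from the front so the distinguishing hash suffix survives.
  if (name.length > opts.maxLength) name = name.slice(name.length - opts.maxLength);
  return name;
}

// A planned security group: the VPC it lands in and the GroupName requested.
interface PlannedSecurityGroup { vpcId: string; groupName: string; }

// Pre-deploy check mirroring the EC2 rule that GroupName is unique per VPC.
// Returns the names that would collide; an empty array means the deploy is safe.
function findDuplicateGroupNames(groups: PlannedSecurityGroup[]): string[] {
  const seen: { [key: string]: boolean } = {};
  const duplicates: string[] = [];
  for (const g of groups) {
    const key = g.vpcId + '/' + g.groupName;
    if (seen[key]) {
      if (duplicates.indexOf(g.groupName) === -1) duplicates.push(g.groupName);
    } else {
      seen[key] = true;
    }
  }
  return duplicates;
}

// Constructed sample: two vector stores in the same stack and the same VPC.
const STORE_PATHS = ['MyStack/VectorStore1', 'MyStack/VectorStore2'];
const VPC = 'vpc-0constructed000';
const OPTS: NameOptions = { maxLength: 255, lower: true, separator: '-' };

// Before the fix: every store requests the same literal names.
function hardcodedPlan(): PlannedSecurityGroup[] {
  const plan: PlannedSecurityGroup[] = [];
  for (const _path of STORE_PATHS) {
    plan.push({ vpcId: VPC, groupName: 'aurora-security-group' });
    plan.push({ vpcId: VPC, groupName: 'lambda-security-group' });
  }
  return plan;
}

// After the fix: names are derived from each construct's own path.
function generatedPlan(): PlannedSecurityGroup[] {
  const plan: PlannedSecurityGroup[] = [];
  for (const path of STORE_PATHS) {
    plan.push({ vpcId: VPC, groupName: uniqueSecurityGroupName(path + '/AuroraSecurityGroup', 'aurora-sg', OPTS) });
    plan.push({ vpcId: VPC, groupName: uniqueSecurityGroupName(path + '/LambdaSecurityGroup', 'lambda-sg', OPTS) });
  }
  return plan;
}

console.log('hardcoded conflicts:', findDuplicateGroupNames(hardcodedPlan()));
console.log('generated conflicts:', findDuplicateGroupNames(generatedPlan()));
```

The check is the same one CloudFormation effectively performs at deploy time; running it over the planned names before `cdk deploy` turns the late "already exists" failure into an early, local one, and the path-derived suffix is what removes the collision without making names random across redeploys.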

Additional Information/Context

No response

CDK CLI Version

2.1023.0 (build 45ceb89)

Framework Version

No response

Node.js Version

v23.11.0

OS

MacOS 15.5

Language

Python

Language Version

v3.9.6

Region experiencing the issue

us-west-2

Code modification

No

Other information

No response

Service quota

  • I have reviewed the service quotas for this construct

Labels: bug, needs-triage

Status: Backlog