Can't push updates due to Cloudformation RDS template change

We have an RDS database resource managed by Convox on a v2 rack. We’re trying to push a minor update to application code (unrelated to the database), but are running into a Cloudformation error:

CloudFormation cannot update a stack when a custom-named resource requires replacing. Rename <rack/app>-resourcedatabase-1gt9fi9e87e0c and update the stack again.

Digging deeper, I see that the only diff between the steady-state Cloudformation template and the template that Convox is trying to push to AWS is that the new template has StorageEncrypted: Ref !Encrypted, and since Encrypted is false, what its trying to do is set the StorageEncrypted from an unset, implicit default to an explicit “false”. That’s all well and good, except that setting this attribute on an RDS instance requires replacement.

I cannot understand why this attribute is only now being set. This attribute was added to the postgres.tmpl Cloudformation template back in Nov 2017, but our rack was never even running on a version from 2017:

$ convox rack releases
VERSION UPDATED
20190126182547 3 weeks ago
20190111211123 11 months ago
20180815173013 1 year ago
20180730192707 1 year ago

I see that there is a rack option for postgres called DatabaseSnapshotIdentifier, but it seems like this will attempt to set that var for ALL postgres resources we have, and destroy/replace all of them.

How do I get out of this state? Open to replacing the RDS instance, as painful as that is, but can’t even see a safe way to do so.

I might be wrong, but I don’t believe CloudFormation will throw this warning unless the setting on the RDS instance itself will change, regardless of the CF definition changing. Have you tried setting the configuration explicitly to false in your config?

Which config are you referring to?

You may be right about CF, but for what its worth, we can see that the instance is not using encryption right now, and that during the attempted update, the Encrypted parameter is “false”.