Why is availabilityZones required in IVpcNetwork?
Why is availabilityZones required in IVpcNetwork?
I’m trying to create an ec2.SecurityGroup by only referencing an external VPC by its ID.
In vanilla CloudFormation, a Security Group can be created like this:
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Some description
    VpcId: !ImportValue myVpcId
Note that only GroupDescription and VpcId are required by CloudFormation.
However, using the CDK, I must provide a list of AZs (along with the VPC ID) when creating the ec2.SecurityGroup:
new ec2.SecurityGroup(this, 'MySecurityGroup', {
  vpc: ec2.VpcNetwork.import(this, 'VpcImport', {
    vpcId: cdk.Fn.importValue('myVpcId'),
    availabilityZones: [], // I should not have to specify availabilityZones
  })
});
This is a pain, since I don’t want to either hardcode the AZs or fetch them from somewhere from within my CDK code. If I leave availabilityZones as an empty list, then the CDK will complain: Error: Amount of publicSubnetIds (0) must be a multiple of availability zones (0). The same pain applies to publicSubnetIds.
I think that for UX purposes, CDK users should be able to reference an external VPC only using the VPC’s ID. There’s probably some context that I’m missing as to why availabilityZones (and, transitively, publicSubnetIds) are required. Please enlighten me 😄
Top GitHub Comments
You can avoid the lookup by using CfnSecurityGroup; it’s like writing the CloudFormation configuration directly. Something like this should work for you, if I’m not mistaken:
new CfnSecurityGroup(this, 'MySecurityGroup', {
  groupDescription: 'Some description',
  vpcId: cdk.Fn.importValue('myVpcId')
})
Closing this issue since it seems to have been resolved. Feel free to reopen.