(aws-quicksight): Creating a CfnDataSource for Redshift fails with a cyclic reference caused from SecurityGroup #28062

Closed
flexelem opened this issue Nov 18, 2023 · 3 comments
Labels
@aws-cdk/aws-quicksight: Related to the @aws-cdk/aws-quicksight package
bug: This issue is a bug.
effort/medium: Medium work item – several days of effort
p2
response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments


flexelem commented Nov 18, 2023

Describe the bug

Hi there,

We are passing a redshift.Cluster construct into a stack where we are trying to create a CfnDataSource for Redshift. However, when we pass redshiftCluster.clusterName to the clusterId parameter from RedshiftParameters, synth fails due to a cyclic reference caused by the SecurityGroup we are creating for the QuickSight-to-Redshift connection, which is a CfnVPCConnection.

Expected Behavior

I should create CfnDataSource without a cyclic reference error.

Current Behavior

Synth fails due to error

Error: 'dataUat/Redshift' depends on 'dataUat/QuickSight' (dataUat/Redshift -> dataUat/QuickSight/QuickSightSg/Resource.GroupId). Adding this dependency (dataUat/QuickSight -> dataUat/Redshift/Cluster/Resource.Ref) would create a cyclic reference.
    at QuicksightStack._addAssemblyDependency (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/stack.js:1:11639)
    at operateOnDependency (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/deps.js:1:1831)
    at addDependency (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/deps.js:1:489)
    at QuicksightStack.addDependency (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/stack.js:1:8701)
    at resolveValue (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/private/refs.js:1:3825)
    at resolveReferences (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/private/refs.js:1:1414)
    at prepareApp (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/private/prepare-app.js:1:802)
    at synthesize (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/private/synthesis.js:1:1530)
    at Stage.synth (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/core/lib/stage.js:1:2263)
    at pipelineSynth (/Users/buraktas/workspace/infrastructure-as-code/node_modules/aws-cdk-lib/pipelines/lib/private/construct-internals.js:1:833)

Reproduction Steps

import * as redshift from '@aws-cdk/aws-redshift-alpha';
import * as cdk from 'aws-cdk-lib';
import { aws_ec2 as ec2, aws_iam as iam, aws_quicksight as qs } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagStack } from './common';
import { VpcStack } from './vpc';

export interface QuickSightStackProps extends cdk.StackProps {
  /**
   * Main VPC stack where Redshift should be created.
   */
  vpcStack: VpcStack;

  /**
   * Redshift cluster from redshift stack
   */
  redshiftCluster: redshift.Cluster;
}

export class QuicksightStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: QuickSightStackProps) {
    super(scope, id, props);

    const role = new iam.Role(this, 'QuickSightAssumeRole', {
      assumedBy: new iam.ServicePrincipal('quicksight.amazonaws.com'),
    });
    role.addToPolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: [
        'ec2:CreateNetworkInterface',
        'ec2:ModifyNetworkInterfaceAttribute',
        'ec2:DeleteNetworkInterface',
        'ec2:DescribeSubnets',
        'ec2:DescribeSecurityGroups',
      ],
      resources: ['*'], // We have to use '*' for ec2 resources
    }));

    // quicksight security group
    const quicksightSg = new ec2.SecurityGroup(this, 'QuickSightSg', {
      vpc: props.vpcStack.vpc,
      description: 'Security group for QuickSight to allow access to the required data sources like Redshift, S3',
      allowAllOutbound: false,
    });
    props.redshiftCluster.connections.allowDefaultPortFrom(quicksightSg, 'Allow access from QuickSight');

    const natSubnets = props.vpcStack.vpc.selectSubnets({
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    });

    const qsVpcConn = new qs.CfnVPCConnection(this, 'VPCConnection', {
      awsAccountId: cdk.Stack.of(this).account,
      roleArn: role.roleArn,
      name: 'quicksight-vpc-conn', // this is a REQUIRED attribute
      vpcConnectionId: 'quicksight-vpc-conn', // this is a REQUIRED attribute even though is not from UI
      subnetIds: natSubnets.subnetIds,
      securityGroupIds: [quicksightSg.securityGroupId],
    });

    new qs.CfnDataSource(this, 'RedshiftDataSource', {
      awsAccountId: cdk.Stack.of(this).account,
      name: 'redshift-data-source',
      dataSourceParameters: {
        redshiftParameters: {
          clusterId: props.redshiftCluster.clusterName, // This property causes cyclic reference error pointing to 'quicksightSg'
          database: 'default_db',
        },
      },
      vpcConnectionProperties: {
        vpcConnectionArn: qsVpcConn.attrArn,
      },
    });
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.102.0 (build 2abc59a)

Framework Version

No response

Node.js Version

v18.15.0

OS

macOS Monterey 12.6.3

Language

TypeScript

Language Version

No response

Other information

No response

@flexelem flexelem added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-quicksight Related to the @aws-cdk/aws-quicksight package label Nov 18, 2023

pahud commented Nov 21, 2023

I am still trying to figure it out. Is it clusterId: props.redshiftCluster.clusterName that causes the cyclic reference?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2023
@flexelem
Contributor Author

Hey @pahud, I resolved the issue by only using allowTo for configuring the security groups. But it is still weird to me why I was getting that cyclic reference error only when setting the clusterId property.

quicksightSg.connections.allowTo(props.redshiftCluster.connections, ec2.Port.tcp(5439), 'Allow access from QuickSight');
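
Added example, not part of the thread and not aws-cdk-lib code: the synth error describes a cycle in the stack dependency graph, where the Redshift stack references QuickSightSg's GroupId and the QuickSight stack references the cluster's Ref. The sketch below models cross-stack references as edges and finds that cycle; the `afterFix` layout is an assumption about where the security group rules end up once only `allowTo` is used, and `Ref`, `findCycle`, `reported` and `afterFix` are hypothetical names.

```typescript
// Added illustration (not aws-cdk-lib code): cross-stack references as edges.
type Ref = { consumer: string; producer: string; via: string };

// Returns the stacks forming a dependency cycle, or null if there is none.
function findCycle(refs: Ref[]): string[] | null {
  const deps: Record<string, string[]> = {};
  for (const r of refs) {
    if (r.consumer === r.producer) continue; // same-stack refs add no stack dependency
    (deps[r.consumer] = deps[r.consumer] || []).push(r.producer);
  }
  const state: Record<string, 'visiting' | 'done'> = {};
  const path: string[] = [];
  const visit = (stack: string): string[] | null => {
    if (state[stack] === 'done') return null;
    if (state[stack] === 'visiting') {
      // Back edge: the cycle is the path from the first visit of `stack`.
      return path.slice(path.indexOf(stack)).concat([stack]);
    }
    state[stack] = 'visiting';
    path.push(stack);
    for (const next of deps[stack] || []) {
      const cycle = visit(next);
      if (cycle) return cycle;
    }
    path.pop();
    state[stack] = 'done';
    return null;
  };
  for (const stack of Object.keys(deps)) {
    const cycle = visit(stack);
    if (cycle) return cycle;
  }
  return null;
}

// The two references named in the synth error.
const reported: Ref[] = [
  { consumer: 'dataUat/Redshift', producer: 'dataUat/QuickSight', via: 'QuickSightSg/Resource.GroupId' },
  { consumer: 'dataUat/QuickSight', producer: 'dataUat/Redshift', via: 'Cluster/Resource.Ref' },
];
// Assumed layout after the allowTo change (placeholder token name): the rules
// sit in the QuickSight stack and point at the cluster's security group.
const afterFix: Ref[] = [
  { consumer: 'dataUat/QuickSight', producer: 'dataUat/Redshift', via: '<cluster security group id>' },
  { consumer: 'dataUat/QuickSight', producer: 'dataUat/Redshift', via: 'Cluster/Resource.Ref' },
];

console.log(findCycle(reported), findCycle(afterFix));
```

Keeping every cross-stack security group rule in the stack that already consumes the other stack's outputs keeps all edges pointing one way, which is why the least-privilege rule (TCP 5439 only, no open egress) can stay as written.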
