(aws-rds): grantConnect generates incorrect policy for DatabaseInstanceReadReplica #31061
Comments
I think the culprit is here:

It was added as part of this PR:
I confirmed by applying this workaround. Add this code to the end of the stack for a temporary fix.

```typescript
// Needs, at the top of the file:
// import { CfnDBInstance, DatabaseInstanceReadReplica } from 'aws-cdk-lib/aws-rds';
for (const node of this.node.findAll()) {
  if (node instanceof DatabaseInstanceReadReplica && node.node.defaultChild instanceof CfnDBInstance) {
    // Point instanceResourceId at the replica's DbiResourceId so grantConnect builds the dbuser ARN from it
    Object.assign(node, {
      instanceResourceId: node.node.defaultChild.attrDbiResourceId,
    } satisfies Partial<DatabaseInstanceReadReplica>);
  }
}
```
Reproducible using the code below:

```typescript
import * as iam from 'aws-cdk-lib/aws-iam';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib';
import * as rds from 'aws-cdk-lib/aws-rds';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'myVpc');

    const sourceInstance = new rds.DatabaseInstance(this, 'TestDBInstance', {
      engine: rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_15_4 }),
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),
      vpc,
    });

    const dbReadReplica = new rds.DatabaseInstanceReadReplica(this, 'TestDBReadReplica', {
      sourceDatabaseInstance: sourceInstance,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),
      vpc,
    });

    const role = new iam.Role(this, 'DBTestRole', { assumedBy: new iam.AccountPrincipal(this.account) });

    // Grants rds-db:connect on the replica for the database user "someuser"
    dbReadReplica.grantConnect(role, 'someuser');
  }
}
```

Running it produces the following template (abridged):

```yaml
Resources:
  ...
  ...
    Metadata:
      aws:cdk:path: CdktestStack/TestDBInstance/SecurityGroup/Resource
  TestDBInstanceSecret0BA9F4B5:
    Type: AWS::SecretsManager::Secret
    ...
  TestDBInstanceSecretAttachment19197643:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      ...
  TestDBInstance0686406D:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: "100"
      CopyTagsToSnapshot: true
      DBInstanceClass: db.m5.large
      DBSubnetGroupName:
        Ref: TestDBInstanceSubnetGroup5C562BBA
      Engine: postgres
      EngineVersion: "15.4"
      MasterUserPassword:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: TestDBInstanceSecret0BA9F4B5
            - :SecretString:password::}}
      MasterUsername:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: TestDBInstanceSecret0BA9F4B5
            - :SecretString:username::}}
      StorageType: gp2
      VPCSecurityGroups:
        - Fn::GetAtt:
            - TestDBInstanceSecurityGroup5CAD0C42
            - GroupId
    UpdateReplacePolicy: Snapshot
    DeletionPolicy: Snapshot
    Metadata:
      aws:cdk:path: CdktestStack/TestDBInstance/Resource
  TestDBReadReplicaSubnetGroupE39B8C4A:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      ...
  TestDBReadReplicaSecurityGroupC4105A64:
    Type: AWS::EC2::SecurityGroup
    Properties:
      ...
  TestDBReadReplicaEE06F740:
    Type: AWS::RDS::DBInstance
    Properties:
      CopyTagsToSnapshot: true
      DBInstanceClass: db.m5.large
      DBSubnetGroupName:
        Ref: TestDBReadReplicaSubnetGroupE39B8C4A
      EnableIAMDatabaseAuthentication: true
      SourceDBInstanceIdentifier:
        Fn::Join:
          - ""
          - - "arn:aws:rds:us-east-2:<<account-id-redacted>>:db:"
            - Ref: TestDBInstance0686406D
      StorageType: gp2
      VPCSecurityGroups:
        - Fn::GetAtt:
            - TestDBReadReplicaSecurityGroupC4105A64
            - GroupId
    UpdateReplacePolicy: Snapshot
    DeletionPolicy: Snapshot
    Metadata:
      aws:cdk:path: CdktestStack/TestDBReadReplica/Resource
  DBTestRole834396B2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::<<account-id-redacted>>:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: CdktestStack/DBTestRole/Resource
  DBTestRoleDefaultPolicy7501B762:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: rds-db:connect
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:rds-db:us-east-2:<<account-id-redacted>>:dbuser:"
                  - Fn::GetAtt:
                      - TestDBReadReplicaEE06F740
                      - DBInstanceArn
                  - /someuser
        Version: "2012-10-17"
      PolicyName: DBTestRoleDefaultPolicy7501B762
      Roles:
        - Ref: DBTestRole834396B2
  ...
```

The policy created after deployment:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-2:<<account-id-redacted>>:dbuser:arn:aws:rds:us-east-2:account-id-redacted:db:cdkteststack-testdbreadreplicaee06f740-dycl1vgyuydy/someuser",
      "Effect": "Allow"
    }
  ]
}
```

It should have created the policy with the correct resource format.
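Added example (not part of the issue and not aws-cdk code): a small check that flags an `rds-db:connect` statement whose Resource does not follow the `arn:<partition>:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>` form that IAM database authentication matches against, next to the builder for the correct ARN. The sample policy is the deployed one from above with a constructed account id in place of the redacted one; the `db-…` resource id is a made-up value of the kind `attrDbiResourceId` resolves to at deploy time, and the "`db-` plus upper-case alphanumerics" pattern is an assumption about that id's alphabet. A Resource that embeds a nested instance ARN can never equal the dbuser ARN of a real connection request, so the grant fails closed: the role ends up with no usable permission rather than an over-grant.

```typescript
// Added example, not aws-cdk code: validate the Resource of an rds-db:connect
// statement against the ARN form IAM database authentication expects,
//   arn:<partition>:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>
// and build the correct ARN from the DbiResourceId (what the workaround's
// attrDbiResourceId resolves to at deploy time).

interface PolicyStatement {
  Action: string | string[];
  Effect: 'Allow' | 'Deny';
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Assumption about the id alphabet: DbiResourceId is "db-" followed by
// upper-case letters and digits. A nested "arn:..." in that position fails.
const CONNECT_RESOURCE = /^arn:[a-z-]+:rds-db:[a-z0-9-]+:\d{12}:dbuser:(db-[A-Z0-9]+)\/([^/]+)$/;

function buildConnectResourceArn(
  partition: string, region: string, account: string,
  dbiResourceId: string, dbUser: string,
): string {
  return `arn:${partition}:rds-db:${region}:${account}:dbuser:${dbiResourceId}/${dbUser}`;
}

// Returns the parts of a well-formed connect resource, or undefined if it is malformed.
function parseConnectResource(resource: string): { dbiResourceId: string; dbUser: string } | undefined {
  const m = CONNECT_RESOURCE.exec(resource);
  return m ? { dbiResourceId: m[1], dbUser: m[2] } : undefined;
}

// Lists every Resource of an Allow rds-db:connect statement that IAM could
// never match against a real connection request. "*" is left alone: it is
// well-formed, just broader than grantConnect intends.
function findMalformedConnectResources(doc: PolicyDocument): string[] {
  const malformed: string[] = [];
  for (const st of doc.Statement) {
    const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
    if (st.Effect !== 'Allow' || !actions.some((a) => /^rds-db:(connect|\*)$/i.test(a))) continue;
    const resources = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    for (const r of resources) {
      if (r !== '*' && parseConnectResource(r) === undefined) malformed.push(r);
    }
  }
  return malformed;
}

// The policy the deployed stack produced, with a constructed account id
// (111122223333) in place of the redacted one.
const reportedPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Action: 'rds-db:connect',
    Resource: 'arn:aws:rds-db:us-east-2:111122223333:dbuser:arn:aws:rds:us-east-2:111122223333:db:cdkteststack-testdbreadreplicaee06f740-dycl1vgyuydy/someuser',
    Effect: 'Allow',
  }],
};

// What the statement should contain instead (constructed DbiResourceId).
const expectedResource = buildConnectResourceArn(
  'aws', 'us-east-2', '111122223333', 'db-ABCDEFGHIJKLMNOPQRSTUVWXY', 'someuser',
);

function main(): void {
  console.log('malformed:', findMalformedConnectResources(reportedPolicy));
  console.log('expected :', expectedResource);
}
main();
```

The same check can be run over the `PolicyDocument` of every `AWS::IAM::Policy` in a synthesized template once its `Fn::Join` values are resolved; at synth time the tell-tale sign is a `Fn::GetAtt` on `DBInstanceArn` where the `dbuser:` segment needs `DbiResourceId`.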
Comments on closed issues and PRs are hard for our team to see.
Describe the bug
Calling `grantConnect` on an instance of `DatabaseInstanceReadReplica` generates an incorrect policy that uses the full ARN of the instance instead of the `instanceResourceId` value.
Expected Behavior
Current Behavior
Reproduction Steps
Possible Solution
No response
Additional Information/Context
aws-cdk/packages/aws-cdk-lib/aws-rds/lib/instance.ts
Lines 201 to 206 in abc78bf
CDK CLI Version
2.150.0
Framework Version
2.150.0
Node.js Version
v20.14.0
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response