fix(rds): fixed the IAM policy that grantConnect() generates for DatabaseInstanceReadReplica #31068
Conversation
…baseInstanceReadReplica
github-actions
bot
added
bug
ashishdhingra
force-pushed
the
DatabaseInstanceReadReplica-GrantRead-Fix
branch
from
e821569
to
4b8b0d5
Compare
aws-cdk-automation
added
the
pr/needs-community-review
| @@ -1366,7 +1366,7 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements | |||
| this.instanceIdentifier = instance.ref; | |||
| this.dbInstanceEndpointAddress = instance.attrEndpointAddress; | |||
| this.dbInstanceEndpointPort = instance.attrEndpointPort; | |||
| this.instanceResourceId = instance.attrDbInstanceArn; | |||
There was a problem hiding this comment.
I am afraid that this can be a breaking change to customers. I know that we assigned a wrong value, but may be there are some customers that use this property to get the DB Instance Arn and use it some how. So, my recommendation is to deprecate this property, and to add a new property for the instance resource id, and use it in grant method, and also check where else we use the current property.
There was a problem hiding this comment.
@moelasmar Thanks for your review comment. Would creating a feature flag (example #29794) be the recommended approach instead of adding a new property? Please advise.
There was a problem hiding this comment.
I think the feature flag here will not fix the problem, as the flag default value will be false (to avoid breaking customers), so the policy will still referring to the wrong replica instance id. So, I do not prefer feature flag, it add a lot of confusion on us when we write code, so we can use this property in similar cases assuming that we are using the correct property, but because the feature flag is disabled, this may cause more issues for customers.
I prefer to go with deprecation, and adding new property.
There was a problem hiding this comment.
@moelasmar Thanks for your review comment. I have added a commit to:
- Deprecate
instanceResourceIdproperty and add newinstanceResourceIdV2property inDatabaseInstanceReadReplica. - Added a copy of
grantConnect()inDatabaseInstanceReadReplicathat makes use ofinstanceResourceIdV2.
Please review.
Thanks,
Ashish
There was a problem hiding this comment.
Thanks @ashishdhingra for resolving my comment, and sorry for late response.
I actually, did a deeper check, and I found that I missed that the property instanceResourceId is actually exist in the Interface IDatabaseInstance so, adding a new property will actually break the idea of that interface, and also deprecating this property is not a good idea.
So, I think it is better to make this change under feature flag, and to enable the feature flag by default, and the customers who want to keep the current behaviour, they can disable the flag.
There was a problem hiding this comment.
I pushed some updates to this change to add the feature flag. Could you please take a look.
There was a problem hiding this comment.
Looks good reviewing at high level. Needs review from the maintainer.
aws-cdk-automation
removed
the
pr/needs-community-review
amazon-codecatalyst
bot
force-pushed
the
DatabaseInstanceReadReplica-GrantRead-Fix
branch
from
4b8b0d5
to
ad7c2de
Compare
ashishdhingra
force-pushed
the
DatabaseInstanceReadReplica-GrantRead-Fix
branch
from
ad7c2de
to
113ab2a
Compare
mergify
bot
dismissed
moelasmar’s stale review
Pull request has been modified.
…ceResourceIdV2 property in DatabaseInstanceReadReplica to use in grantConnect().
amazon-codecatalyst
bot
force-pushed
the
DatabaseInstanceReadReplica-GrantRead-Fix
branch
from
ced2113
to
4d0239a
Compare
aws-cdk-automation
added
the
pr/needs-community-review
ashishdhingra
added
pr/needs-maintainer-review
…InstanceReadReplica-GrantRead-Fix # Conflicts: # packages/@aws-cdk/cx-api/FEATURE_FLAGS.md # packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md # packages/aws-cdk-lib/cx-api/README.md # packages/aws-cdk-lib/cx-api/lib/features.ts # packages/aws-cdk-lib/cx-api/test/features.test.ts
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| @@ -73,6 +73,7 @@ Flags come in three types: | |||
| | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) | | |||
| | [@aws-cdk/aws-s3:keepNotificationInImportedBucket](#aws-cdkaws-s3keepnotificationinimportedbucket) | When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack. | 2.155.0 | (fix) | | |||
| | [@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask](#aws-cdkaws-stepfunctions-tasksusenews3uriparametersforbedrockinvokemodeltask) | When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model. | V2NEXT | (fix) | | |||
| | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-rds-setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | V2NEXT | (fix) | | |||
There was a problem hiding this comment.
| | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-rds-setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | V2NEXT | (fix) | | |
| | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-rds-setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | V2NEXT | (fix) | |
| | ----- |---------|-------------| | ||
| | (not in v1) | | | | ||
| | V2NEXT | `true` | `true` | |
There was a problem hiding this comment.
The spacing on some of these seem off, was it manually generated or auto generated by running the build?
There was a problem hiding this comment.
it seems while I merged the conflicts I messed up these files, let me rerun the build and see if it will fix it
| | Since | Default | Recommended | | ||
| | ----- | ----- | ----- | | ||
| | (not in v1) | | | | ||
| | V2NEXT | `true` | `true` | |
There was a problem hiding this comment.
Do we want this to be true by default? Would that not break customers?
There was a problem hiding this comment.
my idea was which behaviour should I keep, shall I keep the wrong behaviour, or should I fix it. I chose to fix the wrong behaviour with an option to let people keep the current one. But, honestly you have a point, it is a breaking change
There was a problem hiding this comment.
I will change it to false.
Issue # (if applicable)
Closes #31061.
Reason for this change
Calling
grantConnect()on an instance ofDatabaseInstanceReadReplicagenerates an incorrect policy that uses the full ARN of the instance instead of the instanceResourceId value. It should have created policy with correct resource formatarn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-nameper Creating and using an IAM policy for IAM database access.Description of changes
Fixed the IAM policy that
grantConnect()generates forDatabaseInstanceReadReplica. The change correctly sets the value ofinstanceResourceIdto replica instanceattrDbiResourceId. The value ofinstanceResourceIdis used to generate IAM policy.Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license