rds: AuroraClusterInstance ignores publiclyAccessible set to false when cluster is placed in public subnet #28037

Closed
juanheyns opened this issue Nov 16, 2023 · 3 comments · Fixed by #28038
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. effort/medium Medium work item – several days of effort p2

@juanheyns

Describe the bug

Even though publiclyAccessible is set to false, the value is ignored if the cluster is placed in a public subnet.

There are legitimate cases where a cluster could be placed in a public subnet, but it still should not have a public IP address.

```ts
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

declare const scope: cdk.IResource;
declare const vpc: ec2.IVpc;

const cluster = new rds.DatabaseCluster(scope, 'Resource', {
  clusterIdentifier: 'cluster-one',
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_04_0 }),
  writer: rds.ClusterInstance.serverlessV2('writer', {
    instanceIdentifier: 'writer-instance',
    publiclyAccessible: false, // explicitly requested: no public IP
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      instanceIdentifier: 'reader-instance',
      publiclyAccessible: false, // explicitly requested: no public IP
    }),
  ],
  vpc,
  // The cluster is deliberately placed in public subnets
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
  },
});
```

Expected Behavior

The publiclyAccessible attribute should be honored if it is set, even if it is false.

Current Behavior

If the vpc and the vpcSubnets.subnetType are set to PUBLIC, it ignores the value provided in the publiclyAccessible attribute.

The documentation does not specify that it will be ignored.

Reproduction Steps

```ts
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

declare const scope: cdk.IResource;
declare const vpc: ec2.IVpc;

const cluster = new rds.DatabaseCluster(scope, 'Resource', {
  clusterIdentifier: 'cluster-one',
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_04_0 }),
  writer: rds.ClusterInstance.serverlessV2('writer', {
    instanceIdentifier: 'writer-instance',
    publiclyAccessible: false, // explicitly requested: no public IP
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      instanceIdentifier: 'reader-instance',
      publiclyAccessible: false, // explicitly requested: no public IP
    }),
  ],
  vpc,
  // The cluster is deliberately placed in public subnets
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
  },
});
```

Possible Solution

Check if the publiclyAccessible attribute is NOT undefined, then set the value based on the vpc and vpc subnets.

Additional Information/Context

No response

CDK CLI Version

2.108.1

Framework Version

2.108.1

Node.js Version

18.18.2

OS

macOS 14.0 (23A344)

Language

TypeScript

Language Version

TypeScript (4.9.5)

Other information

No response

@juanheyns juanheyns added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 16, 2023
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Nov 16, 2023
@pahud
pahud commented Nov 16, 2023

Makes sense. Thank you for your report. We'll review the PR when it's ready.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 16, 2023
@juanheyns
@pahud PR ready for review

@mergify mergify bot closed this as completed in #28038 Dec 7, 2023
mergify bot pushed a commit that referenced this issue Dec 7, 2023
… cluster is placed in a public subnet (#28038)

This change fixes the incorrect behavior as explained in #28037. 

Using null coalescing operator in TypeScript will use the original value of `publiclyAccessible` set on the `ServerlessV2ClusterInstanceProps`.

Closes #28037.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
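
The unset-versus-false distinction behind this fix, as an added example that is not part of the issue thread or of aws-cdk's source: it contrasts `??` with `||` when resolving the flag, then audits a synthesized template for `AWS::RDS::DBInstance` resources that are not explicitly private. The function names and the sample template are hypothetical and constructed for illustration.

```typescript
// Added illustration; not code from aws-cdk. All names here are hypothetical.

// Fall back to the subnet-derived default only when the caller gave no value.
function resolvePubliclyAccessible(explicit: boolean | undefined, subnetsArePublic: boolean): boolean {
  return explicit ?? subnetsArePublic;
}

// Contrast: `||` treats an explicit `false` as unset, so the subnet-derived
// default silently wins, which is the symptom the issue reports.
function resolveTreatingFalseAsUnset(explicit: boolean | undefined, subnetsArePublic: boolean): boolean {
  return explicit || subnetsArePublic;
}

interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }

// Audit a synthesized template: list the logical IDs of every
// AWS::RDS::DBInstance whose PubliclyAccessible is not explicitly false.
// An unset value is flagged too, because it leaves the decision to defaults.
function findNotExplicitlyPrivate(template: CfnTemplate): string[] {
  return Object.entries(template.Resources)
    .filter(([, res]) => res.Type === 'AWS::RDS::DBInstance')
    .filter(([, res]) => res.Properties?.['PubliclyAccessible'] !== false)
    .map(([id]) => id)
    .sort();
}

// Constructed sample template (not real synth output).
const sampleTemplate: CfnTemplate = {
  Resources: {
    Subnets: { Type: 'AWS::RDS::DBSubnetGroup', Properties: { SubnetIds: ['subnet-public-a'] } },
    Writer: { Type: 'AWS::RDS::DBInstance', Properties: { DBClusterIdentifier: 'cluster-one', PubliclyAccessible: true } },
    Reader: { Type: 'AWS::RDS::DBInstance', Properties: { DBClusterIdentifier: 'cluster-one', PubliclyAccessible: false } },
    Legacy: { Type: 'AWS::RDS::DBInstance', Properties: { DBClusterIdentifier: 'cluster-one' } },
  },
};

console.log(findNotExplicitlyPrivate(sampleTemplate));
```

A check like `findNotExplicitlyPrivate` can run in CI against the JSON emitted by `cdk synth`, so a regression in how the flag is resolved shows up before deployment.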