elasticache: incorrect cloudformation synthensis when using aws_elasticache.CfnUser.AuthenticationModeProperty(type="iam")

[viralmdesai]

Describe the bug

cdk --version
2.121.1 (build d86bb1a)

When using AuthenticationModeProperty(type="iam"), the synthesized cloudformation is incorrect.

        auth_type = elasticache.CfnUser.AuthenticationModeProperty(type="iam")

        ec_user_iam_auth = aws_elasticache.CfnUser(self, "ec-user-1",
                                               engine= "redis",
                                               user_id="ec-user-1",
                                               user_name="ec-user-1",
                                               access_string="on ~* +@all",
                                               authentication_mode=auth_type)


        auth_type = aws_elasticache.CfnUser.AuthenticationModeProperty(type="iam")

Notice that the generated CloudFormation "type" in lower case for user properties...

"ecuser1": {
"Type": "AWS::ElastiCache::User",
"Properties": {
"AccessString": "on ~* +@ALL",
"AuthenticationMode": {
"type": "iam"
},
"Engine": "redis",
"UserId": "ec-user-1",
"UserName": "ec-user-1"
},

...

When using auth_type is JSON object, it generates the CloudFormation template correctly.

   auth_type = {"Type" : "iam"}
    ec_user_iam_auth = aws_elasticache.CfnUser(self, "ec-user-1",
                                           engine= "redis",
                                           user_id="ec-user-1",
                                           user_name="ec-user-1",
                                           access_string="on ~* +@all",
                                           authentication_mode=auth_type)

According an internal discussion, it appears that there is a bug here on how authenticationMode is defined.

It is

authenticationMode?: any | cdk.IResolvable;

Should it be

authenticationMode?: CfnUser.AuthenticationModeProperty | cdk.IResolvable;

?





### Expected Behavior

When using aws_elasticache.CfnUser.AuthenticationModeProperty(type="iam"), it should generate syntactically correct cloudformation template with "Type" : "iam" property in ElastiCache redis user.

### Current Behavior

When using aws_elasticache.CfnUser.AuthenticationModeProperty(type="iam"), it generates syntactically incorrect cloudformation template with "type" : "iam" property in ElastiCache redis user.

### Reproduction Steps

Please see the bug description

### Possible Solution

Interim solution until bug fix

   auth_type = {"Type" : "iam"}
    ec_user_iam_auth = aws_elasticache.CfnUser(self, "ec-user-1",
                                           engine= "redis",
                                           user_id="ec-user-1",
                                           user_name="ec-user-1",
                                           access_string="on ~* +@all",
                                           authentication_mode=auth_type)

May be bug fix is needed in how this is defined

authenticationMode?: any | cdk.IResolvable;

Should it be

authenticationMode?: CfnUser.AuthenticationModeProperty | cdk.IResolvable;

### Additional Information/Context

_No response_

### CDK CLI Version

cdk --version (2.121.1 (build d86bb1a))

### Framework Version

_No response_

### Node.js Version

node --version (v20.6.1)

### OS

macos sw_vers -productVersion  13.6.3

### Language

TypeScript, Python

### Language Version

_No response_

### Other information

Only tested in python

[pahud]

According to the document here, authentication_mode is type Any(not typed) and I believe you should pass a JSON object in this case.
https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticache/CfnUser.html

[viralmdesai]

@pahud - What is the purpose of having a Class in the same documentation? here: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticache/CfnUser.html#authenticationmodeproperty

class CfnUser.AuthenticationModeProperty(*, type, passwords=None)?

In other languages too this generates the class which results in incorrect Cloudformation as described in the case?

[Mateusz-Stasielowicz]

@pahud I faced the same issue but using Java with CDK 2.133.0.

In Java there is no simple solution like providing JSON object.

Is there a plan to fix this issue in the near future?

[nicobanderas]

@Mateusz-Stasielowicz I faced the same issue with Java CDK, as a workaround you could use a Map like:

CfnUser.Builder.create(scope, "MyId")
.userId("user-1")
.engine("redis")
.userName("user-1")
.accessString("on ~* +@all")
.authenticationMode(Map.of("Type", "iam"))
.build();

[pahud]

@Mateusz-Stasielowicz

Thank you. The doc for Java could be very confusing. I will bring this up to the team. Meanwhile, please try the workaround by @Mateusz-Stasielowicz and let me know if it works for you.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[dmarkowvw]

This still seems to be an issue in TypeScript
"aws-cdk": "2.151.0", "aws-cdk-lib": "2.151.0"