rds: Cannot create DatabaseCluster in PRIVATE_ISOLATED subnets #29256
Comments
As you didn't specify
(aws-cdk/packages/aws-cdk-lib/aws-rds/lib/cluster.ts, lines 578 to 583 in a21e429)
And the vpcSubnets will be determined here
which by default will filter the
With that being said, you should add props.vpcSubnets to specify your subnetType to select isolated subnets only. For example:

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

// `vpc` is the ec2.IVpc that holds the PRIVATE_ISOLATED subnets; it is defined elsewhere in the stack
const cluster = new rds.DatabaseCluster(this, 'Database', {
  engine: rds.DatabaseClusterEngine.auroraMysql({
    version: rds.AuroraMysqlEngineVersion.VER_3_05_2,
  }),
  storageEncrypted: true,
  // select the isolated subnets explicitly instead of relying on the default subnet selection
  vpcSubnets: {
    subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
  },
  writer: rds.ClusterInstance.provisioned('instance1', {
    instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.LARGE),
    publiclyAccessible: false,
  }),
  readers: [rds.ClusterInstance.provisioned('instance2', {
    instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.LARGE),
    publiclyAccessible: false,
  })],
  vpc,
});
```
Let me know if it works for you. |
Describe the bug
CDK TypeScript code to create an Aurora/MySQL database cluster fails `cdk diff` when the provided VPC contains only PRIVATE_ISOLATED subnets, but succeeds when the subnets are PRIVATE_WITH_EGRESS. See the provided code, lines 25 and 26 (also marked with "*******").

Expected Behavior
Expected behaviour is that `cdk diff` reports no errors and that a subsequent `cdk deploy` causes a database cluster to be created with no outbound Internet access.

Current Behavior
`cdk diff` produces the output below. Deployment is not possible.
Note: A client-identifying substring has been replaced by "xxx" in the above output.

Reproduction Steps
Assuming Linux, and that `npm`, `cdk` etc. are already installed:
Now copy the supplied code (see below) over `bin/rds_bug_minimal.ts`. Edit the account and region details on lines 11 and 12 (marked "FIX ME"), then:
This should SUCCEED and will not output any errors.
Now edit `bin/rds_bug_minimal.ts`. Comment out lines 21 and 25 and uncomment line 26 (these three lines are marked "******"), then try again:
This should FAIL and will output the error mentioned above (with different local paths of course).
Code follows. Note this is not quite minimal, in that it also contains the `natGateways` workaround line:

Possible Solution
Whatever check is performed that produces the given error message is (apparently) unnecessarily strict when `publiclyAccessible` is set to `false`, and is accepting only PRIVATE_WITH_EGRESS subnets. It should also accept PRIVATE_ISOLATED subnets.
A workaround in our CDK that seems to be working is to use PRIVATE_WITH_EGRESS, but set the `natGateways` property of the Vpc construct to zero.

Additional Information/Context
If the `publiclyAccessible` property is left undefined, the result with PRIVATE_ISOLATED subnets is identical.
My theory, on very little evidence, is that the validation code for the database cluster subnets simply does not know about the PRIVATE_ISOLATED subnet type.

CDK CLI Version
2.130.0 (build bd6e5ee)
Framework Version
2.130.0
Node.js Version
v18.17.1
OS
Linux
Language
TypeScript
Language Version
5.3.3
Other information
A search here for similar issues turned up this one, but it is from 2019 and doesn't seem to be quite the same issue:
#4828
There were apparently changes around the subnet type validation also in 2019, which predates the introduction of the PRIVATE_ISOLATED subnet type (I think).
#4668