Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977
Comments
@ozggumus-aws Good afternoon. Please suggest if you are getting any error when synthesizing your CDK code.

Using the below CDK code (for demonstration purposes only):

```ts
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as redshiftserverless from 'aws-cdk-lib/aws-redshiftserverless';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as secretmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as kms from 'aws-cdk-lib/aws-kms';

export class Issue29977RedshiftStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Two-AZ VPC; the default subnet configuration yields 'Public' and 'Private' subnet groups.
    const vpc = new ec2.Vpc(this, 'RedshiftVPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
      maxAzs: 2,
    });

    const redshiftserverlessSecurityGroup = new ec2.SecurityGroup(this, 'RedshiftServerlessSecurityGroup', {
      vpc: vpc,
    });

    // Admin credentials are generated in Secrets Manager. The synthesized template
    // only carries a {{resolve:secretsmanager:...}} dynamic reference, never the plaintext.
    const redshiftserverlessAdminSecret = new secretmanager.Secret(this, 'RedshiftserverlessAdminSecret', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: 'admin' }),
        generateStringKey: 'password',
        excludeCharacters: '/@"\\\'',
        passwordLength: 32,
      },
    });

    const redshiftserverlessKmsKey = new kms.Key(this, 'RedshiftserverlessKmsKey', {
      enabled: true,
      enableKeyRotation: true,
    });

    // IAM role attached to the namespace as its default role.
    const redshiftserverlessNamespaceRole = new iam.Role(this, 'RedshiftServerlessNamespaceRole', {
      assumedBy: new iam.CompositePrincipal(
        new iam.ServicePrincipal('sagemaker.amazonaws.com'),
        new iam.ServicePrincipal('redshift.amazonaws.com'),
        new iam.ServicePrincipal('redshift-serverless.amazonaws.com'),
      ),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonRedshiftAllCommandsFullAccess'),
      ],
    });
    redshiftserverlessNamespaceRole.addToPolicy(
      new iam.PolicyStatement({
        actions: [
          's3:GetObject',
          's3:GetBucketAcl',
        ],
        effect: iam.Effect.ALLOW,
        resources: [
          'arn:aws:s3:::redshift/*',
          'arn:aws:s3:::redshift',
        ],
      }),
    );

    const cfnNamespace = new redshiftserverless.CfnNamespace(this, 'RedshiftServerlessNamespace', {
      namespaceName: 'default',
      adminUsername: redshiftserverlessAdminSecret.secretValueFromJson('username').unsafeUnwrap(),
      adminUserPassword: redshiftserverlessAdminSecret.secretValueFromJson('password').unsafeUnwrap(),
      dbName: 'dev',
      defaultIamRoleArn: redshiftserverlessNamespaceRole.roleArn,
      iamRoles: [redshiftserverlessNamespaceRole.roleArn],
      kmsKeyId: redshiftserverlessKmsKey.keyId,
      logExports: ['userlog', 'connectionlog', 'useractivitylog'],
    });

    const cfnWorkgroup = new redshiftserverless.CfnWorkgroup(this, 'Workgroup', {
      workgroupName: 'workgroupName',
      // the properties below are optional
      baseCapacity: 32,
      configParameters: [{
        parameterKey: 'parameterKey',
        parameterValue: 'parameterValue',
      }],
      enhancedVpcRouting: true,
      maxCapacity: 32,
      namespaceName: cfnNamespace.namespaceName,
      // port: 123,
      publiclyAccessible: false,
      securityGroupIds: [redshiftserverlessSecurityGroup.securityGroupId],
      subnetIds: vpc.selectSubnets({ subnetGroupName: 'Private' }).subnetIds,
    });

    const vpcEndpointProperty: redshiftserverless.CfnWorkgroup.VpcEndpointProperty = {
      networkInterfaces: [{
        subnetId: 'subnet-XXXXX', // can be changed later
      }],
      vpcId: vpc.vpcId,
    };
    // addOverride() with a path that does not start with 'Properties.' writes at the
    // resource root, so 'Endpoint' lands next to Properties/DependsOn in the synthesized
    // template (see the output below), not under Properties.
    cfnWorkgroup.addOverride('Endpoint.VpcEndpoints', [vpcEndpointProperty]);
    cfnWorkgroup.addDependency(cfnNamespace);
  }
}
```

Running:

```yaml
Resources:
  ...
  ...
  RedshiftServerlessNamespace:
    Type: AWS::RedshiftServerless::Namespace
    Properties:
      AdminUserPassword:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: RedshiftserverlessAdminSecret20CA274D
            - :SecretString:password::}}
      AdminUsername:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: RedshiftserverlessAdminSecret20CA274D
            - :SecretString:username::}}
      DbName: dev
      DefaultIamRoleArn:
        Fn::GetAtt:
          - RedshiftServerlessNamespaceRole433DCFA2
          - Arn
      IamRoles:
        - Fn::GetAtt:
            - RedshiftServerlessNamespaceRole433DCFA2
            - Arn
      KmsKeyId:
        Ref: RedshiftserverlessKmsKeyAB9F3897
      LogExports:
        - userlog
        - connectionlog
        - useractivitylog
      NamespaceName: default
    Metadata:
      aws:cdk:path: Issue29977RedshiftStack/RedshiftServerlessNamespace
  Workgroup:
    Type: AWS::RedshiftServerless::Workgroup
    Properties:
      BaseCapacity: 32
      ConfigParameters:
        - ParameterKey: parameterKey
          ParameterValue: parameterValue
      EnhancedVpcRouting: true
      MaxCapacity: 32
      NamespaceName: default
      PubliclyAccessible: false
      SecurityGroupIds:
        - Fn::GetAtt:
            - RedshiftServerlessSecurityGroup47F26F9E
            - GroupId
      SubnetIds:
        - Ref: RedshiftVPCPrivateSubnet1Subnet5DDEC5B3
        - Ref: RedshiftVPCPrivateSubnet2Subnet520D5025
      WorkgroupName: workgroupName
    DependsOn:
      - RedshiftServerlessNamespace
    Metadata:
      aws:cdk:path: Issue29977RedshiftStack/Workgroup
    Endpoint:
      VpcEndpoints:
        - networkInterfaces:
            - subnetId: subnet-XXXXX
            - subnetId: test
          vpcId:
            Ref: RedshiftVPCA4DF34BB
  ...
  ...
```

Thanks,
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Internal tracking: P127889658
@ozggumus-aws Good morning. I got an update from the CDK team. From the CloudFormation perspective, to create Redshift-managed VPC endpoints, the property EnhancedVpcRouting needs to be set. When this is true, the resource type will create the VPC resource for the Redshift Workgroup in the back-end; in other words, this is not something that can be explicitly specified and configured with a CloudFormation template. With EnhancedVpcRouting set to

Thanks,
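As an added example (not code from the issue, the CDK team, or aws-cdk-lib): a post-synth check in TypeScript that a practitioner can run over the JSON form of a synthesized template (for example the output of `cdk synth --json`, or `Template.fromStack(stack).toJSON()` from `aws-cdk-lib/assertions`). It ties the two comments above together: it flags any key placed at the resource root that is not a CloudFormation resource attribute, which is what `addOverride('Endpoint.VpcEndpoints', ...)` without a `Properties.` prefix produces in the template shown earlier (Endpoint is a read-only return attribute of the workgroup, not a settable property), and it enforces the network-exposure settings a private workgroup should carry: `PubliclyAccessible` explicitly false, at least one security group and subnet, and `EnhancedVpcRouting` true, since per the update above that is what drives creation of the Redshift-managed VPC endpoints. The `checkWorkgroups` function, the `Finding` shape, the rule names and the sample template are this example's own; the sample is constructed to mirror the synthesized Workgroup above.

```typescript
// Added example (not from the issue, the CDK team, or aws-cdk-lib): a post-synth
// check for AWS::RedshiftServerless::Workgroup resources in a CloudFormation
// template, given in JSON form (cdk synth --json, or Template.toJSON() from
// aws-cdk-lib/assertions). Rule names, the Finding shape and the sample
// template below are this example's own.

type CfnResource = {
  Type: string;
  Properties?: Record<string, unknown>;
  [attribute: string]: unknown;
};

type CfnTemplate = { Resources: Record<string, CfnResource> };

export interface Finding {
  logicalId: string;
  rule: string;
  detail: string;
}

// The only keys CloudFormation accepts at the resource level. Anything else here,
// such as the "Endpoint" block that addOverride('Endpoint.VpcEndpoints', ...)
// writes next to Properties, is a template error: Endpoint is a read-only
// return attribute of the workgroup (Fn::GetAtt Workgroup.Endpoint.VpcEndpoints),
// not a settable property.
const RESOURCE_ATTRIBUTES = new Set([
  'Type', 'Properties', 'DependsOn', 'Metadata', 'Condition',
  'DeletionPolicy', 'UpdateReplacePolicy', 'CreationPolicy', 'UpdatePolicy',
]);

export function checkWorkgroups(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const report = (logicalId: string, rule: string, detail: string): void => {
    findings.push({ logicalId, rule, detail });
  };

  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== 'AWS::RedshiftServerless::Workgroup') continue;
    const props = resource.Properties ?? {};

    // Misplaced overrides: keys at the resource root that CloudFormation does not know.
    for (const key of Object.keys(resource)) {
      if (!RESOURCE_ATTRIBUTES.has(key)) {
        report(logicalId, 'unknown-resource-attribute',
          `"${key}" is not a CloudFormation resource attribute; a property override must use "Properties.${key}"`);
      }
    }

    // Network exposure: the workgroup should only be reachable inside the VPC.
    if (props.PubliclyAccessible !== false) {
      report(logicalId, 'publicly-accessible', 'PubliclyAccessible must be explicitly false');
    }
    if (props.EnhancedVpcRouting !== true) {
      report(logicalId, 'enhanced-vpc-routing-off',
        'EnhancedVpcRouting must be true; Redshift-managed VPC endpoints are created only in that mode');
    }
    const securityGroups = props.SecurityGroupIds;
    if (!Array.isArray(securityGroups) || securityGroups.length === 0) {
      report(logicalId, 'no-security-groups', 'SecurityGroupIds must list at least one security group');
    }
    const subnets = props.SubnetIds;
    if (!Array.isArray(subnets) || subnets.length === 0) {
      report(logicalId, 'no-subnets', 'SubnetIds must list the private subnets the workgroup attaches to');
    }
  }
  return findings;
}

// Constructed sample mirroring the synthesized Workgroup shown earlier, with the
// Endpoint override left at the resource root so the check fires on it.
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    RedshiftServerlessNamespace: {
      Type: 'AWS::RedshiftServerless::Namespace',
      Properties: { NamespaceName: 'default', DbName: 'dev' },
    },
    Workgroup: {
      Type: 'AWS::RedshiftServerless::Workgroup',
      Properties: {
        EnhancedVpcRouting: true,
        NamespaceName: 'default',
        PubliclyAccessible: false,
        SecurityGroupIds: [{ 'Fn::GetAtt': ['RedshiftServerlessSecurityGroup47F26F9E', 'GroupId'] }],
        SubnetIds: [
          { Ref: 'RedshiftVPCPrivateSubnet1Subnet5DDEC5B3' },
          { Ref: 'RedshiftVPCPrivateSubnet2Subnet520D5025' },
        ],
        WorkgroupName: 'workgroupName',
      },
      DependsOn: ['RedshiftServerlessNamespace'],
      Endpoint: {
        VpcEndpoints: [{ networkInterfaces: [{ subnetId: 'subnet-XXXXX' }], vpcId: { Ref: 'RedshiftVPCA4DF34BB' } }],
      },
    },
  },
};

// Usage: print the findings and return a process-style status (1 when anything was flagged).
export function main(): number {
  const findings = checkWorkgroups(SAMPLE_TEMPLATE);
  for (const f of findings) console.log(`${f.logicalId}: [${f.rule}] ${f.detail}`);
  return findings.length === 0 ? 0 : 1;
}

main();
```

On the sample, the only finding is the misplaced `Endpoint` key on `Workgroup`; the Namespace resource is skipped because the check is scoped to the workgroup type. Wiring `checkWorkgroups` into a CDK unit test against `Template.fromStack(stack).toJSON()` catches an override that would otherwise only fail at deploy time.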
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug
I am trying to create Redshift-managed VPC endpoints in a Redshift Serverless workgroup in TypeScript, but this does not seem to be supported with CDK.
Expected Behavior
CfnWorkgroup construct should have a construct prop where we can assign interface VpcEndpointProperty.
Current Behavior
The CfnWorkgroup class (construct) doesn't have the necessary prop, so we can't create a Redshift-managed VPC endpoint using CDK in TypeScript.
Reproduction Steps
Possible Solution
A construct prop for the VpcEndpointProperty interface.
Additional Information/Context
No response
CDK CLI Version
2.139.0
Framework Version
No response
Node.js Version
v21.3.0
OS
14.4.1
Language
TypeScript
Language Version
No response
Other information
No response