-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dynamodb: Replication regions are incompatible with resource policies in TableV2 #30705
Comments
Thank you for the report. It makes sense to me. We will discuss with @LeeroyHannigan about it. Before that, we probably can work it around using export class DummyStack extends Stack {
readonly cluster: rds.DatabaseCluster;
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const policy = new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
actions: ['dynamodb:GetItem'],
principals: [new iam.AccountRootPrincipal()],
resources: ['*'],
}),
],
});
const table = new ddb.TableV2(this, 'Table', {
pointInTimeRecovery: true,
partitionKey: {
name: 'key',
type: ddb.AttributeType.STRING,
},
tableName: 'MyTable',
replicas: [{ region: 'us-west-1', }, { region: 'us-west-2', resourcePolicy: undefined }],
resourcePolicy: policy,
});
const cfnglobaltable = table.node.defaultChild as ddb.CfnGlobalTable
cfnglobaltable.addPropertyDeletionOverride('Replicas.1.ResourcePolicy');
}
} We welcome PRs. |
Comments on closed issues and PRs are hard for our team to see. |
1 similar comment
Comments on closed issues and PRs are hard for our team to see. |
Describe the bug
As stated in the AWS documentation for resource policies, we cannot create a replica and add a resource policy to that replica in the same stack update.
This means every time we want to add a new replication region in the CDK we need to somehow not add the resource policy to that new region for the initial deployment. TableV2 allows us to customize each replica, including whether or not we want a resource policy, but it too eagerly adds the resource policy under TableV2 construct and we are unable to override it with an
undefined
to not include any resourcePolicy.Expected Behavior
When adding a new replica region that specifies an undefined resource policy, TableV2 should not add the resource policy defined within it's construct.
Current Behavior
TableV2 eagerly adds the resource policy to all replicas, even when specifying it should be undefined, and the deployment fails. The only way to add a new replica without adding a resource policy is to first deploy a stack update that creates the new replica and removes the resource policy from all other replicas. Then following up with a second stack update that re-adds the resource policy to all replicas. This means between the first and second update none of the tables will have a resource policy attached.
Reproduction Steps
Using a TableV2 WITHOUT replicas, but WITH the resource policy and this works
If I then try to deploy WITH a replica (us-east-1) and WITH a resource policy, it fails due same stack update error
When I delete the stack and restart and try to deploy WITH a replica (us-east-1) but WITHOUT the resource policy, this succeeds
When I then add the resource policy WITHOUT adding a new replica region, this works and the resource policy is added to both the table in us-west-2 and us-east-1
But when I then try to add another region (us-east-2), it then fails with the same stack update error
If I try to override the resourcePolicy in the new replica to not include one, TableV2 still adds
tablePolicyDocument
to it in the CFN template and the deployment fails with the same stack update errorI've so far been able to work around this by using the L1 escape hatch with
CfnGlobalTable
and manually specifying each replica and selectively adding the resource policy to each replica.Possible Solution
The easiest solution is to update this line from:
to
and require all replicas to manually include a resourcePolicy if one is desired.
Ideally, the construct could allow
null
and whennull
is specified in a specific replica, no resourcePolicy is added to that replica even when one is defined in the TableV2 itselfAdditional Information/Context
No response
CDK CLI Version
2.136.0
Framework Version
No response
Node.js Version
v18.18.2
OS
Linux
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: