aws-cloudformation / aws-cloudformation-resource-providers-rds

The CloudFormation Resource Provider Package For Amazon Relational Database Service
https://aws.amazon.com/rds/
Apache License 2.0

Unable to update AWS::RDS::DBCluster tags | Conflict with AWS Backup #511

Open miguel-aws opened 5 months ago

miguel-aws commented 5 months ago

I am using AWS Backup to manage RDS cluster backups and using CDK to manage Aurora DB cluster.

I added a tag to the RDS Aurora DB cluster, but the stack fails with an AWS Backup conflict:

RDS cluster xyz is associated with the following AwsBackupRecoveryPointArn: arn:aws:backup:us-east-1:000000000000:recovery-point:continuous:cluster-fwqvlm34vzrxkdelm7stdduw6q-f50fc296. The BackupRetentionPeriod can be blank, or you can use the current value, 10. For more details, see the AWS Backup documentation. (Service: Rds, Status Code: 400, Request ID: 123)

AddTagsToResource should have been sufficient to add this tag; however, after looking in CloudTrail, the update handler invokes ModifyDBCluster with backupRetentionPeriod set to a default value of 1. Example:

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "ABC12345:AWSCloudFormation",
    "arn": "arn:aws:sts::000000000000:assumed-role/cdk-hnb659fds-cfn-exec-role-000000000000-us-east-1/AWSCloudFormation",
    "accountId": "000000000000",
    "accessKeyId": "ABC123",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "ABC123",
        "arn": "arn:aws:iam::000000000000:role/cdk-hnb659fds-cfn-exec-role-000000000000-us-east-1",
        "accountId": "000000000000",
        "userName": "cdk-hnb659fds-cfn-exec-role-000000000000-us-east-1"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2024-02-20T17:50:16Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "cloudformation.amazonaws.com"
  },
  "eventTime": "2024-02-20T17:50:16Z",
  "eventSource": "rds.amazonaws.com",
  "eventName": "ModifyDBCluster",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userAgent": "cloudformation.amazonaws.com",
  "errorCode": "InvalidParameterValueException",
  "errorMessage": "RDS cluster xyz is associated with the following AwsBackupRecoveryPointArn: arn:aws:backup:us-east-1:000000000000:recovery-point:continuous:cluster-fwqvlm34vzrxkdelm7stdduw6q-f50fc296. The BackupRetentionPeriod can be blank, or you can use the current value, 10. For more details, see the AWS Backup documentation.",
  "requestParameters": {
    "dBClusterIdentifier": "xyz",
    "applyImmediately": true,
    "backupRetentionPeriod": 1,
    "dBClusterParameterGroupName": "default.aurora-postgresql15",
    "cloudwatchLogsExportConfiguration": {
      "enableLogTypes": [],
      "disableLogTypes": []
    },
    "allowMajorVersionUpgrade": false,
    "copyTagsToSnapshot": true,
    "allowEngineModeChange": false
  },
  "responseElements": null,
  "requestID": "123",
  "eventID": "123",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "000000000000",
  "eventCategory": "Management"
}

I believe this mismatch is the cause of the issue.

The workaround is to set the retention period on the RDS cluster directly in the CDK app/CFN template:

backup: {
  retention: Duration.days(10),
}

  "DatabaseB269D8BB": {
    "Type": "AWS::RDS::DBCluster",
    "Properties": {
      "BackupRetentionPeriod": 10,

Can you take a look at this?
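As an added example (not code from this issue or from the resource provider), a small Python check that recognises the failure pattern described above in CloudTrail and flags template clusters whose BackupRetentionPeriod is missing or does not match the AWS Backup value. The sample event is constructed, modelled on the one quoted in the issue; the cluster name and ARN are placeholders.

```python
import json
import re

# Constructed sample CloudTrail event, modelled on the one quoted in this issue.
SAMPLE_EVENT = json.dumps({
    "eventSource": "rds.amazonaws.com",
    "eventName": "ModifyDBCluster",
    "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"},
    "errorCode": "InvalidParameterValueException",
    "errorMessage": (
        "RDS cluster xyz is associated with the following AwsBackupRecoveryPointArn: "
        "arn:aws:backup:us-east-1:000000000000:recovery-point:continuous:cluster-EXAMPLE. "
        "The BackupRetentionPeriod can be blank, or you can use the current value, 10. "
        "For more details, see the AWS Backup documentation."
    ),
    "requestParameters": {"dBClusterIdentifier": "xyz", "backupRetentionPeriod": 1},
})

# The service error states the retention value AWS Backup currently owns.
CURRENT_VALUE_RE = re.compile(r"use the current value, (\d+)")


def backup_conflict(event_json: str):
    """Return (cluster, requested, current) when a CloudFormation-initiated
    ModifyDBCluster was rejected because AWS Backup manages retention, else None."""
    ev = json.loads(event_json)
    if ev.get("eventSource") != "rds.amazonaws.com" or ev.get("eventName") != "ModifyDBCluster":
        return None
    if ev.get("userIdentity", {}).get("invokedBy") != "cloudformation.amazonaws.com":
        return None
    if ev.get("errorCode") != "InvalidParameterValueException":
        return None
    msg = ev.get("errorMessage", "")
    match = CURRENT_VALUE_RE.search(msg)
    if "AwsBackupRecoveryPointArn" not in msg or match is None:
        return None
    params = ev.get("requestParameters", {})
    return (params.get("dBClusterIdentifier"), params.get("backupRetentionPeriod"), int(match.group(1)))


def template_fix_needed(template: dict, current_retention: int):
    """Return logical IDs of AWS::RDS::DBCluster resources whose BackupRetentionPeriod
    is absent (the handler then sends the default, 1) or differs from the AWS Backup value."""
    flagged = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBCluster":
            continue
        if res.get("Properties", {}).get("BackupRetentionPeriod") != current_retention:
            flagged.append(logical_id)
    return flagged
```

Run backup_conflict over failed ModifyDBCluster events to surface clusters hitting this conflict, then feed the reported current value into template_fix_needed against the synthesized template before redeploying.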