aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

(AWS::RDS::DBCluster) False-positive drift on GlobalClusterIdentifier #1857

Open dbayardAWS opened 9 months ago

dbayardAWS commented 9 months ago

Name of the resource

AWS::RDS::DBCluster

Resource Name

No response

Issue Description

In an Aurora Global Database setup, you need to specify the GlobalClusterIdentifier property when you create a secondary cluster in a secondary region.

However, the DBCluster CFN does not appear to know how to retrieve the current value of GlobalClusterIdentifier and thinks it is null, which causes Drift Detection on the secondary cluster to report that it is in drift.

The DBCluster CFN resource could either look up the current runtime value of GlobalClusterIdentifier by scanning through the output of rds describe-global-clusters to see if the cluster is listed, OR you could ignore the GlobalClusterIdentifier property when calculating drift detection.

Expected Behavior

As long as a DBCluster is still part of the same GlobalCluster setup, we do not expect that a stack which specified GlobalClusterIdentifier for the DBCluster should ever be marked as out of sync on an unchanged GlobalClusterIdentifier property.

Observed Behavior

The GlobalClusterIdentifier is marked as REMOVED during drift-detection.

    {
        "StackId": "arn:aws:cloudformation:us-west-2:946160804999:stack/aurora-globaldatabase/f7073ff0-8d58-11ee-8443-062ad8766bdf",
        "LogicalResourceId": "DBCluster",
        "PhysicalResourceId": "dbcluster02",
        "ResourceType": "AWS::RDS::DBCluster",
        "ExpectedProperties": "{\"StorageEncrypted\":false,\"EngineVersion\":\"15.4\",\"EngineMode\":\"provisioned\",\"VpcSecurityGroupIds\":[\"sg-046a9e37588646c17\"],\"Port\":5432,\"DBClusterIdentifier\":\"dbcluster02\",\"DBClusterParameterGroupName\":\"aurora-globaldatabase-dbclusterparametergroup-ivol3f9iexut\",\"DBSubnetGroupName\":\"aurora-globaldatabase-subnetgroup-uxtvdj6ao3hv\",\"DeletionProtection\":false,\"GlobalClusterIdentifier\":\"globaldbcluster\",\"Engine\":\"aurora-postgresql\"}",
        "ActualProperties": "{\"StorageEncrypted\":false,\"EngineVersion\":\"15.4\",\"EngineMode\":\"provisioned\",\"VpcSecurityGroupIds\":[\"sg-046a9e37588646c17\"],\"Port\":5432,\"DBClusterIdentifier\":\"dbcluster02\",\"DBClusterParameterGroupName\":\"aurora-globaldatabase-dbclusterparametergroup-ivol3f9iexut\",\"DBSubnetGroupName\":\"aurora-globaldatabase-subnetgroup-uxtvdj6ao3hv\",\"DeletionProtection\":false,\"Engine\":\"aurora-postgresql\"}",
        "PropertyDifferences": [
            {
                "PropertyPath": "/GlobalClusterIdentifier",
                "ExpectedValue": "globaldbcluster",
                "ActualValue": "null",
                "DifferenceType": "REMOVE"
            }
        ],
        "StackResourceDriftStatus": "MODIFIED",
        "Timestamp": "2023-11-27T19:45:20.553000+00:00"
    },

Test Cases

Create a Global Cluster setup using CFN with a primary in region1 and a secondary cluster in region2. After the secondary cluster is created, run a drift detection on the stack that created the secondary cluster. You will see that the GlobalClusterIdentifier property of the secondary cluster is marked as in DRIFT.

Other Details

No response
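The lookup the issue proposes (confirm membership via rds describe-global-clusters before trusting a REMOVE on /GlobalClusterIdentifier) can be done on the caller's side today as a triage step over the drift output. The script below is an added example written for this page; it is not code from the CloudFormation roadmap repository or from the issue author. It takes the parsed JSON of `aws cloudformation describe-stack-resource-drifts` and `aws rds describe-global-clusters` (both constructed inline here from the values shown in the issue, so it runs offline; dbcluster01, dbcluster03 and the second security group ID are invented), rebuilds the DBClusterArn from the StackId's region and account, and suppresses the GlobalClusterIdentifier REMOVE only when RDS still lists that ARN as a member. A cluster that was really detached out of band keeps its drift.

```python
"""Triage CloudFormation drift for AWS::RDS::DBCluster (added example, not
project code). Suppress the GlobalClusterIdentifier REMOVE false positive only
when RDS confirms the cluster is still a member of that global cluster.

Live inputs would come from (read-only IAM: cloudformation:DescribeStackResourceDrifts,
rds:DescribeGlobalClusters):
    aws cloudformation describe-stack-resource-drifts --stack-name <stack>
    aws rds describe-global-clusters
Both are constructed inline below so the script runs offline.
"""
import json


def cluster_arn_from_drift(drift):
    """Build the DBClusterArn for a drift record. PhysicalResourceId of a
    DBCluster is its DBClusterIdentifier, so region and account come from the
    StackId ARN: arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/ID."""
    _, _, _, region, account, _ = drift["StackId"].split(":", 5)
    return f"arn:aws:rds:{region}:{account}:cluster:{drift['PhysicalResourceId']}"


def global_cluster_members(global_clusters):
    """Map GlobalClusterIdentifier -> set of member DBClusterArn values."""
    return {
        gc["GlobalClusterIdentifier"]: {m["DBClusterArn"] for m in gc.get("GlobalClusterMembers", [])}
        for gc in global_clusters.get("GlobalClusters", [])
    }


def is_false_positive(diff, drift, members):
    """The pattern from the issue: expected value set, actual reported as null,
    yet RDS still lists this cluster under the expected global cluster."""
    if diff["PropertyPath"] != "/GlobalClusterIdentifier" or diff["DifferenceType"] != "REMOVE":
        return False
    return cluster_arn_from_drift(drift) in members.get(diff["ExpectedValue"], set())


def triage_drifts(drifts, global_clusters):
    """One record per drifted resource with false positives split out.
    MODIFIED is downgraded to IN_SYNC only when every difference was
    suppressed; any other status (e.g. DELETED) passes through unchanged."""
    members = global_cluster_members(global_clusters)
    report = []
    for drift in drifts:
        is_db_cluster = drift["ResourceType"] == "AWS::RDS::DBCluster"
        real, suppressed = [], []
        for d in drift.get("PropertyDifferences", []):
            (suppressed if is_db_cluster and is_false_positive(d, drift, members) else real).append(d)
        status = drift["StackResourceDriftStatus"]
        if status == "MODIFIED" and not real:
            status = "IN_SYNC"
        report.append({
            "LogicalResourceId": drift["LogicalResourceId"],
            "PhysicalResourceId": drift["PhysicalResourceId"],
            "ReportedStatus": drift["StackResourceDriftStatus"],
            "EffectiveStatus": status,
            "RealDifferences": real,
            "SuppressedDifferences": suppressed,
        })
    return report


# Constructed sample input. StackId, account, dbcluster02, globaldbcluster and
# sg-046a9e37588646c17 are taken from the issue; the rest is invented.
STACK_ID = ("arn:aws:cloudformation:us-west-2:946160804999:stack/"
            "aurora-globaldatabase/f7073ff0-8d58-11ee-8443-062ad8766bdf")
GCI_REMOVE = {"PropertyPath": "/GlobalClusterIdentifier", "ExpectedValue": "globaldbcluster",
              "ActualValue": "null", "DifferenceType": "REMOVE"}

SAMPLE_DRIFTS = [
    # The secondary cluster from the issue: still attached, so a false positive.
    {"StackId": STACK_ID, "LogicalResourceId": "DBCluster", "PhysicalResourceId": "dbcluster02",
     "ResourceType": "AWS::RDS::DBCluster", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [dict(GCI_REMOVE)]},
    # Invented: a cluster detached from the global cluster out of band, plus a
    # security-group swap. Both differences are real drift and must survive.
    {"StackId": STACK_ID, "LogicalResourceId": "DetachedCluster", "PhysicalResourceId": "dbcluster03",
     "ResourceType": "AWS::RDS::DBCluster", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [dict(GCI_REMOVE),
                             {"PropertyPath": "/VpcSecurityGroupIds/0", "ExpectedValue": "sg-046a9e37588646c17",
                              "ActualValue": "sg-0000000000000000a", "DifferenceType": "NOT_EQUAL"}]},
]

SAMPLE_GLOBAL_CLUSTERS = {"GlobalClusters": [{
    "GlobalClusterIdentifier": "globaldbcluster", "Engine": "aurora-postgresql",
    "GlobalClusterMembers": [
        {"DBClusterArn": "arn:aws:rds:us-east-1:946160804999:cluster:dbcluster01", "IsWriter": True},
        {"DBClusterArn": "arn:aws:rds:us-west-2:946160804999:cluster:dbcluster02", "IsWriter": False},
    ]}]}

if __name__ == "__main__":
    print(json.dumps(triage_drifts(SAMPLE_DRIFTS, SAMPLE_GLOBAL_CLUSTERS), indent=2))
```

This is a reporting-side workaround: the stack itself still shows MODIFIED in the console, and the membership check is what keeps the workaround honest. Without it, blanket-ignoring /GlobalClusterIdentifier would also hide a cluster that someone removed from the global database outside CloudFormation, which is exactly the kind of out-of-band change drift detection exists to surface.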