Closed fanhongy closed 2 years ago
Current workaround is using an escape hatch to remove the property:
cfn_rds_instance = rds_instance.node.default_child
cfn_rds_instance.add_property_deletion_override('PubliclyAccessible')
This kind of issue will impact critical resources. Please fix this with higher priority.
There are two issues at play here:
Relevant code in 1.59.0:
Relevant code in 1.115.0:
As you can see, the new code applies a default that the old code did not. The new code should (probably?) not be applying that default, the VPC class has its own defaults.
'Twas @njlynch who changed this behavior in https://github.com/aws/aws-cdk/pull/10391. Looks to be an oversight, but who knows. Nick?
Comes from this line:
Not sure that I entirely agree with the logic: what if you didn't pass in PUBLIC by default, but selected a subnet that happens to be public by some other means? By name, by direct reference, or by defaulting through all the available subnet types? In those cases the flag WOULDN'T be flipped.
It's going to be slightly hard to change this logic though, especially since this flag apparently has implications for replacement of the instance. But it's making me slightly uncomfortable.
Feature was added by a random contributor: https://github.com/aws/aws-cdk/pull/12164
I'm in favor of changing the logic for both of these:
- The PRIVATE default: it should just be falling back to what Vpc does by default.
- publiclyAccessible based off of the actually selected subnets, not off of the declared selection mechanism (in fact selectedSubnets has a boolean flag indicating whether or not it matched public subnets).

However both of these fixes probably need to be gated behind feature flags that will REMAIN for CDKv2, as they are potentially backwards breaking (but need to be able to be flipped to old behavior).
In any case, @fanhongy, to unblock yourself you don't need to resort to overrides. You can just pass publicly_accessible=False to the constructor to switch it back off.
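A small Python model, added here and not CDK's own code, of the two ways to derive publiclyAccessible discussed above: from the declared subnet_type versus from the subnets that were actually selected. The Vpc layout, subnet groups and select_subnets helper are constructed stand-ins for the CDK classes, and the no-criteria fallback order in select_subnets is an assumption, not the library's real default.

```python
from dataclasses import dataclass
from enum import Enum

class SubnetType(Enum):
    PUBLIC = "Public"
    PRIVATE = "Private"

@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    group_name: str
    subnet_type: SubnetType

# Constructed sample VPC: a public "Ingress" group and a private "App" group.
VPC_SUBNETS = (
    Subnet("subnet-pub-a", "Ingress", SubnetType.PUBLIC),
    Subnet("subnet-pub-b", "Ingress", SubnetType.PUBLIC),
    Subnet("subnet-priv-a", "App", SubnetType.PRIVATE),
)

@dataclass(frozen=True)
class SelectedSubnets:
    subnets: tuple
    has_public: bool  # the flag the comment above says selectedSubnets carries

def select_subnets(subnet_type=None, subnet_group_name=None, subnets=None):
    """Resolve a selection the ways the thread lists: by type, by group name,
    or by direct reference. With no criteria, fall back to a VPC-style default
    (assumed here: private subnets if any exist, otherwise everything)."""
    if subnets is not None:
        chosen = tuple(subnets)
    elif subnet_group_name is not None:
        chosen = tuple(s for s in VPC_SUBNETS if s.group_name == subnet_group_name)
    elif subnet_type is not None:
        chosen = tuple(s for s in VPC_SUBNETS if s.subnet_type == subnet_type)
    else:
        private = tuple(s for s in VPC_SUBNETS if s.subnet_type == SubnetType.PRIVATE)
        chosen = private or VPC_SUBNETS
    return SelectedSubnets(chosen, any(s.subnet_type == SubnetType.PUBLIC for s in chosen))

def publicly_accessible_declared(subnet_type, explicit=None):
    """Logic criticised above: flip the flag only if PUBLIC was *declared*."""
    return explicit if explicit is not None else subnet_type == SubnetType.PUBLIC

def publicly_accessible_selected(selection, explicit=None):
    """Proposed logic: derive the flag from the subnets actually chosen,
    with an explicit publicly_accessible argument still winning."""
    return explicit if explicit is not None else selection.has_public
```

Selecting the public group by name gives has_public=True, which the declared-mechanism logic misses and the selected-subnets logic catches; an explicit publicly_accessible=False overrides either.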
To be honest, I cannot recall why I decided to default to private subnets here. Likely a security mentality of private === more secure than public, combined with an ignorance of the fact that the VPC class provides its own defaults. Agreed that unfortunately changing it now would require a feature flag.
I think the reason an override was added is that CFN triggers an update if PubliclyAccessible goes from unset to set, regardless of whether the set state is the same as the default state.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Having an issue after updating the CDK version from 1.59.0 -> 1.115.0. Previously, we defined the VPC with a public subnet only, and an RDS DB instance was created in the VPC. Script like below:
However, after updating the CDK to the most recent version, we found the RDS will be created in a private subnet if a vpc_subnets parameter is not specified. After adding vpc_subnets = {"subnet_type": ec2.SubnetType.PUBLIC} to the RDS DB instance construct, it automatically adds the PubliclyAccessible property to the CFN template, and that is causing the replacement.
Reproduction Steps
With the below code, the command cdk synth will generate the RDS DB instance with the property PubliclyAccessible; in the previous version this property is not present, and adding this property will cause the replacement.
What did you expect to happen?
The update of the CDK version should not cause critical resources, such as an RDS DB instance, to be replaced.
What actually happened?
The new version of CDK will try to add PubliclyAccessible as long as you set the subnet_group parameter in CDK.
Workaround
Environment
This is :bug: Bug Report