aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-cdk-lib.aws-rds.DatabaseCluster: Unable to add security group to RDS cluster #25763

Open ttaka66 opened 1 year ago

ttaka66 commented 1 year ago

Describe the bug

I want to add a security group to all instances within the RDS cluster that was created with the CDK. It seems to be similar to #17684.

I tried to write the code below in TypeScript.

import { SecurityGroup } from 'aws-cdk-lib/aws-ec2';
import { DatabaseCluster } from 'aws-cdk-lib/aws-rds';

const cluster = new DatabaseCluster(...);
const newSg = new SecurityGroup(...);
cluster.connections.addSecurityGroup(newSg);

The RDS instances within the cluster didn't have newSg.

In addition, I tried to get each instance within the cluster so that I could give each one the security group. But it seems that the DatabaseCluster class doesn't have a method to get the instances. Is there a good way to add security groups to the RDS cluster later?

Expected Behavior

The RDS cluster (named cluster in the example above) can add a security group (named newSg in the example above) to its instances.

Current Behavior

The RDS cluster (named cluster in the example above) can't add a security group (named newSg in the example above) to its instances.

Reproduction Steps

Install CDK

npm install aws-cdk-lib@2.81.0 aws-cdk@2.81.0

Create the app

mkdir additional-sg
cd additional-sg
../node_modules/.bin/cdk init app --language typescript

Copy and paste the code below into lib/additional-sg-stack.ts

import * as cdk from 'aws-cdk-lib';
import {
  InstanceClass,
  InstanceSize,
  InstanceType,
  SecurityGroup,
  SubnetType,
  Vpc,
} from 'aws-cdk-lib/aws-ec2';
import {
  AuroraMysqlEngineVersion,
  Credentials,
  DatabaseCluster,
  DatabaseClusterEngine,
} from 'aws-cdk-lib/aws-rds';

export class AdditionalSgStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new Vpc(this, 'adsg-vpc', {
      cidr: '10.90.0.0/16',
      maxAzs: 2,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'adsg-public',
          subnetType: SubnetType.PUBLIC,
        },
        {
          cidrMask: 24,
          name: 'adsg-private',
          subnetType: SubnetType.PRIVATE_WITH_EGRESS,
        },
      ],
    });

    const sg = new SecurityGroup(this, 'adsg-security-group', {
      vpc: vpc,
      allowAllOutbound: true,
      securityGroupName: 'adsg-sg',
    });

    const cluster = new DatabaseCluster(this, 'adsg-database-cluster', {
      engine: DatabaseClusterEngine.auroraMysql({
        version: AuroraMysqlEngineVersion.VER_3_02_1,
      }),
      credentials: Credentials.fromPassword(
        'you',
        cdk.SecretValue.unsafePlainText('yourpassword'),
      ),
      instances: 1,
      instanceProps: {
        instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.MEDIUM),
        vpc: vpc,
        securityGroups: [sg],
      },
      defaultDatabaseName: 'adsgdb',
    });

    const newSg = new SecurityGroup(this, 'adsg-new-security-group', {
      vpc: vpc,
      securityGroupName: 'new-adsg-sg',
    });

    cluster.connections.addSecurityGroup(newSg);
  }
}

const app = new cdk.App();
new AdditionalSgStack(app, 'AdditionalSgStack');
app.synth();

Bootstrap

../node_modules/.bin/cdk bootstrap aws://YOUR-ACCOUNT-NUMBER/REGION --profile YOUR-AWS-PROFILE --qualifier sandbox999

Add the @aws-cdk/core:bootstrapQualifier context below to cdk.json.

{
  ...
  "context": {
    ...
    "@aws-cdk/core:bootstrapQualifier": "sandbox999"
    ...
  }
  ...
}

Deploy the stack

../node_modules/.bin/cdk deploy --profile YOUR-AWS-PROFILE

You can see that the RDS instance whose name contains adsgdb has only the security group named adsg-sg. But I expect the RDS instance to have two security groups (adsg-sg and new-adsg-sg).

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.81.0

Framework Version

No response

Node.js Version

v18.11.0

OS

macOS 13.4

Language

Typescript

Language Version

TypeScript (5.0.4)

Other information

No response

pahud commented 1 year ago

I believe this is because of how it is implemented here, unless it is rendered with a Lazy class, I guess.

Before we refactor its implementation, the easiest way is just to update your cluster's securityGroups prop as:

securityGroups: [sg, newSg],
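As an added example (not code from the issue author, from pahud, or from aws-cdk), the following TypeScript runs over the CloudFormation template that `cdk synth` writes to cdk.out and reports which expected security groups the Aurora cluster never references, which is exactly how the symptom in this issue shows up in the rendered output. The template embedded in the block is a constructed, trimmed stand-in for the real synthesized JSON, and its logical IDs are illustrative.

```typescript
// Added example (not from the issue or aws-cdk): scan the template that `cdk synth` writes to
// cdk.out and report expected security groups the Aurora cluster never references.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Collect logical IDs referenced via { Ref } or { "Fn::GetAtt": [id, attr] } anywhere in a value.
function referencedLogicalIds(value: unknown, acc: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const v of value) referencedLogicalIds(v, acc);
  } else if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const getAtt = obj['Fn::GetAtt'];
    if (typeof obj.Ref === 'string') acc.push(obj.Ref);
    else if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') acc.push(getAtt[0]);
    else for (const k of Object.keys(obj)) referencedLogicalIds(obj[k], acc);
  }
  return acc;
}

// Security group logical IDs attached to each AWS::RDS::DBCluster, keyed by cluster logical ID.
function clusterSecurityGroups(template: CfnTemplate): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type === 'AWS::RDS::DBCluster') {
      out[id] = referencedLogicalIds(res.Properties?.VpcSecurityGroupIds ?? []);
    }
  }
  return out;
}

// Expected groups the cluster does not reference; empty means the template matches intent.
function missingSecurityGroups(template: CfnTemplate, clusterId: string, expected: string[]): string[] {
  const attached = clusterSecurityGroups(template)[clusterId] ?? [];
  return expected.filter((sg) => attached.indexOf(sg) === -1);
}

// Constructed, trimmed stand-in for the issue's synthesized stack. Logical IDs are
// illustrative; real CDK output appends a hash to each construct ID.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    adsgsecuritygroupAAAA: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupName: 'adsg-sg' } },
    adsgnewsecuritygroupBBBB: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupName: 'new-adsg-sg' } },
    adsgdatabaseclusterCCCC: {
      Type: 'AWS::RDS::DBCluster',
      // Only the group passed through instanceProps.securityGroups reached the template.
      Properties: { VpcSecurityGroupIds: [{ 'Fn::GetAtt': ['adsgsecuritygroupAAAA', 'GroupId'] }] },
    },
  },
};
```

In a CDK unit test the same object is available as `Template.fromStack(stack).toJSON()` from aws-cdk-lib/assertions, so this check can run before anything is deployed.
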

github-actions[bot] commented 1 year ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

ttaka66 commented 1 year ago

@pahud Thank you for your reply. Are you saying that the feature that lets us add security groups later will be implemented in the future?