aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

DatabaseCluster(aws-rds): Using grantDataApiAccess method on imported cluster using DatabaseCluster.fromDatabaseClusterAttributes fails with the error: Cannot grant Data API access when the Data API is disabled #30676

Closed rahuldeverani closed 5 months ago

rahuldeverani commented 5 months ago

Describe the bug

If we want to add an AppSync data source and provide an RDS DB cluster as the serverlessCluster prop, it fails with the error: Cannot grant Data API access when the Data API is disabled

Expected Behavior

It should not fail during synth

Current Behavior

This seems to be occurring due to this: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L524, as the imported cluster (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L1065C16-L1065C39) will have enableDataApi set to false: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L983

Reproduction Steps

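    import * as appsync from 'aws-cdk-lib/aws-appsync';
    import { DatabaseCluster } from 'aws-cdk-lib/aws-rds';

    // Inside a Stack; api, dbSecretCredentials and dataSourceRole are defined elsewhere.
    // Import an existing cluster by identifier only.
    const dbCluster = DatabaseCluster.fromDatabaseClusterAttributes(this, 'dbcluster', {
      clusterIdentifier: '<identifier>',
    });

    // Synth fails here: the data source grants Data API access on the imported cluster.
    const rdsDataSource = new appsync.RdsDataSource(this, 'vehicledata-rds-datasource', {
      api,
      name: 'rdsDataSource',
      description: 'Vehicle Aurora serverless V2',
      secretStore: dbSecretCredentials,
      serverlessCluster: dbCluster,
      databaseName: '<>',
      serviceRole: dataSourceRole,
    });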

This also fails with this snippet:

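    import * as iam from 'aws-cdk-lib/aws-iam';
    import { DatabaseCluster } from 'aws-cdk-lib/aws-rds';

    // Import an existing cluster by identifier only.
    const dbCluster = DatabaseCluster.fromDatabaseClusterAttributes(this, 'dbcluster', {
      clusterIdentifier: '<>',
    });

    const consoleReadOnlyRole = new iam.Role(this, 'ConsoleReadOnlyRole', {
      assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
    });

    // Grant the grantee access to the Data API (this call throws the error above)
    dbCluster.grantDataApiAccess(consoleReadOnlyRole);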

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.138.0

Framework Version

No response

Node.js Version

v20.8.1

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

ashishdhingra commented 5 months ago

@rahuldeverani This doesn't appear to be an issue. Below are my findings:

After the Data API is enabled in the AWS console, we no longer get the mentioned error. So the validation check in the CDK package is in line with the behavior in the AWS console.

Please let me know if you are noticing a different behavior in the AWS console.

Thanks, Ashish
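
The guard discussed in this thread, as an added stand-alone model that is not code from the thread or from aws-cdk-lib: an imported cluster is treated as having the Data API disabled unless told otherwise, so the grant is refused instead of issuing IAM permissions for an API assumed to be off. The class name, the `dataApiEnabled` attribute, the `rds-data` action list and the sample account and identifier are assumptions made for illustration.

```typescript
// Simplified, stand-alone model of the check discussed in this issue.
// It does not import aws-cdk-lib; class and field names here are illustrative.
const DATA_API_ACTIONS = [
  'rds-data:BatchExecuteStatement',
  'rds-data:BeginTransaction',
  'rds-data:CommitTransaction',
  'rds-data:ExecuteStatement',
  'rds-data:RollbackTransaction',
];

interface ImportAttrs {
  clusterIdentifier: string;
  dataApiEnabled?: boolean; // assumption: optional attribute supplied at import time
}

interface Statement { Effect: 'Allow'; Action: string[]; Resource: string[] }

class ImportedClusterModel {
  readonly clusterArn: string;
  private readonly enableDataApi: boolean;

  constructor(attrs: ImportAttrs, region: string, account: string) {
    this.clusterArn = `arn:aws:rds:${region}:${account}:cluster:${attrs.clusterIdentifier}`;
    // An imported cluster is not inspected; unless the caller states otherwise,
    // the Data API is treated as disabled.
    this.enableDataApi = attrs.dataApiEnabled ?? false;
  }

  // Returns the statement a grant would attach, scoped to this one cluster.
  grantDataApiAccess(): Statement {
    if (!this.enableDataApi) {
      throw new Error('Cannot grant Data API access when the Data API is disabled');
    }
    return { Effect: 'Allow', Action: [...DATA_API_ACTIONS], Resource: [this.clusterArn] };
  }
}

// Constructed sample values (placeholder region, account and identifier).
function tryGrant(attrs: ImportAttrs): Statement | string {
  try {
    return new ImportedClusterModel(attrs, 'us-east-1', '111122223333').grantDataApiAccess();
  } catch (e) {
    return (e as Error).message;
  }
}

console.log(tryGrant({ clusterIdentifier: 'demo-cluster' }));
console.log(tryGrant({ clusterIdentifier: 'demo-cluster', dataApiEnabled: true }));
```

Declaring the Data API enabled at import time only changes what the model emits; the cluster itself must already have the Data API turned on for the granted statement to be usable.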

github-actions[bot] commented 5 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

aws-cdk-automation commented 4 months ago

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.