aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-rds: Imported Database Cluster cannot grant data API access #31116

Open TonySherman opened 1 month ago

TonySherman commented 1 month ago

Describe the bug

I am having the same issue as #30676 that was previously closed.

I am looking up an RDS Database Cluster to use as an AppSync datasource. The RDS Cluster does have Data API enabled and I can add it as a datasource in the AppSync console; however, when I add the RDS datasource via CDK, I get the error: RuntimeError: Error: Cannot grant Data API access when the Data API is disabled

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

I should be able to add an RDS datasource to an AppSync API by using the fromDatabaseClusterAttributes function.

Current Behavior

Error is thrown: RuntimeError: Error: Cannot grant Data API access when the Data API is disabled

Reproduction Steps


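from aws_cdk import aws_rds

# look up cluster (runs inside a Stack, so `self` is the construct scope)
cluster = aws_rds.DatabaseCluster.from_database_cluster_attributes(
    self,
    'cluster',
    cluster_identifier='my-cluster',
)

# add cluster as AppSync datasource
# (graph_api and my_secret are defined elsewhere in the stack)
graph_api.add_rds_datasource(
    'rds-datasource',
    serverless_cluster=cluster,
    secret_store=my_secret,
)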

Possible Solution

No response

Additional Information/Context

#30676 explains this issue very well and what is causing it.

CDK CLI Version

2.151.0 (build b8289e2)

Framework Version

No response

Node.js Version

v18.17.1

OS

MacOS

Language

Python

Language Version

Python 3.9

Other information

No response

TonySherman commented 1 month ago

@rahuldeverani curious if you were able to resolve this issue or how you worked around it (referring to #30676).

TonySherman commented 1 month ago

I was able to deploy an RDS datasource by using aws_appsync.CfnDataSource and creating a role manually with the Data API permissions.
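A sketch of the two policy documents such a manually created role needs, as an added example that is not part of the original thread or of aws-cdk. The action lists, function names and sample ARNs are this example's assumptions; the builder refuses wildcard resources so the role stays scoped to one cluster and one secret.

```python
import json
import re

# IAM actions of the RDS Data API (service prefix "rds-data"); list chosen for this example.
DATA_API_ACTIONS = [
    "rds-data:BatchExecuteStatement",
    "rds-data:BeginTransaction",
    "rds-data:CommitTransaction",
    "rds-data:ExecuteStatement",
    "rds-data:RollbackTransaction",
]
SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]

_CLUSTER_ARN = re.compile(r"^arn:aws[\w-]*:rds:[a-z0-9-]+:\d{12}:cluster:[A-Za-z0-9-]+$")
_SECRET_ARN = re.compile(r"^arn:aws[\w-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*?\s]+$")


def appsync_trust_policy():
    """Trust policy letting only the AppSync service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def data_api_policy(cluster_arn, secret_arn):
    """Permissions policy scoped to one cluster and one secret; rejects wildcards."""
    if not _CLUSTER_ARN.match(cluster_arn):
        raise ValueError(f"not a concrete RDS cluster ARN: {cluster_arn!r}")
    if not _SECRET_ARN.match(secret_arn):
        raise ValueError(f"not a concrete secret ARN: {secret_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": DATA_API_ACTIONS, "Resource": cluster_arn},
            {"Effect": "Allow", "Action": SECRET_READ_ACTIONS, "Resource": secret_arn},
        ],
    }


if __name__ == "__main__":
    # Constructed sample ARNs (account id and names are placeholders).
    print(json.dumps(data_api_policy(
        "arn:aws:rds:us-east-1:123456789012:cluster:my-cluster",
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-AbCdEf"), indent=2))
```

In a CDK app the returned dicts can be loaded with aws_iam.PolicyDocument.from_json when building the role whose ARN is passed to CfnDataSource as service_role_arn.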

TonySherman commented 1 month ago

I've created an example repo to reproduce the issue that I'm seeing: https://github.com/TonySherman/cdk-rds-appsync-example/tree/main

xanderhades commented 1 month ago

@ashishdhingra I'm having the same problem

The details in the previous GitHub issue seem to be a good lead

This seems to be occurring due to this: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L524 as the imported cluster: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L1065C16-L1065C39 will have enableDataApi set as false: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L983

ashishdhingra commented 1 month ago

Reproducible. DatabaseCluster.fromDatabaseClusterAttributes() returns a new instance of ImportedDatabaseCluster. It doesn't appear to make any context lookup calls similar to what is mentioned at Context methods. So unsure whether DatabaseCluster.fromDatabaseClusterAttributes() could effectively be used for this scenario.

TonySherman commented 1 month ago

@kwwendt was able to provide another method of importing a cluster by using rds.ServerlessCluster.from_serverless_cluster_attributes. So it's possible this issue could be closed; however, a lot of the AppSync RDS datasource examples use rds.ServerlessCluster as the example datasource. Maybe those should be updated?