(aws-rds): Cannot add both export and import bucket policies to rds cluster #16757
Comments
jfrconley
added
bug
github-actions
bot
added
the
@aws-cdk/aws-rds
|
Hey @jfrconley, thanks for opening the issue. You're right, I can reproduce your error reliably with the following code: const vpc = new ec2.Vpc(this, 'VPC', {
maxAzs: 2,
natGateways: 1,
subnetConfiguration: [
{
name: 'rds',
subnetType: ec2.SubnetType.PUBLIC,
},
],
});
const instance = new rds.DatabaseInstance(this, 'Instance', {
vpc,
vpcSubnets: {
subnetType: ec2.SubnetType.PUBLIC,
},
engine: rds.DatabaseInstanceEngine.postgres({
version: rds.PostgresEngineVersion.VER_11_12,
}),
instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
multiAz: false,
publiclyAccessible: true,
iamAuthentication: true,
s3ExportBuckets: [new s3.Bucket(this, 'ExportBucket', { removalPolicy: cdk.RemovalPolicy.DESTROY })],
s3ImportBuckets: [new s3.Bucket(this, 'ImportBucket', { removalPolicy: cdk.RemovalPolicy.DESTROY })],
});I wonder what's the problem here... could it be that Postgres version I don't see what can CDK be doing wrong here, and the error message is also weird, TBH... |
|
Interestingly, commenting out the Let me try now with the reverse setup (commenting out |
|
Yep, that also worked! This is crazy. So only when they're both present, does it fail! Could this be some bug in either the RDS API, or in the RDS CloudFormation API...? |
|
This is what I encountered as well, it only seems to fail if both are present. It seems like it's trying to apply both policies at the same time, but RDS has some kind of a processing period that it needs between them. Is there a way that policies can be added as separate resources in cdk? I bet if I added an explicit dependency between the policies it would work. |
|
Hmm, this is interesting - the CDK actually re-uses the same Role for both the import and export features! Here's the resulting CloudFormation template after synthesizing the code in #16757 (comment): {
"Resources": {
"InstanceC1063A87": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": "db.t3.micro",
"AllocatedStorage": "100",
"AssociatedRoles": [
{
"FeatureName": "s3Import",
"RoleArn": {
"Fn::GetAtt": [
"InstanceS3ImportRole30959D06",
"Arn"
]
}
},
{
"FeatureName": "s3Export",
"RoleArn": {
"Fn::GetAtt": [
"InstanceS3ImportRole30959D06",
"Arn"
]
}
}
],
// ...
},
},
"InstanceS3ImportRole30959D06": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "RdsDbInstanceStack/Instance/S3ImportRole/Resource"
}
},
"InstanceS3ImportRoleDefaultPolicy297F292A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ImportBucketBAF3A8E9",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ImportBucketBAF3A8E9",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ExportBucket4E99310E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ExportBucket4E99310E",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "InstanceS3ImportRoleDefaultPolicy297F292A",
"Roles": [
{
"Ref": "InstanceS3ImportRole30959D06"
}
]
},
"Metadata": {
"aws:cdk:path": "RdsDbInstanceStack/Instance/S3ImportRole/DefaultPolicy/Resource"
}
},
}
}@jfrconley so do you think adding a |
peterwoodworth
removed
the
needs-triage
|
Based on that cloudformation, I would almost think this was a cloudformation bug. It seems like there isn't a way to add roles separately from the top level RDS resource so adding a dependency wouldn't fix it. The error we get back seems to indicate that an update is being applied during an unready state for the instance, so the actual execution of the CF would need to change. |
|
Yep, I agree. |
|
After talking directly with AWS support about the generated cloudformation, it appears that the issue is actually that cdk uses the same policy for both import and export. Essentially, RDS does not allow attaching the same policy twice even when it is given different purposes. This is a bug in CDK and can be fixed by simply keeping the generated policies separate. |
|
Hmm, that's kind of insane - why would the number of Policies matter? 🙂 I feel like the RDS service is doing something weird here. However, I'm open to changing the implementation here to use multiple policies. |
|
Interesting... our code contains the following comment: Looks like this is not actually true 🙂. |
…ployment Our CDK code was assuming that all instance engines that support S3 imports & exports must use the same Role for both functionalities. However, it turns out that's true only for Oracle and SQL Server, but not for Postgres - in fact, Postgres has the exact opposite requirement, and will fail deployment if the same Role is used for both. Change our code to only use a single Role if the engine is Oracle or SQL Server. Fixes aws#16757
skinny85
added
effort/small
…ployment (#17060) Our CDK code was assuming that all instance engines that support S3 imports & exports must use the same Role if both functions are enabled at the same time. However, it turns out that's true only for Oracle and SQL Server, but not for Postgres - in fact, Postgres has the exact opposite requirement, and will fail deployment if the same Role is used for both. Change our code to only use a single Role if the engine is Oracle or SQL Server. Fixes #16757 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…ployment (aws#17060) Our CDK code was assuming that all instance engines that support S3 imports & exports must use the same Role if both functions are enabled at the same time. However, it turns out that's true only for Oracle and SQL Server, but not for Postgres - in fact, Postgres has the exact opposite requirement, and will fail deployment if the same Role is used for both. Change our code to only use a single Role if the engine is Oracle or SQL Server. Fixes aws#16757 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I am trying to add both import and export bucket policies to my RDS cluster. Everything compiles and builds correctly, but when I deploy I get the following error message:
It seems like it's trying to add both roles at once and the second one is failing.
Reproduction Steps
Create any RDS instance and add both an import and export bucket policy.
What did you expect to happen?
Both policies should be added
What actually happened?
Stack deploy fails and rollsback with neither added.
Environment
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: