(aws-rds): grantConnect generates incorrect policy for DatabaseInstanceReadReplica

[moltar]

Describe the bug

Calling grantConnect on an instance of DatabaseInstanceReadReplica generates an incorrect policy that uses the full ARN of the instance instead of the instanceResourceId value.

Expected Behavior

{
    "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:db-INSTANCE_RESOURCE_ID/user",
    "Effect": "Allow"
}

Current Behavior

{
    "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:arn:aws:rds:us-east-1:1234567890:db:instance-name-wq2y5qzlfdy6/user",
    "Effect": "Allow"
}

Reproduction Steps

1. Create a read replica
2. Call grantConnect on it

Possible Solution

No response

Additional Information/Context

aws-cdk/packages/aws-cdk-lib/aws-rds/lib/instance.ts

Lines 201 to 206 in abc78bf

	Stack.of(this).formatArn({
	arnFormat: ArnFormat.COLON_RESOURCE_NAME,
	service: 'rds-db',
	resource: 'dbuser',
	resourceName: [this.instanceResourceId, dbUser].join('/'),
	}),

CDK CLI Version

2.150.0

Framework Version

2.150.0

Node.js Version

v20.14.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

[moltar]

I think the culprit is here:

aws-cdk/packages/aws-cdk-lib/aws-rds/lib/instance.ts

Line 1369 in abc78bf

this.instanceResourceId = instance.attrDbInstanceArn;

[moltar]

It was added as part of this PR:

https://github.com/aws/aws-cdk/pull/25141/files#diff-8b2a963b0382d6266fde393a3491fcc8ae2a38e9bbc4a2d6803b088257dd54ecR1324

[moltar]

I confirmed by applying this workaround.

Add this code to the end of the stack for a temporary fix.

    for (const node of this.node.findAll()) {
      if (node instanceof DatabaseInstanceReadReplica && node.node.defaultChild instanceof CfnDBInstance) {
        Object.assign(node, {
          instanceResourceId: node.node.defaultChild.attrDbiResourceId,
        } satisfies Partial<DatabaseInstanceReadReplica>);
      }
    }

[ashishdhingra]

Reproducible using below code:

import * as iam from 'aws-cdk-lib/aws-iam';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib';
import * as rds from 'aws-cdk-lib/aws-rds';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'myVpc');
    
    const sourceInstance = new rds.DatabaseInstance(this, 'TestDBInstance', {
      engine: rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_15_4 }),
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),
      vpc,
    });

    const dbReadReplica = new rds.DatabaseInstanceReadReplica(this, 'TestDBReadReplica', {
      sourceDatabaseInstance: sourceInstance,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),
      vpc,
    });

    const role = new iam.Role(this, 'DBTestRole', {assumedBy: new iam.AccountPrincipal(this.account)});
    dbReadReplica.grantConnect(role, 'someuser');
  }
}

Running cdk synth generates the below CloudFormation template:

Resources:
...
...
    Metadata:
      aws:cdk:path: CdktestStack/TestDBInstance/SecurityGroup/Resource
  TestDBInstanceSecret0BA9F4B5:
    Type: AWS::SecretsManager::Secret
...
  TestDBInstanceSecretAttachment19197643:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
...
  TestDBInstance0686406D:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: "100"
      CopyTagsToSnapshot: true
      DBInstanceClass: db.m5.large
      DBSubnetGroupName:
        Ref: TestDBInstanceSubnetGroup5C562BBA
      Engine: postgres
      EngineVersion: "15.4"
      MasterUserPassword:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: TestDBInstanceSecret0BA9F4B5
            - :SecretString:password::}}
      MasterUsername:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: TestDBInstanceSecret0BA9F4B5
            - :SecretString:username::}}
      StorageType: gp2
      VPCSecurityGroups:
        - Fn::GetAtt:
            - TestDBInstanceSecurityGroup5CAD0C42
            - GroupId
    UpdateReplacePolicy: Snapshot
    DeletionPolicy: Snapshot
    Metadata:
      aws:cdk:path: CdktestStack/TestDBInstance/Resource
  TestDBReadReplicaSubnetGroupE39B8C4A:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
...
  TestDBReadReplicaSecurityGroupC4105A64:
    Type: AWS::EC2::SecurityGroup
    Properties:
...
  TestDBReadReplicaEE06F740:
    Type: AWS::RDS::DBInstance
    Properties:
      CopyTagsToSnapshot: true
      DBInstanceClass: db.m5.large
      DBSubnetGroupName:
        Ref: TestDBReadReplicaSubnetGroupE39B8C4A
      EnableIAMDatabaseAuthentication: true
      SourceDBInstanceIdentifier:
        Fn::Join:
          - ""
          - - "arn:aws:rds:us-east-2:<<account-id-redacted>>:db:"
            - Ref: TestDBInstance0686406D
      StorageType: gp2
      VPCSecurityGroups:
        - Fn::GetAtt:
            - TestDBReadReplicaSecurityGroupC4105A64
            - GroupId
    UpdateReplacePolicy: Snapshot
    DeletionPolicy: Snapshot
    Metadata:
      aws:cdk:path: CdktestStack/TestDBReadReplica/Resource
  DBTestRole834396B2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::<<account-id-redacted>>:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: CdktestStack/DBTestRole/Resource
  DBTestRoleDefaultPolicy7501B762:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: rds-db:connect
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:rds-db:us-east-2:<<account-id-redacted>>:dbuser:"
                  - Fn::GetAtt:
                      - TestDBReadReplicaEE06F740
                      - DBInstanceArn
                  - /someuser
        Version: "2012-10-17"
      PolicyName: DBTestRoleDefaultPolicy7501B762
      Roles:
        - Ref: DBTestRole834396B2
...

Running cdk deploy creates the DB instance and Read replica, and attached the below policy to the specified DB Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:us-east-2:<<account-id-redacted>>:dbuser:arn:aws:rds:us-east-2:account-id-redacted:db:cdkteststack-testdbreadreplicaee06f740-dycl1vgyuydy/someuser",
            "Effect": "Allow"
        }
    ]
}

It should have created policy with correct resource format arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name per Creating and using an IAM policy for IAM database access.