fix(rds): Correct ARN in IAM policy for IAM database access #25141
Conversation
github-actions
bot
added
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
akash1810
changed the title
|
Clarification Request. |
aws-cdk-automation
added
the
pr/reviewer-clarification-requested
| @@ -130,6 +147,7 @@ export abstract class DatabaseInstanceBase extends Resource implements IDatabase | |||
| public readonly instanceEndpoint = new Endpoint(attrs.instanceEndpointAddress, attrs.port); | |||
| public readonly engine = attrs.engine; | |||
| protected enableIamAuthentication = true; | |||
| public readonly instanceResourceId = attrs.instanceResourceId; | |||
There was a problem hiding this comment.
This is a new, required property. Is it a breaking change for fromDatabaseInstanceAttributes?
There was a problem hiding this comment.
This is a new, required property. Is it a breaking change for
fromDatabaseInstanceAttributes?
Ahh the AWS CodeBuild report suggests it is breaking:
err - IFACE aws-cdk-lib.aws_rds.DatabaseInstanceAttributes: newly required property 'instanceResourceId' added: input to aws-cdk-lib.aws_rds.DatabaseInstanceBase.fromDatabaseInstanceAttributes [strengthened:aws-cdk-lib.aws_rds.DatabaseInstanceAttributes]
Some packages seem to have undergone breaking API changes. Please avoid.
Advice on how to proceed welcomed 🙏🏽.
There was a problem hiding this comment.
I think you can change this to an optional property in IDatabaseInstance and DatabaseInstanceBase and fromDatabaseInstanceAttributes.
There was a problem hiding this comment.
I think you can change this to an optional property in
IDatabaseInstanceandDatabaseInstanceBaseandfromDatabaseInstanceAttributes.
Done in ce630ec.
I'm not a huge fan of this as it means one has to ensure the property is not undefined when accessing it, which adds bloat IMO:
const db = new DatabaseInstance();
const resourceId: string | undefined = db.instanceResourceId;
if (!resourceId) {
// unhappy path
}
else {
// happy path
}Alternatively, one can use non-null assertion, however I've worked in projects where this would produce a lint warning.
const db = new DatabaseInstance();
const resourceId: string = db.instanceResourceId!;Additionally, this being optional makes it the only optional property1. Not a problem in general, however might be an indication of not being desired?
Footnotes
-
enableIamAuthenticationdoesn't really count, as an optional boolean still has two values:true=true,false|undefined=false. ↩
There was a problem hiding this comment.
Yeah it's not great, but it's the only way to avoid breaking changes.
|
Exemption Request Unit tests have been updated, and an additional one added. Running the tests via |
aws-cdk-automation
added
the
pr-linter/exemption-requested
The IAM policy for IAM database access takes the form of: ``` arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name ``` Update the ARN used in `grantConnect` to this format. Additionally, update the signature of `grantConnect` to take an optional `dbUser`, which is defaulted to the master username of the database. This signature change also matches `grantConnect` in `DatabaseProxy`. See: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html - aws-cloudformation/cloudformation-coverage-roadmap#105
To avoid a breaking change, make `instanceResourceId` an optional prop.
corymhall
added
the
pr-linter/exempt-integ-test
Integration tests are now added in |
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@akash1810 you need to authorize modification on the head branch in order for mergify to merge this. |
Ah. Done that now. Thanks! Do I need to do anything to re-run mergify? |
|
@Mergifyio requeue |
✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically |
|
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
We are experiencing some issues after upgrading to v2.77.0 which I believe is due to this change. When using I think this happens due to the following new code: Perhaps this should be unsafeUnwrap instead of toString? |
|
Don't suppose there's any appetite to populate this property when fetching a database via FindDatabases()? There's no clear way defined to actually populate this property in this commit unless I'm missing something? The one comment in the docs about it being logged in CloudTrail doesn't feel like a sensible way to fetch the Id. |
The IAM policy for IAM database access takes the form of:
Following aws-cloudformation/cloudformation-coverage-roadmap#105, this change updates the ARN used in
grantConnectto this format.Additionally, update the signature of
grantConnectto take an optionaldbUser, which is defaulted to the master username of the database, obtained via the availableSecret.This signature change also matches
grantConnectinDatabaseProxy. See #12416.Closes #11851.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license