(rds): IDatabaseCluster connections allowfrom does not work or does not fail
When referencing a database cluster exported from another stack, adding access with security groups did not work as expected.
Reproduction Steps
(in java) In one stack
    DatabaseCluster db = new DatabaseCluster(this, "db", DatabaseClusterProps.builder()
            .defaultDatabaseName("shared")
            .engine(DatabaseClusterEngine.AURORA_MYSQL)
            .instanceProps(InstanceProps.builder()
                    .vpc(vpc) // Shared IVPC
                    .vpcSubnets(subnets) // SubnetSelection here, shared between stacks
                    .instanceType(InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.SMALL))
                    .build())
            .build());

    CfnOutput.Builder.create(this, "dbref")
            .exportName("SharedDB")
            .value(db.getClusterIdentifier())
            .build();
In another stack
    SecurityGroup sg = new SecurityGroup(this, "sg", SecurityGroupProps.builder()
            .securityGroupName("App sg")
            .vpc(vpc) // an IVPC shared between stacks
            .allowAllOutbound(true)
            .build());

    IDatabaseCluster db = DatabaseCluster.fromDatabaseClusterAttributes(this, "db", DatabaseClusterAttributes.builder()
            .clusterIdentifier(Fn.importValue("SharedDB"))
            .build());

    db.getConnections().allowFrom(sg, Port.tcp(3306), "MySQL Access for app");
What did you expect to happen?
I either expect it to work, or to fail: saying more is needed in the IDatabaseCluster, or that the API getConnections allowFrom is not available with an IDatabaseCluster.
This functionality works for a shared load balancer, so I would expect it to be possible with an AWS::EC2::SecurityGroupIngress.
What actually happened?
There is no output in the synth stage containing “MySQL Access for app”, and there is no error.
Environment
- CDK CLI Version : 1.78.0
- Framework Version: 1.78.0
- Node.js Version: v15.4.0
- OS : Mac OS X 10.15.7
- Language (Version): Java
Other
N/A
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:6 (2 by maintainers)
Top GitHub Comments
After some more experimentation, I find that by exporting the security group from the DB
and then importing
the allowFrom function works.
Perhaps a desirable result is that when the list is empty, an error occurs.
@skinny85 I have the same issue. Has it been fixed? I would like to import an RDS Serverless Cluster and add an inbound rule to its Security Group.
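The workaround described in the first comment above, written out as an added example (not code from the issue or from the CDK project): export the cluster's security group ID next to its identifier, import both, and refuse to call `allowFrom` when the imported cluster carries no security groups. The helper class `SharedDbAccess`, the export name `SharedDBSecurityGroup` and the construct IDs `dbsgref` and `dbsg` are assumptions; CDK v1 package names are used to match the reported 1.78.0.

```java
import java.util.Collections;
import java.util.List;
import software.amazon.awscdk.core.CfnOutput;
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Fn;
import software.amazon.awscdk.services.ec2.ISecurityGroup;
import software.amazon.awscdk.services.ec2.Port;
import software.amazon.awscdk.services.ec2.SecurityGroup;
import software.amazon.awscdk.services.rds.DatabaseCluster;
import software.amazon.awscdk.services.rds.DatabaseClusterAttributes;
import software.amazon.awscdk.services.rds.IDatabaseCluster;

// Hypothetical helper class; not part of the CDK or of the original report.
final class SharedDbAccess {
    static final String SG_EXPORT = "SharedDBSecurityGroup"; // assumed export name

    // Owning stack: export the security group ID next to the "SharedDB" identifier.
    // This example handles the single-group case only.
    static void exportSecurityGroup(Construct dbStack, DatabaseCluster db) {
        List<ISecurityGroup> groups = db.getConnections().getSecurityGroups();
        if (groups.size() != 1) {
            throw new IllegalStateException("expected exactly one cluster security group");
        }
        CfnOutput.Builder.create(dbStack, "dbsgref")
                .exportName(SG_EXPORT)
                .value(groups.get(0).getSecurityGroupId())
                .build();
    }

    // Consuming stack: import the identifier and the security group together.
    static IDatabaseCluster importCluster(Construct appStack) {
        ISecurityGroup dbSg = SecurityGroup.fromSecurityGroupId(
                appStack, "dbsg", Fn.importValue(SG_EXPORT));
        return DatabaseCluster.fromDatabaseClusterAttributes(appStack, "db",
                DatabaseClusterAttributes.builder()
                        .clusterIdentifier(Fn.importValue("SharedDB"))
                        .securityGroups(Collections.singletonList(dbSg))
                        .build());
    }

    // Fail at synth time instead of silently emitting no ingress rule.
    static void allowMySqlFrom(IDatabaseCluster db, ISecurityGroup appSg) {
        if (db.getConnections().getSecurityGroups().isEmpty()) {
            throw new IllegalStateException(
                    "imported cluster has no security groups; allowFrom would add no rule");
        }
        db.getConnections().allowFrom(appSg, Port.tcp(3306), "MySQL Access for app");
    }
}
```

In the consuming stack, `SharedDbAccess.allowMySqlFrom(SharedDbAccess.importCluster(this), sg)` takes the place of the `fromDatabaseClusterAttributes` and `allowFrom` calls shown in the report.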