Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(rds): IDatabaseCluster connections allowfrom does not work or does not fail
See original GitHub issueWhen referencing a database cluster exported from another stack, adding access with security groups did not work as expected.
Reproduction Steps
(in java) In one stack
DatabaseCluster db = new DatabaseCluster(this, "db", DatabaseClusterProps.builder()
.defaultDatabaseName("shared")
.engine(DatabaseClusterEngine.AURORA_MYSQL)
.instanceProps(InstanceProps.builder()
.vpc(vpc) // Shared IVPC
.vpcSubnets(subnets) // SubnetSelection here, shared between stacks
.instanceType(InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.SMALL))
.build())
.build());
CfnOutput.Builder.create(this, "dbref")
.exportName("SharedDB")
.value(db.getClusterIdentifier())
.build();
In another stack
SecurityGroup sg = new SecurityGroup(this, "sg", SecurityGroupProps.builder()
.securityGroupName("App sg")
.vpc(vpc) // an IVPC shared between stacks
.allowAllOutbound(true)
.build());
IDatabaseCluster db = DatabaseCluster.fromDatabaseClusterAttributes(this, "db", DatabaseClusterAttributes.builder()
.clusterIdentifier(Fn.importValue("SharedDB"))
.build());
db.getConnections().allowFrom(sg, Port.tcp(3306), "MySQL Access for app");
What did you expect to happen?
I either expect it to work, or to fail: saying more is needed in the IDatabaseCluster, or that the API getConnections allowFrom is not available with an IDatabaseCluster.
This functionality works for a shared load balancer, so I would expect it to be possible with a AWS::EC2::SecurityGroupIngress
What actually happened?
There is no output in the synth stage containing “MySQL Access for app”, there is no error
Environment
- CDK CLI Version : 1.78.0
- Framework Version: 1.78.0
- Node.js Version: v15.4.0
- OS : Mac OS X 10.15.7
- Language (Version): Java
Other
N/A
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
After some more experimentation, I find that by exporting the security group from the DB
and then importing
the allowFrom function works.
Perhaps a desirable result is that when the list is empty, an error occurs.
@skinny85 I have the same issue. Has it been fixed? I would like to import an RDS Serverless Cluster and add an inbound rule to its Security Group.