(aws_rds): DatabaseCluster s3ImportRole fails with Aurora MySQL 3 #19126

@vobarian

What is the problem?

Creating a DatabaseCluster with the property s3ImportRole or s3ImportBuckets fails when the engine version is Aurora MySQL 3 (MySQL 8.0). Using these properties on the construct causes it to add aurora_load_from_s3_role to the cluster parameter group; however, this parameter is not supported for engine version 3 and aws_default_s3_role must be used instead (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Reference.html).

Additionally, although I can set up the correct IAM role and aws_default_s3_role property in the cluster parameter group myself, I do not see any way with the DatabaseCluster construct to associate a role with the cluster without also triggering the failing behavior that modifies the parameter group, so I am really stuck. How can I just associate a role with the cluster?

Reproduction Steps

    import { Duration } from "aws-cdk-lib";
    import { InstanceClass, InstanceSize, InstanceType } from "aws-cdk-lib/aws-ec2";
    import {
      AuroraMysqlEngineVersion, Credentials, DatabaseCluster,
      DatabaseClusterEngine, ParameterGroup,
    } from "aws-cdk-lib/aws-rds";

    // Runs inside a Stack or Construct; vpc and securityGroup are defined elsewhere.
    const engine = DatabaseClusterEngine.auroraMysql({
      version: AuroraMysqlEngineVersion.of("8.0.mysql_aurora.3.01.0", "8.0")
    });

    const auroraRole = this.createAuroraRole(); // has assume role for rds with s3 read inline policy

    const parameterGroup = new ParameterGroup(this, "ClusterParameterGroup", {
      engine,
      parameters: {
        // this works for the parameter group but does not associate the role with the cluster:
        //aws_default_s3_role: auroraRole.roleArn
      }
    });

    const cluster = new DatabaseCluster(this, "Database", {
      clusterIdentifier: "mycluster",
      defaultDatabaseName: "mydatabase",
      engine,
      credentials: Credentials.fromGeneratedSecret("...", { secretName: "..." }),
      storageEncrypted: true,
      instances: 2,
      backup: {
        retention: Duration.days(7)
      },
      instanceProps: {
        instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.MEDIUM),
        vpc,
        vpcSubnets: vpc.selectSubnets({ subnetGroupName: "Private" }),
        securityGroups: [securityGroup]
      },
      parameterGroup,
      s3ImportRole: auroraRole, // triggers the failing aurora_load_from_s3_role parameter
    });

What did you expect to happen?

Add the role to the cluster and associate the parameter group with the given parameters with the cluster.

What actually happened?

    4:52:02 PM | UPDATE_FAILED        | AWS::RDS::DBClusterParameterGroup           | xxx...meterGroup3F9810FA
    Invalid / Unsupported DB Parameter: aurora_load_from_s3_role

CDK CLI Version

2.1.0 (build f4f18b1)

Framework Version

2.1.0

Node.js Version

v14.16.0

OS

macOS 12.2.1

Language

TypeScript

Language Version

3.9.10

Other information

No response
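
A pre-deploy check for the two conditions reported above, as an added example that is not part of the original issue or of aws-cdk: it scans a synthesized CloudFormation template for an Aurora MySQL 3 cluster whose parameter group carries aurora_load_from_s3_role, and for an aws_default_s3_role value that is not also listed in the cluster's AssociatedRoles. The function names, logical ids and sample template are constructed for illustration.

```typescript
// Added example (not aws-cdk code): lint a synthesized CloudFormation template.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: Record<string, Resource> };

const LEGACY_PARAM = "aurora_load_from_s3_role"; // rejected by Aurora MySQL 3 (per the issue)
const V3_PARAM = "aws_default_s3_role";          // the parameter version 3 expects

// "8.0.mysql_aurora.3.01.0" -> 3; undefined if there is no mysql_aurora.<major> part.
function auroraMysqlMajor(engineVersion: string): number | undefined {
  const m = /mysql_aurora\.(\d+)\./.exec(engineVersion);
  return m ? Number(m[1]) : undefined;
}

function checkS3ImportConfig(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::RDS::DBCluster") continue;
    const props = res.Properties ?? {};
    const major = auroraMysqlMajor(String(props.EngineVersion ?? ""));
    if (props.Engine !== "aurora-mysql" || major === undefined || major < 3) continue;
    // Follow { Ref: "<logical id>" } to the cluster parameter group in the same template.
    const pg = template.Resources[props.DBClusterParameterGroupName?.Ref];
    const params: Record<string, any> = pg?.Properties?.Parameters ?? {};
    if (LEGACY_PARAM in params) {
      findings.push(`${id}: ${LEGACY_PARAM} is unsupported on Aurora MySQL ${major}; use ${V3_PARAM}`);
    }
    // The parameter alone does not attach the role: it must also be in AssociatedRoles.
    const attached: string[] = (props.AssociatedRoles ?? []).map((r: any) => JSON.stringify(r.RoleArn));
    if (V3_PARAM in params && attached.indexOf(JSON.stringify(params[V3_PARAM])) === -1) {
      findings.push(`${id}: ${V3_PARAM} role is not in AssociatedRoles`);
    }
  }
  return findings;
}

// Constructed sample mirroring what the reproduction synthesizes (logical ids are made up).
const roleArn = { "Fn::GetAtt": ["AuroraRole", "Arn"] };
const failingTemplate: Template = { Resources: {
  ClusterParameterGroup: {
    Type: "AWS::RDS::DBClusterParameterGroup",
    Properties: { Family: "aurora-mysql8.0", Parameters: { [LEGACY_PARAM]: roleArn } } },
  Database: {
    Type: "AWS::RDS::DBCluster",
    Properties: { Engine: "aurora-mysql", EngineVersion: "8.0.mysql_aurora.3.01.0",
      DBClusterParameterGroupName: { Ref: "ClusterParameterGroup" },
      AssociatedRoles: [{ RoleArn: roleArn }] } },
} };
console.log(checkS3ImportConfig(failingTemplate));
```

Run against the JSON that cdk synth writes, this reports the parameter mismatch before CloudFormation rejects the update.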

Labels

@aws-cdk/aws-rds (Related to Amazon Relational Database), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.), p1
