aws-rds: Subnet selection doesn't work for cluster.addRotationMultiUser #19233
Description
What is the problem?
There's a bug in VPC selection for addRotationMultiUser. Commented on original issue as well: #17265
Even if you pass in props for the subnet type to place the rotation lambda, it will always get placed in the same subnets as the cluster. See https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-rds/lib/cluster.ts line 611 for the addRotationMultiUser function. Notice how the '...options' line gets overridden by the cluster subnets.
The addRotationSingleUser function doesn't have this problem because the options are injected after the defaults. See the same file as above.
Not sure if there's another section of aws-rds that has an addRotationMultiUser function but worth checking the other rotation functions for the same bug.
I won't have time to work on a PR for a few months so someone else can feel free to pick this up. Just want to make sure the bug gets tracked.
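The two spread orders described above, modelled as an added example (this is not aws-cdk source; the interface and function names are assumptions made for the illustration). It shows why the multi-user merge discards the caller's `vpcSubnets` while the single-user merge keeps it, and includes a small check that flags when a caller-supplied subnet selection was silently dropped:

```typescript
// Added example, not CDK's own code. Names below are invented for this illustration.
interface SubnetSelection {
  subnetType: 'ISOLATED' | 'PRIVATE_WITH_NAT' | 'PUBLIC';
}

interface RotationOptions {
  automaticallyAfterDays?: number;
  vpcSubnets?: SubnetSelection;
}

// Cluster placed in isolated subnets, as in the reproduction steps (constructed value).
const clusterSubnets: SubnetSelection = { subnetType: 'ISOLATED' };

// Mirrors the multi-user ordering the report describes: the caller's options are spread
// first and the cluster subnets are written afterwards, so any vpcSubnets is overwritten.
function mergeMultiUserOrder(options: RotationOptions): RotationOptions {
  return { ...options, vpcSubnets: clusterSubnets };
}

// Mirrors the single-user ordering: cluster subnets act as the default, the caller's
// options are spread last, so an explicit vpcSubnets wins and a missing one falls back.
function mergeSingleUserOrder(options: RotationOptions): RotationOptions {
  return { vpcSubnets: clusterSubnets, ...options };
}

// Check for a silently discarded subnet selection: true when the caller asked for a
// specific subnet type and the effective options no longer carry it. This is the
// condition that left the rotation Lambda without a route to Secrets Manager.
function droppedCallerSubnets(requested: RotationOptions, effective: RotationOptions): boolean {
  return requested.vpcSubnets !== undefined
    && effective.vpcSubnets?.subnetType !== requested.vpcSubnets.subnetType;
}

// Constructed request matching the report: rotate every 90 days, place in private subnets.
const requested: RotationOptions = {
  automaticallyAfterDays: 90,
  vpcSubnets: { subnetType: 'PRIVATE_WITH_NAT' },
};

console.log(droppedCallerSubnets(requested, mergeMultiUserOrder(requested)));  // true
console.log(droppedCallerSubnets(requested, mergeSingleUserOrder(requested))); // false
```

The check is the kind of assertion worth keeping in a stack's unit tests: synthesize the stack, read the rotation Lambda's `VpcConfig`, and compare the subnet IDs against the subnet group you asked for rather than trusting the construct's defaults.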
Reproduction Steps
Create a VPC with private and isolated subnets and place an Aurora cluster in the isolated subnets. Then set up a multi-user rotation:
```typescript
// Imports assume CDK v2 (aws-cdk-lib), matching the CLI version reported below.
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';
import { Duration } from 'aws-cdk-lib';

// `cluster` is the Aurora DatabaseCluster created earlier in the isolated subnets (not shown here).
this.secret = new rds.DatabaseSecret(this, 'Secret', {
  username: username,
  masterSecret: cluster.secret,
}).attach(cluster);

cluster.addRotationMultiUser('Rotation', {
  secret: this.secret,
  automaticallyAfter: Duration.days(90),
  // Requested placement for the rotation Lambda; ignored by the multi-user path.
  vpcSubnets: {
    subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
  },
});
```
What did you expect to happen?
Rotation Lambda created in a private subnet and able to talk to Secrets Manager through the internet.
What actually happened?
Rotation Lambda created in an isolated subnet (the same subnet as the cluster) and times out because it can't talk to the internet.
CDK CLI Version
2.12.0 (build c9786db)
Framework Version
No response
Node.js Version
v16.14.0
OS
macOS Monterey v12.1
Language
Typescript
Language Version
TypeScript Version 4.5.5
Other information
No response