Describe the bug
Even though publiclyAccessible is set to false, the value is ignored if the cluster is placed in a public subnet.
There are legitimate cases where a cluster could be placed in a public subnet, but it still should not have a public IP address.
```ts
import * as cdk from 'aws-cdk-lib'
import * as ec2 from 'aws-cdk-lib/aws-ec2'
import * as rds from 'aws-cdk-lib/aws-rds'

declare const scope: cdk.IResource
declare const vpc: ec2.IVpc

const cluster = new rds.DatabaseCluster(scope, 'Resource', {
  clusterIdentifier: 'cluster-one',
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_04_0 }),
  writer: rds.ClusterInstance.serverlessV2('writer', {
    instanceIdentifier: 'writer-instance',
    // Explicitly requested: no public IP address
    publiclyAccessible: false
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      instanceIdentifier: 'reader-instance',
      publiclyAccessible: false,
    })
  ],
  vpc,
  // Placing the cluster in public subnets is what triggers the reported behavior
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC
  },
})
```
Expected Behavior
The publiclyAccessible attribute should be honored if it is set, even if it is false.
Current Behavior
If the vpc and the vpcSubnets.subnetType is set to PUBLIC, it ignores the value provided in the publiclyAccessible attribute.
The documentation does not specify that it will be ignored.
Reproduction Steps
```ts
import * as cdk from 'aws-cdk-lib'
import * as ec2 from 'aws-cdk-lib/aws-ec2'
import * as rds from 'aws-cdk-lib/aws-rds'

declare const scope: cdk.IResource
declare const vpc: ec2.IVpc

const cluster = new rds.DatabaseCluster(scope, 'Resource', {
  clusterIdentifier: 'cluster-one',
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_04_0 }),
  writer: rds.ClusterInstance.serverlessV2('writer', {
    instanceIdentifier: 'writer-instance',
    // Explicitly requested: no public IP address
    publiclyAccessible: false
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      instanceIdentifier: 'reader-instance',
      publiclyAccessible: false,
    })
  ],
  vpc,
  // Placing the cluster in public subnets is what triggers the reported behavior
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC
  },
})
```
Possible Solution
Check if the publiclyAccessible attribute is NOT undefined, then set the value based on the vpc and vpc subnets.
Additional Information/Context
No response
CDK CLI Version
2.108.1
Framework Version
2.108.1
Node.js Version
18.18.2
OS
macOS 14.0 (23A344)
Language
TypeScript
Language Version
TypeScript (4.9.5)
Other information
No response
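A guard for the behavior reported above, as an added example that is not part of the original issue or of the CDK code base: it audits a synthesized CloudFormation template and lists every `AWS::RDS::DBInstance` that is not explicitly private. The function name, the logical IDs and the sample template are constructed, and the sample assumes the cluster instances synthesize with `PubliclyAccessible: true`, as the description implies.

```typescript
type Status = 'public' | 'unspecified' | 'unresolved';
interface Finding { logicalId: string; status: Status }
interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources?: Record<string, CfnResource> }

// Hypothetical helper. In a CDK unit test the template object would come from
// Template.fromStack(stack).toJSON() (aws-cdk-lib/assertions).
function auditDbInstances(template: CfnTemplate): Finding[] {
  const resources = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== 'AWS::RDS::DBInstance') continue;
    const value = res.Properties?.PubliclyAccessible;
    if (value === false || value === 'false') continue; // explicitly private
    if (value === true || value === 'true') {
      findings.push({ logicalId, status: 'public' });
    } else if (value === undefined) {
      // Property omitted: RDS derives the setting from the subnet group,
      // so the template does not pin the intended exposure.
      findings.push({ logicalId, status: 'unspecified' });
    } else {
      // Intrinsic function (Ref, Fn::If, ...) that cannot be evaluated statically.
      findings.push({ logicalId, status: 'unresolved' });
    }
  }
  return findings;
}

// Constructed sample template; logical IDs are made up for illustration.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ClusterSubnets: { Type: 'AWS::RDS::DBSubnetGroup', Properties: {} },
    Cluster: { Type: 'AWS::RDS::DBCluster', Properties: { Engine: 'aurora-mysql' } },
    ClusterWriter: { Type: 'AWS::RDS::DBInstance', Properties: { PubliclyAccessible: true } },
    ClusterReader: { Type: 'AWS::RDS::DBInstance', Properties: { PubliclyAccessible: true } },
    PrivateInstance: { Type: 'AWS::RDS::DBInstance', Properties: { PubliclyAccessible: false } },
    ImplicitInstance: { Type: 'AWS::RDS::DBInstance', Properties: {} },
  },
};

// Lists the writer and reader as 'public' and ImplicitInstance as 'unspecified'.
console.log(auditDbInstances(sampleTemplate));
```

Failing a unit test or CI step when the returned list is non-empty catches the mismatch between the requested `publiclyAccessible: false` and the synthesized template before deployment.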