rds: cannot adjust security groups of existing RDS

[adam-nielsen]

Describe the bug

If you create an RDS in your stack, you can adjust the security groups (e.g. allowing an EC2 to connect) which is fine.

However if you import an existing RDS into your stack, you can't adjust the security groups, so there appears to be no way to grant anything in a stack access to an existing RDS.

Expected Behavior

I expected the call to rds.connections.allowFrom() to work the same whether the RDS instance was created in the current stack or imported from another stack with rds.DatabaseCluster.fromDatabaseClusterAttributes().

Current Behavior

If the database already exists outside of the current stack, the allowFrom()/allowTo() calls produce no errors, but the Cfn output does not contain any mention of the security group changes.

Reproduction Steps

import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

export class ExampleStack extends Stack {
  public constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'vpc', {
      vpcId: 'vpc-12345',
    });

    const client = new ec2.Instance(this, 'test', {
      vpc: vpc,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
      machineImage: new ec2.AmazonLinuxImage({ generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2 }),
    });

    // If we create a new RDS, then the security groups work fine:
    /*
    const db = new rds.DatabaseCluster(this, 'Database', {
      engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_01_0 }),
      writer: rds.ClusterInstance.provisioned('writer', {
        instanceType: ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE4),
      }),
      vpc,
    });
    */

    // Produces:
    //    DatabaseSecurityGroupfromteststacktestInstanceSecurityGroup26634811330682648EE3:
    //      Type: AWS::EC2::SecurityGroupIngress
    //      Properties:
    //        Description: EC2 access to RDS
    //        FromPort: 3306
    //        ...

    // But if we get an existing RDS instead, then the security groups do not
    // get mentioned at all in the `cdk synth` output:
    const db = rds.DatabaseCluster.fromDatabaseClusterAttributes(this, 'existing-rds', {
      clusterIdentifier: 'existing-rds', // RDS cluster name
    });

    // Neither of these options work if the RDS already exists outside this stack.
    client.connections.allowTo(db, ec2.Port.MYSQL_AURORA, 'EC2 access to RDS');
    db.connections.allowFrom(client, ec2.Port.MYSQL_AURORA, 'RDS access from EC2');
  }
}

If you comment out the lower const db and uncomment the upper one, you can switch between importing an RDS and creating a new RDS, to see the difference.

Running this with cdk synth is enough to check the Cfn output to see if the security groups are mentioned or not.

Possible Solution

No response

Additional Information/Context

We have a shared RDS used by multiple independent applications, so when we deploy an application we want the resources (EC2/ECS/Lambda/etc.) to be able to access the RDS, without having to use a blanket rule that permits access to the whole VPC.

CDK CLI Version

2.142.1 (build ed4e152)

Framework Version

No response

Node.js Version

v18.18.2

OS

Arch Linux

Language

TypeScript

Language Version

TypeScript (5.3.3)

Other information

No response

[pahud]

If you need to separate the instances and DB in two stacks, consider the code below to have DatabaseStack and InstanceStack:

// create a DatabaseStack that creates a random DatabaseCluster
export class DatabaseStack extends Stack {
  readonly cluster: rds.DatabaseCluster;
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', { isDefault: true });
    // create a random database cluster
    this.cluster = new rds.DatabaseCluster(this, 'Database', {
      engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_01_0 }),
      writer: rds.ClusterInstance.provisioned('writer', {
        instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
      }),
      vpc,
    });
  }
}

export interface InstanceStackProps extends StackProps {
  readonly cluster: rds.IDatabaseCluster;
}

// create a InstanceStack that creates a random EC2 Instance
export class InstanceStack extends Stack {
  constructor(scope: Construct, id: string, props: InstanceStackProps) {
    super(scope, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', { isDefault: true });
    // create a random EC2 instance
    const instance = new ec2.Instance(this, 'test', {
      vpc,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
      machineImage: new ec2.AmazonLinuxImage({ generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2 }),
    });

    props.cluster.connections.allowFrom(instance.connections, ec2.Port.tcp(3306), 'from ec2 instance to rds')

  }
}

app.ts

const dbstack = new DatabaseStack(app, 'DatabaseStack', { env });

new InstanceStack(app, 'InstanceStack', { 
    env,
    cluster: dbstack.cluster,
});

on npx cdk synth --all

you should see this in your database stack template

   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    "Description": "from ec2 instance to rds",
    "FromPort": 3306,
    "GroupId": {
     "Fn::GetAtt": [
      "DatabaseSecurityGroup5C91FDCB",
      "GroupId"
     ]
    },
    "IpProtocol": "tcp",
    "SourceSecurityGroupId": {
     "Fn::ImportValue": "InstanceStack:ExportsOutputFnGetAtttestInstanceSecurityGroup0C312FB5GroupId7D1BFC91"
    },
    "ToPort": 3306
   },

and this in your InstanceStack

   "Type": "AWS::EC2::SecurityGroup",
   "Properties": {
    "GroupDescription": "InstanceStack/test/InstanceSecurityGroup",
    "SecurityGroupEgress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow all outbound traffic by default",
      "IpProtocol": "-1"
     }
    ],

Let me know if it works for you.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[adam-nielsen]

Hi @pahud,

Many thanks for your reply and apologies for the late response!

You example does work, but it requires the two stacks are in the same CDK project. In our case we have one CDK project for our shared infrastructure, and then six other stacks for each application we deploy to the shared infrastructure. So we're unable to pass the IDatabaseCluster instance between stacks as you have suggested, because the stacks are entirely independent.

If you take your example and put DatabaseStack in one CDK project (then deploy with npx cdk deploy), and cd into the other CDK stack for InstanceStack and do another npx cdk deploy then you will see the problem.

Any ideas how to get your example to work in this situation?

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.