Cloudformation-coverage-roadmap: AWS::RDS::DBInstance fails to update certain settings if in a VPC shared via RAM

Created on 12 Feb 2020 · 6 Comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

1. Title

AWS::RDS::DBInstance fails to update certain settings if in a VPC shared via RAM

2. Scope of request

Make RDS and Cloudformation work in a shared VPC.
With VPC sharing via RAM Cloudformation can't be relied on when using RDS.

3. Expected behavior

  • Create a VPC in one account and share via RAM
  • Create an Aurora cluster with one instance in the shared VPC in another account.
  • Update the instance's DBInstanceClass or EnablePerformanceMetrics (there are probably more, but these are the two I ran into)
  • Stack update should complete successfully instead of events with InternalFailure

Trying to work around these limitations by removing the instance from the stack, updating it by hand and then reimporting also fails with InternalFailure.

4. Suggest specific test cases

Samples:

  • Create a VPC in one account and share via RAM
  • Create an Aurora cluster with one instance in the shared VPC in another account.
  • Update the instance's DBInstanceClass or EnablePerformanceMetrics (there are probably more, but these are the two I ran into)
  • Stack update should complete successfully instead of events with InternalFailure

5. Helpful Links to speed up research and evaluation

The support mentioned that the team already knows about this.

6. Category (required) - Will help with tagging and be easier to find by other users to +1

  1. DB (RDS, DynamoDB...)
  2. Networking & Content (VPC, Route53, API GW,...)
bug? security identity compliance
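A CloudFormation template for the participant account that covers steps 2 and 3 of the reproduction above, added here as an example; it is not taken from the issue or from AWS. It assumes the VPC owner account has already shared the subnets through RAM and that the share has been accepted, so the subnet and VPC IDs resolve in the participant account. Parameter names, logical resource names and the secret layout are placeholders chosen for this example. DBInstanceClass and Performance Insights are exposed as parameters so that a later stack update touches only those two properties, which is the update path the issue reports as failing (the AWS::RDS::DBInstance property for Performance Insights is EnablePerformanceInsights).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Example (not from the issue): Aurora PostgreSQL cluster with one instance,
  deployed from the participant account into subnets shared via AWS RAM.

Parameters:
  SharedVpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC shared by the owner account through RAM
  SharedSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets of the shared VPC (at least two AZs for a DB subnet group)
  DBInstanceClass:
    Type: String
    Default: db.t3.medium
    Description: Change this value on a later stack update to exercise the reported path
  EnablePerformanceInsights:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']

Resources:
  # Master password is generated and kept in Secrets Manager, never in the template
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Aurora master credentials (example)
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dbadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets shared from the VPC owner account
      SubnetIds: !Ref SharedSubnetIds

  # No ingress rules: grant access explicitly from the client security group elsewhere
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Aurora access, no ingress by default
      VpcId: !Ref SharedVpcId

  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      DBSubnetGroupName: !Ref DBSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DBSecurityGroup
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      StorageEncrypted: true
      DeletionProtection: true
      BackupRetentionPeriod: 7

  AuroraInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-postgresql
      DBClusterIdentifier: !Ref AuroraCluster
      DBInstanceClass: !Ref DBInstanceClass
      DBSubnetGroupName: !Ref DBSubnetGroup
      PubliclyAccessible: false
      EnablePerformanceInsights: !Ref EnablePerformanceInsights

Outputs:
  ClusterEndpoint:
    Value: !GetAtt AuroraCluster.Endpoint.Address
```

Deploy once with the initial parameter values, then run a stack update that changes only DBInstanceClass or EnablePerformanceInsights; with the VPC shared via RAM, that update is the operation the issue describes as ending in InternalFailure. The same template deployed in the VPC owner account, with its own subnets, is a useful control case for confirming that the failure is tied to the shared VPC rather than to the template.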

All 6 comments

@bracki @luiseduardocolon
This bug is also preventing us from moving RDS instances to shared VPC (owned by different account), thus preventing us from moving forward with cross VPC migration of all of our AWS resources. Any update on this would be greatly appreciated. We also have AWS Support Case ID tracking the issue: 6844571841.

I face a similar issue (CDK Repo: #6439 and #6542):

Creating an RDS DatabaseInstance through CDK and later changing various properties (e.g. "engineVersion") results in an "Internal Failure" error message. In my case I did not import the VPC from another account, I created everything in the same stack:

// CDK v1 module imports
import { Construct, Duration, Stack, StackProps } from '@aws-cdk/core';
import { InstanceClass, InstanceSize, InstanceType, Vpc } from '@aws-cdk/aws-ec2';
import { DatabaseInstance, DatabaseInstanceEngine } from '@aws-cdk/aws-rds';

interface BackendStackProps extends StackProps {
  deployStage?: string;
}

export class BackendStack extends Stack {
  constructor(scope: Construct, id: string, props?: BackendStackProps) {
    super(scope, id, props);

    // --- Networking: VPC created in this same stack (not imported from another account)
    const vpc = new Vpc(this, 'TestVPC', {
      natGateways: 1,
      maxAzs: 2,
    });

    // --- Database: changing properties such as engineVersion later produced "Internal Failure"
    const appDB = new DatabaseInstance(this, 'TestPostgresInstance', {
      engine: DatabaseInstanceEngine.POSTGRES,
      instanceClass: InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.MICRO),
      masterUsername: 'TestUser',
      databaseName: 'testdb',
      vpc,
      allocatedStorage: 10,
      backupRetention: Duration.days(3),
    });

    // --- Grant Service Permissions
    // "service" is an instance of "ApplicationLoadBalancedFargateService"
    // appDB.connections.allowDefaultPortFrom(service.service.connections);
    // appDB.secret?.grantRead(service.taskDefinition.taskRole);
    // const secretPolicy = new Policy(this, 'DBSecretPolicy', {
    //   statements: [
    //     new PolicyStatement({
    //       effect: Effect.ALLOW,
    //       resources: [appDB.secret?.secretArn || ''],
    //       actions: ['secretsmanager:DescribeSecret'],
    //     }),
    //   ],
    // });
    // service.taskDefinition.taskRole.attachInlinePolicy(secretPolicy); // See: https://github.com/aws/aws-cdk/issues/6444
  }
}

Is there an update on the fix? It's been in "Coming Soon" for 5 weeks already.
We are using shared VPCs and we can't update our RDS databases with Cloudformation.
Any update will be appreciated.

@luiseduardocolon Any updates on this would be much appreciated. Thank you!

Hello,

Any updates on this?


Hello Robert,

This is Eric again, and I wanted to provide you with an update.

Although the issue has not been updated in our public roadmap on GitHub, our internal CloudFormation team has verified that a fix has been implemented from our end to mitigate the issue, and you should no longer be encountering the same error.

Please let me know if you have any additional questions or concerns, and I will be happy to further assist you.

We value your feedback. Please share your experience by rating this correspondence using the AWS Support Center link at the end of this correspondence. Each correspondence can also be rated by selecting the stars in top right corner of each correspondence within the AWS Support Center.

Best regards,
Eric H.
Amazon Web Services
