Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-rds: Proxy Target Group does not depend on Writer Instance #31304

Closed
1 task
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@ServerlessSam
Copy link

Describe the bug

When following documentation for a DatabaseCluster I get CloudFormation deployment errors

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Proxy Target Group should wait for Aurora writer instance to be ready before creating CloudFormation resource

Current Behavior

Target Group does not wait for Aurora writer instance to be ready before creating CloudFormation resource. The following CloudFormation error is seen as the proxy target group moves to the CREATE_FAILED state:

Resource handler returned message: "DB Instance <writer instance name> is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING]

Reproduction Steps

Deploy the following CDK (2.143.0) (eu-central-1 if you want to match my region)

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
import { Runtime, FunctionUrlAuthType, HttpMethod } from 'aws-cdk-lib/aws-lambda';
import { Credentials, DatabaseProxy, ClusterInstance } from 'aws-cdk-lib/aws-rds';
import { DatabaseCluster, DatabaseClusterEngine, ClientPasswordAuthType, ProxyTarget, AuroraPostgresEngineVersion } from 'aws-cdk-lib/aws-rds';
import {Vpc, SubnetType, SecurityGroup, InstanceType, InstanceClass, InstanceSize} from 'aws-cdk-lib/aws-ec2'
import * as path from 'path';

export class CdkAuroraLambdaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create a custom VPC
    const vpc = new Vpc(this, 'AuroraVPC', {
      natGateways: 1,
      maxAzs: 2,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'AuroraPublicSubnet',
          subnetType: SubnetType.PUBLIC,
        },
        {
          cidrMask: 24,
          name: 'AuroraSubnet',
          subnetType: SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });

    // Create a security group for the Aurora Serverless v2 cluster
    const dbSecurityGroup = new SecurityGroup(this, 'AuroraSecurityGroup', {
      vpc,
      description: 'Security group for Aurora Serverless v2 cluster',
      allowAllOutbound: true,
    });

    // Create a security group for the Lambda functions
    const lambdaSecurityGroup = new SecurityGroup(this, 'LambdaSecurityGroup', {
      vpc,
      description: 'Security group for Lambda functions',
    });

    // Allow the Lambda functions to access the Aurora Serverless v2 cluster
    dbSecurityGroup.addIngressRule(lambdaSecurityGroup, cdk.aws_ec2.Port.tcp(5432));

    // Create Aurora Serverless v2 cluster
    const cluster = new DatabaseCluster(this, 'AuroraCluster', {
      engine: DatabaseClusterEngine.auroraPostgres({ version: AuroraPostgresEngineVersion.VER_16_2 }),
      credentials: Credentials.fromGeneratedSecret('AuroraSecret'),
      defaultDatabaseName: 'AuroraDB',
      serverlessV2MinCapacity: 0.5,
      serverlessV2MaxCapacity: 10,
      securityGroups: [dbSecurityGroup],
      vpc, // Use the custom VPC
      vpcSubnets: {
        subnetType: SubnetType.PRIVATE_ISOLATED,
      },
      writer: ClusterInstance.provisioned("writer")

    });

    // Create a data proxy
    const proxy = new DatabaseProxy(this, 'AuroraProxy', {
      proxyTarget: ProxyTarget.fromCluster(cluster),
      secrets: [cluster.secret!],
      vpc,
      clientPasswordAuthType: ClientPasswordAuthType.POSTGRES_MD5 
    });
    ```
    
    You will get the `CREATE_FAILED` deployment as explained in the bug. 

### Possible Solution

The Proxy Target Group needs to be aware and add a DependsOn for the writer instance. Currently it only depends on the Aurora Cluster. The writer instance is a seperate resource.

Adding `proxy.node.addDependency(cluster)` to the bottom of the code snipped from the repro steps resolves the issue for now. But the library should add this for you

### Additional Information/Context

_No response_

### CDK CLI Version

2.143.0

### Framework Version

2.143.0

### Node.js Version

v20.12.2

### OS

Mac

### Language

TypeScript

### Language Version

_No response_

### Other information

_No response_
@ServerlessSam ServerlessSam added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Sep 3, 2024
@ServerlessSam
Copy link
Author

@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 3, 2024
@khushail khushail self-assigned this Sep 3, 2024
@khushail
Copy link
Contributor

khushail commented Sep 3, 2024

Hi @ServerlessSam , thanks for reaching out.

I tried to repro the issue and it succeeded with deployment, using the code shared by you (without adding the dependency statement). please refer to the snapshots here -

Screenshot 2024-09-03 at 3 30 45 PM

The resources in Cloudformation -

Screenshot 2024-09-03 at 3 35 55 PM

Could you please share the error logs or any more information that might be able to help reproduce the issue ?

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 3, 2024
@ServerlessSam
Copy link
Author

ServerlessSam commented Sep 4, 2024

Sure I'll provide more logs. I just reproduced it for a 3rd consecutive time.

To minimize log verbosity... This is the first log from my local CDK deployment that something is wrong:

CdkAuroraLambdaStack | 43/46 | 2:00:26 PM | CREATE_COMPLETE      | AWS::RDS::DBProxy                           | AuroraProxy (AuroraProxy1E1757CC) 
CdkAuroraLambdaStack | 43/46 | 2:00:26 PM | CREATE_IN_PROGRESS   | AWS::RDS::DBProxyTargetGroup                | AuroraProxy/ProxyTargetGroup (AuroraProxyProxyTargetGroupA7D69AA9) 
CdkAuroraLambdaStack | 43/46 | 2:00:27 PM | CREATE_IN_PROGRESS   | AWS::RDS::DBProxyTargetGroup                | AuroraProxy/ProxyTargetGroup (AuroraProxyProxyTargetGroupA7D69AA9) Resource creation Initiated
CdkAuroraLambdaStack | 43/46 | 2:00:30 PM | CREATE_FAILED        | AWS::RDS::DBProxyTargetGroup                | AuroraProxy/ProxyTargetGroup (AuroraProxyProxyTargetGroupA7D69AA9) Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)
[14:00:33] Stack CdkAuroraLambdaStack has an ongoing operation in progress and is not stable (ROLLBACK_IN_PROGRESS)
CdkAuroraLambdaStack | 44/46 | 2:00:36 PM | DELETE_COMPLETE      | AWS::RDS::DBProxyTargetGroup                | AuroraProxy/ProxyTargetGroup (AuroraProxyProxyTargetGroupA7D69AA9) 
CdkAuroraLambdaStack | 44/46 | 2:00:31 PM | CREATE_FAILED        | AWS::RDS::DBInstance                        | AuroraCluster/writer (AuroraClusterwriter499C523E) Resource creation cancelled
CdkAuroraLambdaStack | 44/46 | 2:00:31 PM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack                  | CdkAuroraLambdaStack The following resource(s) failed to create: [AuroraProxyProxyTargetGroupA7D69AA9, AuroraClusterwriter499C523E]. Rollback requested by user.

After all the rollbacks are complete I see the following:

CdkAuroraLambdaStack |  3/46 | 2:11:07 PM | ROLLBACK_COMPLETE    | AWS::CloudFormation::Stack                  | CdkAuroraLambdaStack 

Failed resources:
CdkAuroraLambdaStack | 2:00:30 PM | CREATE_FAILED        | AWS::RDS::DBProxyTargetGroup                | AuroraProxy/ProxyTargetGroup (AuroraProxyProxyTargetGroupA7D69AA9) Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)

 ❌  CdkAuroraLambdaStack failed: Error: The stack named CdkAuroraLambdaStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:442:10568)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:445:199515)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:445:181237

 ❌ Deployment failed: Error: The stack named CdkAuroraLambdaStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:442:10568)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:445:199515)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:445:181237
[14:11:09] Reading cached notices from /Users/samuellock/.cdk/cache/notices.json

The stack named CdkAuroraLambdaStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)
[14:11:09] Error: The stack named CdkAuroraLambdaStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "DB Instance cdkauroralambdastack-auroraclusterwriter499c523e-w5y3jggfnpsh is in an unsupported state - CONFIGURING_ENHANCED_MONITORING, needs to be in [AVAILABLE, MODIFYING, BACKING_UP, CREATING] (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBInstanceState; Request ID: 3df0e6d1-2191-41ed-b246-1b28e19a7d5d; Proxy: null)" (RequestToken: 30e9b969-55be-c8ea-fad3-4ecbdab58d4f, HandlerErrorCode: GeneralServiceException)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:442:10568)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:445:199515)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:445:181237

This is the corresponding error event in the CF console for the deployment. The rollback occurs after this

Screenshot 2024-09-04 at 14 23 43

This is the generated template being deployed:

    {
  "Resources": {
    "AuroraVPCABFB6588": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default",
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/Resource"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1SubnetB8E2D156": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            0,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.0.0/24",
        "MapPublicIpOnLaunch": true,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "AuroraPublicSubnet"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Public"
          },
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/Subnet"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1RouteTableDB3FCCA6": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/RouteTable"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1RouteTableAssociation263633F8": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet1RouteTableDB3FCCA6"
        },
        "SubnetId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet1SubnetB8E2D156"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/RouteTableAssociation"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1DefaultRoute04464835": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "AuroraVPCIGW978E55B5"
        },
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet1RouteTableDB3FCCA6"
        }
      },
      "DependsOn": [
        "AuroraVPCVPCGW2CE11C62"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/DefaultRoute"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1EIP7146C1A9": {
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "Domain": "vpc",
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/EIP"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet1NATGateway501621FE": {
      "Type": "AWS::EC2::NatGateway",
      "Properties": {
        "AllocationId": {
          "Fn::GetAtt": [
            "AuroraVPCAuroraPublicSubnetSubnet1EIP7146C1A9",
            "AllocationId"
          ]
        },
        "SubnetId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet1SubnetB8E2D156"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1"
          }
        ]
      },
      "DependsOn": [
        "AuroraVPCAuroraPublicSubnetSubnet1DefaultRoute04464835",
        "AuroraVPCAuroraPublicSubnetSubnet1RouteTableAssociation263633F8"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet1/NATGateway"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet2Subnet313237A7": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            1,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.1.0/24",
        "MapPublicIpOnLaunch": true,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "AuroraPublicSubnet"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Public"
          },
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2/Subnet"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet2RouteTable52D05433": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2/RouteTable"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet2RouteTableAssociationDA46222C": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet2RouteTable52D05433"
        },
        "SubnetId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet2Subnet313237A7"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2/RouteTableAssociation"
      }
    },
    "AuroraVPCAuroraPublicSubnetSubnet2DefaultRouteB88E2A49": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "AuroraVPCIGW978E55B5"
        },
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraPublicSubnetSubnet2RouteTable52D05433"
        }
      },
      "DependsOn": [
        "AuroraVPCVPCGW2CE11C62"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraPublicSubnetSubnet2/DefaultRoute"
      }
    },
    "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            0,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.2.0/24",
        "MapPublicIpOnLaunch": false,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "AuroraSubnet"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Isolated"
          },
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet1/Subnet"
      }
    },
    "AuroraVPCAuroraSubnetSubnet1RouteTableBB68B00D": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet1/RouteTable"
      }
    },
    "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraSubnetSubnet1RouteTableBB68B00D"
        },
        "SubnetId": {
          "Ref": "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet1/RouteTableAssociation"
      }
    },
    "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            1,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.3.0/24",
        "MapPublicIpOnLaunch": false,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "AuroraSubnet"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Isolated"
          },
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet2/Subnet"
      }
    },
    "AuroraVPCAuroraSubnetSubnet2RouteTable4513F13F": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet2/RouteTable"
      }
    },
    "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "AuroraVPCAuroraSubnetSubnet2RouteTable4513F13F"
        },
        "SubnetId": {
          "Ref": "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/AuroraSubnetSubnet2/RouteTableAssociation"
      }
    },
    "AuroraVPCIGW978E55B5": {
      "Type": "AWS::EC2::InternetGateway",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CdkAuroraLambdaStack/AuroraVPC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/IGW"
      }
    },
    "AuroraVPCVPCGW2CE11C62": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": {
          "Ref": "AuroraVPCIGW978E55B5"
        },
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/VPCGW"
      }
    },
    "AuroraVPCRestrictDefaultSecurityGroupCustomResourceD86D1603": {
      "Type": "Custom::VpcRestrictDefaultSG",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E",
            "Arn"
          ]
        },
        "DefaultSecurityGroupId": {
          "Fn::GetAtt": [
            "AuroraVPCABFB6588",
            "DefaultSecurityGroup"
          ]
        },
        "Account": {
          "Ref": "AWS::AccountId"
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraVPC/RestrictDefaultSecurityGroupCustomResource/Default"
      }
    },
    "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          {
            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          }
        ],
        "Policies": [
          {
            "PolicyName": "Inline",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupEgress"
                  ],
                  "Resource": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:",
                          {
                            "Ref": "AWS::Partition"
                          },
                          ":ec2:",
                          {
                            "Ref": "AWS::Region"
                          },
                          ":",
                          {
                            "Ref": "AWS::AccountId"
                          },
                          ":security-group/",
                          {
                            "Fn::GetAtt": [
                              "AuroraVPCABFB6588",
                              "DefaultSecurityGroup"
                            ]
                          }
                        ]
                      ]
                    }
                  ]
                }
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Role"
      }
    },
    "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
          },
          "S3Key": "ee7de53d64cc9d6248fa6aa550f92358f6c907b5efd6f3298aeab1b5e7ea358a.zip"
        },
        "Timeout": 900,
        "MemorySize": 128,
        "Handler": "__entrypoint__.handler",
        "Role": {
          "Fn::GetAtt": [
            "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0",
            "Arn"
          ]
        },
        "Runtime": "nodejs18.x",
        "Description": "Lambda function for removing all inbound/outbound rules from the VPC default security group"
      },
      "DependsOn": [
        "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler",
        "aws:asset:path": "asset.ee7de53d64cc9d6248fa6aa550f92358f6c907b5efd6f3298aeab1b5e7ea358a",
        "aws:asset:property": "Code"
      }
    },
    "AuroraSecurityGroup75F699F6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for Aurora Serverless v2 cluster",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraSecurityGroup/Resource"
      }
    },
    "AuroraSecurityGroupfromCdkAuroraLambdaStackLambdaSecurityGroupD135FCB95432A44D7803": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "from CdkAuroraLambdaStackLambdaSecurityGroupD135FCB9:5432",
        "FromPort": 5432,
        "GroupId": {
          "Fn::GetAtt": [
            "AuroraSecurityGroup75F699F6",
            "GroupId"
          ]
        },
        "IpProtocol": "tcp",
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "LambdaSecurityGroup0BD9FC99",
            "GroupId"
          ]
        },
        "ToPort": 5432
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraSecurityGroup/from CdkAuroraLambdaStackLambdaSecurityGroupD135FCB9:5432"
      }
    },
    "AuroraSecurityGroupfromCdkAuroraLambdaStackAuroraProxyProxySecurityGroup43E67004IndirectPort499CAC31": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "Allow connections to the database Cluster from the Proxy",
        "FromPort": {
          "Fn::GetAtt": [
            "AuroraCluster23D869C0",
            "Endpoint.Port"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "AuroraSecurityGroup75F699F6",
            "GroupId"
          ]
        },
        "IpProtocol": "tcp",
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "AuroraProxyProxySecurityGroupD8C4B20F",
            "GroupId"
          ]
        },
        "ToPort": {
          "Fn::GetAtt": [
            "AuroraCluster23D869C0",
            "Endpoint.Port"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraSecurityGroup/from CdkAuroraLambdaStackAuroraProxyProxySecurityGroup43E67004:{IndirectPort}"
      }
    },
    "LambdaSecurityGroup0BD9FC99": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for Lambda functions",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/LambdaSecurityGroup/Resource"
      }
    },
    "AuroraClusterSubnetsF3E9E6AD": {
      "Type": "AWS::RDS::DBSubnetGroup",
      "Properties": {
        "DBSubnetGroupDescription": "Subnets for AuroraCluster database",
        "SubnetIds": [
          {
            "Ref": "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55"
          },
          {
            "Ref": "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraCluster/Subnets/Default"
      }
    },
    "CdkAuroraLambdaStackAuroraClusterSecret75F4774F3fdaad7efa858a3daf9490cf0a702aeb": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": {
          "Fn::Join": [
            "",
            [
              "Generated by the CDK for stack: ",
              {
                "Ref": "AWS::StackName"
              }
            ]
          ]
        },
        "GenerateSecretString": {
          "ExcludeCharacters": " %+~`#$&*()|[]{}:;<>?!'/@\"\\",
          "GenerateStringKey": "password",
          "PasswordLength": 30,
          "SecretStringTemplate": "{\"username\":\"AuroraSecret\"}"
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraCluster/Secret/Resource"
      }
    },
    "AuroraClusterSecretAttachmentDB8032DA": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {
          "Ref": "CdkAuroraLambdaStackAuroraClusterSecret75F4774F3fdaad7efa858a3daf9490cf0a702aeb"
        },
        "TargetId": {
          "Ref": "AuroraCluster23D869C0"
        },
        "TargetType": "AWS::RDS::DBCluster"
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraCluster/Secret/Attachment/Resource"
      }
    },
    "AuroraCluster23D869C0": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "CopyTagsToSnapshot": true,
        "DBClusterParameterGroupName": "default.aurora-postgresql16",
        "DBSubnetGroupName": {
          "Ref": "AuroraClusterSubnetsF3E9E6AD"
        },
        "DatabaseName": "AuroraDB",
        "Engine": "aurora-postgresql",
        "EngineVersion": "16.2",
        "MasterUserPassword": {
          "Fn::Join": [
            "",
            [
              "{{resolve:secretsmanager:",
              {
                "Ref": "CdkAuroraLambdaStackAuroraClusterSecret75F4774F3fdaad7efa858a3daf9490cf0a702aeb"
              },
              ":SecretString:password::}}"
            ]
          ]
        },
        "MasterUsername": "AuroraSecret",
        "Port": 5432,
        "VpcSecurityGroupIds": [
          {
            "Fn::GetAtt": [
              "AuroraSecurityGroup75F699F6",
              "GroupId"
            ]
          }
        ]
      },
      "UpdateReplacePolicy": "Snapshot",
      "DeletionPolicy": "Snapshot",
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraCluster/Resource"
      }
    },
    "AuroraClusterwriter499C523E": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBClusterIdentifier": {
          "Ref": "AuroraCluster23D869C0"
        },
        "DBInstanceClass": "db.t3.medium",
        "Engine": "aurora-postgresql",
        "PromotionTier": 0,
        "PubliclyAccessible": false
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraCluster/writer/Resource"
      }
    },
    "AuroraProxyIAMRoleA8549DEC": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "rds.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraProxy/IAMRole/Resource"
      }
    },
    "AuroraProxyIAMRoleDefaultPolicy2E562659": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
              ],
              "Effect": "Allow",
              "Resource": {
                "Ref": "AuroraClusterSecretAttachmentDB8032DA"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "AuroraProxyIAMRoleDefaultPolicy2E562659",
        "Roles": [
          {
            "Ref": "AuroraProxyIAMRoleA8549DEC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraProxy/IAMRole/DefaultPolicy/Resource"
      }
    },
    "AuroraProxyProxySecurityGroupD8C4B20F": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SecurityGroup for Database Proxy",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],
        "VpcId": {
          "Ref": "AuroraVPCABFB6588"
        }
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraProxy/ProxySecurityGroup/Resource"
      }
    },
    "AuroraProxy1E1757CC": {
      "Type": "AWS::RDS::DBProxy",
      "Properties": {
        "Auth": [
          {
            "AuthScheme": "SECRETS",
            "ClientPasswordAuthType": "POSTGRES_MD5",
            "IAMAuth": "DISABLED",
            "SecretArn": {
              "Ref": "AuroraClusterSecretAttachmentDB8032DA"
            }
          }
        ],
        "DBProxyName": "CdkAuroraLambdaStackAuroraProxy0EF49657",
        "EngineFamily": "POSTGRESQL",
        "RequireTLS": true,
        "RoleArn": {
          "Fn::GetAtt": [
            "AuroraProxyIAMRoleA8549DEC",
            "Arn"
          ]
        },
        "VpcSecurityGroupIds": [
          {
            "Fn::GetAtt": [
              "AuroraProxyProxySecurityGroupD8C4B20F",
              "GroupId"
            ]
          }
        ],
        "VpcSubnetIds": [
          {
            "Ref": "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55"
          },
          {
            "Ref": "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraProxy/Resource"
      }
    },
    "AuroraProxyProxyTargetGroupA7D69AA9": {
      "Type": "AWS::RDS::DBProxyTargetGroup",
      "Properties": {
        "ConnectionPoolConfigurationInfo": {},
        "DBClusterIdentifiers": [
          {
            "Ref": "AuroraCluster23D869C0"
          }
        ],
        "DBProxyName": {
          "Ref": "AuroraProxy1E1757CC"
        },
        "TargetGroupName": "default"
      },
      "DependsOn": [
        "AuroraCluster23D869C0"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/AuroraProxy/ProxyTargetGroup"
      }
    },
    "GetLambdaServiceRole4767C6E2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          },
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
              ]
            ]
          }
        ]
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/GetLambda/ServiceRole/Resource"
      }
    },
    "GetLambda3B1776D4": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
          },
          "S3Key": "518449451bec4606934b87a437f5656963f2d35de91cda85c884947610c9671f.zip"
        },
        "Environment": {
          "Variables": {
            "CLUSTER_ARN": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":rds:",
                  {
                    "Ref": "AWS::Region"
                  },
                  ":",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":cluster:",
                  {
                    "Ref": "AuroraCluster23D869C0"
                  }
                ]
              ]
            },
            "SECRET_ARN": {
              "Ref": "AuroraClusterSecretAttachmentDB8032DA"
            }
          }
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "GetLambdaServiceRole4767C6E2",
            "Arn"
          ]
        },
        "Runtime": "nodejs20.x",
        "VpcConfig": {
          "SecurityGroupIds": [
            {
              "Fn::GetAtt": [
                "LambdaSecurityGroup0BD9FC99",
                "GroupId"
              ]
            }
          ],
          "SubnetIds": [
            {
              "Ref": "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55"
            },
            {
              "Ref": "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83"
            }
          ]
        }
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163",
        "GetLambdaServiceRole4767C6E2"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/GetLambda/Resource",
        "aws:asset:path": "asset.518449451bec4606934b87a437f5656963f2d35de91cda85c884947610c9671f",
        "aws:asset:is-bundled": true,
        "aws:asset:property": "Code"
      }
    },
    "GetLambdaFunctionUrl1E971B8F": {
      "Type": "AWS::Lambda::Url",
      "Properties": {
        "AuthType": "NONE",
        "Cors": {
          "AllowMethods": [
            "GET"
          ],
          "AllowOrigins": [
            "*"
          ]
        },
        "TargetFunctionArn": {
          "Fn::GetAtt": [
            "GetLambda3B1776D4",
            "Arn"
          ]
        }
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/GetLambda/FunctionUrl/Resource"
      }
    },
    "GetLambdainvokefunctionurl8A0E8BE1": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunctionUrl",
        "FunctionName": {
          "Fn::GetAtt": [
            "GetLambda3B1776D4",
            "Arn"
          ]
        },
        "FunctionUrlAuthType": "NONE",
        "Principal": "*"
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/GetLambda/invoke-function-url"
      }
    },
    "PostLambdaServiceRole1CD56985": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          },
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
              ]
            ]
          }
        ]
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/PostLambda/ServiceRole/Resource"
      }
    },
    "PostLambda0EF1C7F9": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
          },
          "S3Key": "3d28048826a163981d52ba7d4fd37f93149308641f16b186dae81c938596d5e3.zip"
        },
        "Environment": {
          "Variables": {
            "CLUSTER_ARN": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":rds:",
                  {
                    "Ref": "AWS::Region"
                  },
                  ":",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":cluster:",
                  {
                    "Ref": "AuroraCluster23D869C0"
                  }
                ]
              ]
            },
            "SECRET_ARN": {
              "Ref": "AuroraClusterSecretAttachmentDB8032DA"
            }
          }
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "PostLambdaServiceRole1CD56985",
            "Arn"
          ]
        },
        "Runtime": "nodejs20.x",
        "VpcConfig": {
          "SecurityGroupIds": [
            {
              "Fn::GetAtt": [
                "LambdaSecurityGroup0BD9FC99",
                "GroupId"
              ]
            }
          ],
          "SubnetIds": [
            {
              "Ref": "AuroraVPCAuroraSubnetSubnet1Subnet091AAC55"
            },
            {
              "Ref": "AuroraVPCAuroraSubnetSubnet2Subnet38A92A83"
            }
          ]
        }
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163",
        "PostLambdaServiceRole1CD56985"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/PostLambda/Resource",
        "aws:asset:path": "asset.3d28048826a163981d52ba7d4fd37f93149308641f16b186dae81c938596d5e3",
        "aws:asset:is-bundled": true,
        "aws:asset:property": "Code"
      }
    },
    "PostLambdaFunctionUrlE8076EBC": {
      "Type": "AWS::Lambda::Url",
      "Properties": {
        "AuthType": "NONE",
        "Cors": {
          "AllowMethods": [
            "POST"
          ],
          "AllowOrigins": [
            "*"
          ]
        },
        "TargetFunctionArn": {
          "Fn::GetAtt": [
            "PostLambda0EF1C7F9",
            "Arn"
          ]
        }
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/PostLambda/FunctionUrl/Resource"
      }
    },
    "PostLambdainvokefunctionurl440319AB": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunctionUrl",
        "FunctionName": {
          "Fn::GetAtt": [
            "PostLambda0EF1C7F9",
            "Arn"
          ]
        },
        "FunctionUrlAuthType": "NONE",
        "Principal": "*"
      },
      "DependsOn": [
        "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
        "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
      ],
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/PostLambda/invoke-function-url"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:H4sIAAAAAAAA/31R0U7DMAz8Ft6zAB0/sHWA9oKqFXid3NQr2doExc7GVPXfUZKtRUjwdPb57Lsombx/mMu7GzjRTNWHWasr2ZcM6iDgRNseVSb7908l8p15L3JR+KrVqvSVQQ7cVG2sZ3yFqsWJn7gFkVUaWFszikPxuC4CvAA/A+MJzqJw+giM0+G1YXQGR0FKcukWzKA+OjQsSlTeaT4/O+s/Y4Z/ibVpHBINwtUk+xUwVECYt54YnUj24+Zq+ZO4iktULmVcLa+LsVkbYjAKR2Xh7Nc5zX6Xr+Cay+FBULxIHRho0Mk+hQ4mCZL4x6NHwe/JIDR0st/Y9B8RC9tqFb1TNYgWuqqGrbE17km+RHjyRsV/ovkWiJBJLgIImsulVwfkJRBeVmPEceNavLk2uFygQNdpIm3NMIgNkvVOocg9se2mdmf+GBXOHnWNLrrGJCVDo00TdnJrah0sBxEeIfd0e8zu5H0ms5s9aT1z3rDuUG4SfgMJxTCe8AIAAA=="
      },
      "Metadata": {
        "aws:cdk:path": "CdkAuroraLambdaStack/CDKMetadata/Default"
      },
      "Condition": "CDKMetadataAvailable"
    }
  },
  "Conditions": {
    "CDKMetadataAvailable": {
      "Fn::Or": [
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "af-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-northwest-1"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "il-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "sa-east-1"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-2"
              ]
            }
          ]
        }
      ]
    }
  },
  "Parameters": {
    "BootstrapVersion": {
      "Type": "AWS::SSM::Parameter::Value<String>",
      "Default": "/cdk-bootstrap/hnb659fds/version",
      "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
    }
  },
  "Rules": {
    "CheckBootstrapVersion": {
      "Assertions": [
        {
          "Assert": {
            "Fn::Not": [
              {
                "Fn::Contains": [
                  [
                    "1",
                    "2",
                    "3",
                    "4",
                    "5"
                  ],
                  {
                    "Ref": "BootstrapVersion"
                  }
                ]
              }
            ]
          },
          "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
        }
      ]
    }
  }
}

Notice how AuroraProxyProxyTargetGroupA7D69AA9 has a ref for AuroraCluster23D869C0 and a DependsOn for AuroraCluster23D869C0 also (which I don't think it needs). I double checked that the AuroraCluster23D869C0 resource doesn't have a dependency on the writer instance (AuroraClusterwriter499C523E) which it doesn't (and this makes sense).

So this explains my theory. The writer is taking a while to deploy and the target group has an internal dependency on it, but no CloudFormation dependency.

This is why I added the explicit DependsOn line proxy.node.addDependency(cluster).

To explain why you cannot reproduce it, it could possibly be a race condition? I have a 3/3 record reproducing it and a 1/1 record of deploying successfully with the DependsOn added.

Let me know if you need anything else from me

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 4, 2024
@khushail khushail added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Sep 4, 2024
@khushail
Copy link
Contributor

khushail commented Sep 5, 2024

Hey @ServerlessSam , your observation is right on. I checked the cloudformation template in my code and seems like there is a reference in writer instance but no depends-on ias pointed out by you, which might be leading to creation failure causing the race condition.
cloudformation template snippet -

"AuroraCluster23D869C0": {
   "Type": "AWS::RDS::DBCluster",
   "Properties": {
    "CopyTagsToSnapshot": true,
    "DBClusterParameterGroupName": "default.aurora-postgresql16",
    "DBSubnetGroupName": {
     "Ref": "AuroraClusterSubnetsF3E9E6AD"
    },
    "DatabaseName": "AuroraDB",
    "Engine": "aurora-postgresql",
    "EngineVersion": "16.2",
    "MasterUserPassword": {
     "Fn::Join": [
      "",
      [
       "{{resolve:secretsmanager:",
       {
        "Ref": "ProxyRdsIssueStackAuroraClusterSecretB6AFBD693fdaad7efa858a3daf9490cf0a702aeb"
       },
       ":SecretString:password::}}"
      ]
     ]
    },
    "MasterUsername": "AuroraSecret",
    "Port": 5432,
    "VpcSecurityGroupIds": [
     {
      "Fn::GetAtt": [
       "AuroraSecurityGroup75F699F6",
       "GroupId"
      ]
     }
    ]
   },
   "UpdateReplacePolicy": "Snapshot",
   "DeletionPolicy": "Snapshot",
   "Metadata": {
    "aws:cdk:path": "ProxyRdsIssueStack/AuroraCluster/Resource"
   }
  },
  "AuroraClusterwriter499C523E": {
   "Type": "AWS::RDS::DBInstance",
   "Properties": {
    "DBClusterIdentifier": {
     "Ref": "AuroraCluster23D869C0"
    },
    "DBInstanceClass": "db.t3.medium",
    "Engine": "aurora-postgresql",
    "PromotionTier": 0,
    "PubliclyAccessible": false
   },
   "DependsOn": [
    "AuroraVPCAuroraSubnetSubnet1RouteTableAssociation41962FD0",
    "AuroraVPCAuroraSubnetSubnet2RouteTableAssociation76A03163"
   ],
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "ProxyRdsIssueStack/AuroraCluster/writer/Resource"
   }
  },

Marking it as P2 as it won't be addressed by team immediately as it has a workaround.
Thanks for reporting this issue and your insights!

@khushail khushail added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 5, 2024
@khushail khushail removed their assignment Sep 5, 2024
@mergify mergify bot closed this as completed in #31354 Sep 9, 2024
mergify bot pushed a commit that referenced this issue Sep 9, 2024
…en using writer property for database cluster (#31354)

### Issue # (if applicable)

Closes #31304 .

### Reason for this change



Proxy Target Group should depend on and wait for Aurora instances to be ready before creating CloudFormation resource. (see the issue).

Now, the dependency is added when using a legacy `instanceProps`, but not added when using a `writer` property. 

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/proxy.ts#L535-L539

(The cluster has `CfnDBInstance` directly when using the `instanceProps`, but it has `AuroraClusterInstance` with `CfnDBInstance` as `defaultChild` when using the `writer`. So the cluster doesn't have the `CfnDBInstance` directly in the latter case.)

### Description of changes



Added the dependency when using a `writer` property instead of `instanceProps`.

### Description of how you validated changes



Both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

github-actions bot commented Sep 9, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 9, 2024
pahud pushed a commit to pahud/aws-cdk that referenced this issue Sep 9, 2024
…en using writer property for database cluster (aws#31354)

### Issue # (if applicable)

Closes aws#31304 .

### Reason for this change



Proxy Target Group should depend on and wait for Aurora instances to be ready before creating CloudFormation resource. (see the issue).

Now, the dependency is added when using a legacy `instanceProps`, but not added when using a `writer` property. 

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/proxy.ts#L535-L539

(The cluster has `CfnDBInstance` directly when using the `instanceProps`, but it has `AuroraClusterInstance` with `CfnDBInstance` as `defaultChild` when using the `writer`. So the cluster doesn't have the `CfnDBInstance` directly in the latter case.)

### Description of changes



Added the dependency when using a `writer` property instead of `instanceProps`.

### Description of how you validated changes



Both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
xazhao pushed a commit to xazhao/aws-cdk that referenced this issue Sep 12, 2024
…en using writer property for database cluster (aws#31354)

### Issue # (if applicable)

Closes aws#31304 .

### Reason for this change



Proxy Target Group should depend on and wait for Aurora instances to be ready before creating CloudFormation resource. (see the issue).

Now, the dependency is added when using a legacy `instanceProps`, but not added when using a `writer` property. 

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/proxy.ts#L535-L539

(The cluster has `CfnDBInstance` directly when using the `instanceProps`, but it has `AuroraClusterInstance` with `CfnDBInstance` as `defaultChild` when using the `writer`. So the cluster doesn't have the `CfnDBInstance` directly in the latter case.)

### Description of changes



Added the dependency when using a `writer` property instead of `instanceProps`.

### Description of how you validated changes



Both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.