Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977

ozggumus-aws · 2024-04-26T14:12:18Z

Describe the bug

I am trying to create a Redshift-managed VPC endpoints in Redshift Serverless workgroup in typescript, but this does not seem to be supported with CDK.

Expected Behavior

CfnWorkgroup construct should have a construct prop where we can assign interface VpcEndpointProperty.

Current Behavior

class CfnWorkgroup (construct) doesnt have the necessary prop so we cant create a redshift managed vpc endpoint using cdk in typescript

Reproduction Steps


        this.cfnWorkgroup = new redshiftserverless.CfnWorkgroup(this, 'Workgroup', {
            workgroupName: props.workgroupName,
            baseCapacity: 32,
            namespaceName: cfnNamespace.namespaceName,
            port: 5439,
            publiclyAccessible: false,
            securityGroupIds: [this.securityGroup.securityGroupId],
            subnetIds: this.redshiftSubnets.subnetIds

        })

        const vpcEndpointProperty: redshiftserverless.CfnWorkgroup.VpcEndpointProperty = {
            networkInterfaces: [{
              subnetId: "subnet-XXXXX", // can be changed later
            }],
            vpcId: props.vpc.vpcId,
          };

        //  The code below doesnt work
        // this.cfnWorkgroup.addOverride('workgroup.vpcEndpoint', vpcEndpointProperty);

Possible Solution

construct prop for interface VpcEndpointProperty

Additional Information/Context

No response

CDK CLI Version

2.139.0

Framework Version

No response

Node.js Version

v21.3.0

OS

14.4.1

Language

TypeScript

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

ashishdhingra · 2024-04-26T21:33:12Z

@ozggumus-aws Good afternoon. Please suggest if you are getting any error when synthesizing your CDK code.

AWS::RedshiftServerless::Workgroup resource does include an Endpoint attribute that you can reference. This Endpoint attribute is part of the properties of the Workgroup resource. Per https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-redshiftserverless-workgroup-endpoint.html, you could specify VpcEndpoints as part of AWS::RedshiftServerless::Workgroup Workgroup Endpoint property.

Using the below CDK code (for demonstration purposes only):

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as redshiftserverless from 'aws-cdk-lib/aws-redshiftserverless';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as secretmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as kms from 'aws-cdk-lib/aws-kms';

export class Issue29977RedshiftStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'RedshiftVPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
      maxAzs: 2,
    });

    const redshiftserverlessSecurityGroup = new ec2.SecurityGroup(this, 'RedshiftServerlessSecurityGroup', {
      vpc: vpc
    });

    const redshiftserverlessAdminSecret = new secretmanager.Secret(this, 'RedshiftserverlessAdminSecret', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: 'admin'}),
        generateStringKey: 'password',
        excludeCharacters: '/@"\\\'',
        passwordLength: 32
      }
    });

    const redshiftserverlessKmsKey = new kms.Key(this, 'RedshiftserverlessKmsKey', {
      enabled: true,
      enableKeyRotation: true
    });

    const redshiftserverlessNamespaceRole = new iam.Role(this, 'RedshiftServerlessNamespaceRole', {
      assumedBy: new iam.CompositePrincipal(
        new iam.ServicePrincipal('sagemaker.amazonaws.com'),
        new iam.ServicePrincipal('redshift.amazonaws.com'),
        new iam.ServicePrincipal('redshift-serverless.amazonaws.com')
      ),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonRedshiftAllCommandsFullAccess')
      ]
    });

    redshiftserverlessNamespaceRole.addToPolicy(
      new iam.PolicyStatement({
        actions: [
          "s3:GetObject",
          "s3:GetBucketAcl"
        ],
        effect: iam.Effect.ALLOW,
        resources: [
          "arn:aws:s3:::redshift/*",
          "arn:aws:s3:::redshift"
        ]
      })
    );

    const cfnNamespace = new redshiftserverless.CfnNamespace(this, 'RedshiftServerlessNamespace', {
      namespaceName: 'default',
      adminUsername: redshiftserverlessAdminSecret.secretValueFromJson('username').unsafeUnwrap(),
      adminUserPassword: redshiftserverlessAdminSecret.secretValueFromJson('password').unsafeUnwrap(),
      dbName: 'dev',
      defaultIamRoleArn: redshiftserverlessNamespaceRole.roleArn,
      iamRoles: [redshiftserverlessNamespaceRole.roleArn],
      kmsKeyId: redshiftserverlessKmsKey.keyId,
      logExports: ['userlog','connectionlog','useractivitylog']

    });

    const cfnWorkgroup = new redshiftserverless.CfnWorkgroup(this, 'Workgroup', {
      workgroupName: 'workgroupName',

      // the properties below are optional
      baseCapacity: 32,
      configParameters: [{
        parameterKey: 'parameterKey',
        parameterValue: 'parameterValue',
      }],
      enhancedVpcRouting: true,
      maxCapacity: 32,
      namespaceName: cfnNamespace.namespaceName,
      //port: 123,
      publiclyAccessible: false,
      securityGroupIds: [redshiftserverlessSecurityGroup.securityGroupId],
      subnetIds: vpc.selectSubnets({subnetGroupName: 'Private'}).subnetIds,
    });

    const vpcEndpointProperty: redshiftserverless.CfnWorkgroup.VpcEndpointProperty = {
      networkInterfaces: [{
        subnetId: "subnet-XXXXX", // can be changed later
      }],
      vpcId: vpc.vpcId,
    };
    
    cfnWorkgroup.addOverride('Endpoint.VpcEndpoints', [vpcEndpointProperty]);
    cfnWorkgroup.addDependency(cfnNamespace);
  }
}

Running cdk synth successfully generated the below template:

Resources:
...
...
  RedshiftServerlessNamespace:
    Type: AWS::RedshiftServerless::Namespace
    Properties:
      AdminUserPassword:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: RedshiftserverlessAdminSecret20CA274D
            - :SecretString:password::}}
      AdminUsername:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: RedshiftserverlessAdminSecret20CA274D
            - :SecretString:username::}}
      DbName: dev
      DefaultIamRoleArn:
        Fn::GetAtt:
          - RedshiftServerlessNamespaceRole433DCFA2
          - Arn
      IamRoles:
        - Fn::GetAtt:
            - RedshiftServerlessNamespaceRole433DCFA2
            - Arn
      KmsKeyId:
        Ref: RedshiftserverlessKmsKeyAB9F3897
      LogExports:
        - userlog
        - connectionlog
        - useractivitylog
      NamespaceName: default
    Metadata:
      aws:cdk:path: Issue29977RedshiftStack/RedshiftServerlessNamespace
  Workgroup:
    Type: AWS::RedshiftServerless::Workgroup
    Properties:
      BaseCapacity: 32
      ConfigParameters:
        - ParameterKey: parameterKey
          ParameterValue: parameterValue
      EnhancedVpcRouting: true
      MaxCapacity: 32
      NamespaceName: default
      PubliclyAccessible: false
      SecurityGroupIds:
        - Fn::GetAtt:
            - RedshiftServerlessSecurityGroup47F26F9E
            - GroupId
      SubnetIds:
        - Ref: RedshiftVPCPrivateSubnet1Subnet5DDEC5B3
        - Ref: RedshiftVPCPrivateSubnet2Subnet520D5025
      WorkgroupName: workgroupName
    DependsOn:
      - RedshiftServerlessNamespace
    Metadata:
      aws:cdk:path: Issue29977RedshiftStack/Workgroup
    Endpoint:
      VpcEndpoints:
        - networkInterfaces:
            - subnetId: subnet-XXXXX
            - subnetId: test
          vpcId:
            Ref: RedshiftVPCA4DF34BB
...
...

Thanks,
Ashish

github-actions · 2024-04-29T00:16:16Z

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

ashishdhingra · 2024-04-29T17:28:10Z

Internal tracking: P127889658

ashishdhingra · 2024-05-02T17:45:06Z

@ozggumus-aws Good morning. I got an update from CDK team. From CloudFormation perspective, to create Redshift-managed VPC endpoints, the property EnhancedVpcRouting needs to be set True.

When this is true, the resource type will create VPC resource for RedShift Workgroup in back-end, in another word, this is not something explicit can be specified and configured with CloudFormtion template.

With EnhancedVpcRouting set to True, other part of CFN template can use Fn::GetAtt to retrieve the workgroup's VPC endpoint information.

Thanks,
Ashish

github-actions · 2024-05-04T20:05:27Z

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

ozggumus-aws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 26, 2024

github-actions bot added the @aws-cdk/aws-athena Related to AWS Athena label Apr 26, 2024

ozggumus-aws changed the title ~~aws_redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working~~ Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working Apr 26, 2024

ashishdhingra self-assigned this Apr 26, 2024

ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 26, 2024

ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-reproduction This issue needs reproduction. labels Apr 26, 2024

github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Apr 29, 2024

github-actions bot mentioned this issue Apr 29, 2024

Weekly issue metrics report #29993

Closed

github-actions bot mentioned this issue May 1, 2024

Monthly issue metrics report #30025

Closed

ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 2, 2024

github-actions bot closed this as completed May 10, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977

Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977

ozggumus-aws commented Apr 26, 2024 •

edited

ashishdhingra commented Apr 26, 2024

github-actions bot commented Apr 29, 2024

ashishdhingra commented Apr 29, 2024 •

edited

ashishdhingra commented May 2, 2024

github-actions bot commented May 4, 2024

Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977

Redshiftserverless.CfnWorkgroup.VpcEndpointProperty: creation of Redshift-managed VPC endpoints not working #29977

Comments

ozggumus-aws commented Apr 26, 2024 • edited

Describe the bug

Expected Behavior

Current Behavior

Reproduction Steps

Possible Solution

Additional Information/Context

CDK CLI Version

Framework Version

Node.js Version

OS

Language

Language Version

Other information

ashishdhingra commented Apr 26, 2024

github-actions bot commented Apr 29, 2024

ashishdhingra commented Apr 29, 2024 • edited

ashishdhingra commented May 2, 2024

github-actions bot commented May 4, 2024

ozggumus-aws commented Apr 26, 2024 •

edited

ashishdhingra commented Apr 29, 2024 •

edited