feat(redshift): support default role for redshift clusters #23554
Conversation
|
|
github-actions
bot
added
p2
repeat-contributor
github-actions
bot
added
effort/small
sean-beath
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
There was a problem hiding this comment.
Overall seems pretty good, but given we would be adding a custom resource to this construct, I'd like to see unit testing, as well as integ testing. If we did execute on the default role list I mention in the comments instead of default role, I'd like to see error checking to ensure it doesn't go over 10. May need to do this anyway but I'm not sure how this works with previously provisioned clusters.
Unit tests could just be added here https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-redshift/lib/cluster.ts
| }), | ||
| }); | ||
|
|
||
| defaultIamRole.grantPassRole(defaultRoleCustomeResource.grantPrincipal); |
There was a problem hiding this comment.
I don't see why this wouldn't be a valid use case for using a custom resource, and I like the functionality of the design, but just to be pedantic gonna verify with another team member.
There was a problem hiding this comment.
I would have expected not to require this line, but was facing an error when it wasn't included.
| * @param defaultIamRole the IAM role to be set as the default role | ||
| */ | ||
| public addDefaultIamRole(defaultIamRole: iam.IRole): void { | ||
| const defaultRoleCustomeResource = new AwsCustomResource(this, 'default-role', { |
There was a problem hiding this comment.
why is there an e in custom here? Can we change this to be just "Custom"?
There was a problem hiding this comment.
Fixed spelling mistake
| * | ||
| * @default - No default role is attached to the cluster. | ||
| */ | ||
| readonly defaultRole?: iam.IRole; |
There was a problem hiding this comment.
I'm absolutely fine with keeping this as a singleton, but given the roles prop is a list could this not also be a list? Is there a reason why a default singleton role would be preferable over a potential list of default roles?
There was a problem hiding this comment.
Redshift only allows the one default role per cluster.
Assume your cluster has two IAM roles (role1 and role2). If role1 is default and then you modify the cluster to make role2 the default, role1 will still be a role for the cluster but no longer the default role.
| }); | ||
| ``` | ||
|
|
||
| A default role can also be added to a cluster using the `addDefaultIamRole` method. |
There was a problem hiding this comment.
Might be misunderstanding but can this be added to an already existing cluster? If so is there a possibility this default role could attempt to append an 11th role to an existing cluster and then go over 10?
There was a problem hiding this comment.
The way this is set up it could be added to an already existing cluster which would push the number of IAM roles to more than 10. It's interesting that this limit has been imposed as for most regions the role limit for a cluster is 50. Is there a way to make this limit region specific?
I'll try to find a way to check the total number of roles before adding the default role.
There was a problem hiding this comment.
It's also interesting that there doesn't seem to be a check for the IAM role list to make sure there's less than 10 - should this be added?
There was a problem hiding this comment.
I am thinking of changing the functionality so that the default role needs to be defined in the roles parameter on cluster creation, or already attached to the cluster if adding post-creation. This would remove the need to check for the total number of IAM roles and I think would reflect better practice.
What are your thoughts?
There was a problem hiding this comment.
I've now changed the behaviour so that the method will check to see if the role is already associated to the cluster, if it is not then an error will be thrown. This will stop the max roles being exceeded.
|
Also this is more a question for myself as well. How should we note that this custom resource functionality should be replaced when the cfn redshift cluster adds support for this. Another issue? Will sync with another engineer on that as well |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
HBobertz’s stale review
Pull request has been modified.
|
@HBobertz - the build has failed due to a change in the integ test that is being created with this PR (integ.cluster-defaultiamrole) - is there something specific that needs to be done here? |
|
@sean-beath run |
|
@HBobertz - any movement on this PR? |
|
If I remember correctly it will need to be merged from live again. I'll double check it and approve tommorow. I pulled it down and I think an integ test was failing due to a recent change, I don't think the pr will need to be changed though. Either way I'll let you know |
| }); | ||
| ``` | ||
|
|
||
| A default role can also be added to a cluster using the `addDefaultIamRole` method. |
mergify
bot
dismissed
HBobertz’s stale review
Pull request has been modified.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
PR was merged manually without squash
Redshift clusters have the ability to specify a default role for the cluster. This is not currently available as a feature in CloudFormation so requires a AwsCustomResource to be done at runtime.
This feature allows users to specify a default role at cluster creation or post-cluster creation.
closes #22551
All Submissions:
Adding new Construct Runtime Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license