[neptune] AssociatedRoles for CfnDBCluster #10224

Closed
2 tasks
namedgraph opened this issue Sep 7, 2020 · 15 comments
@namedgraph

namedgraph commented Sep 7, 2020

AssociatedRoles is now supported by CF templates for Amazon Neptune, but not available in the CDK (as of v1.62.0).

Use Case

Associating an IAM role with a Neptune CfnDBCluster.

Proposed Solution

Should be possible as AssociatedRoles is available for other types of DBCluster.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@namedgraph namedgraph added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 7, 2020
@SomayaB SomayaB changed the title [software.amazon.awscdk/neptune] AssociatedRoles for CfnDBCluster [neptune] AssociatedRoles for CfnDBCluster Sep 8, 2020
@github-actions github-actions bot added the @aws-cdk/aws-neptune Related Amazon Neptune label Sep 8, 2020
@njlynch
Contributor

njlynch commented Sep 10, 2020

This is being done as part of #10201. Closing this out as a duplicate.

@njlynch njlynch closed this as completed Sep 10, 2020
@namedgraph
Author

@njlynch so when is this going to be released?

I see CfnDBCluster::setAssociatedRoles in the documentation, but the method is not available in the latest CDK version 1.63.0.

@njlynch
Contributor

njlynch commented Sep 28, 2020

@namedgraph - This was released in 1.64.0 (released 2020-09-22).

@namedgraph
Author

Thanks!

@namedgraph
Author

namedgraph commented Sep 28, 2020

@njlynch I'm getting a circular reference error when attempting to assign an associated role to a Neptune cluster:

Caused by: software.amazon.jsii.JsiiException: Resolution error: Resolution error: Unable to resolve object tree with circular reference. Path:
/Resources/${Token[CdkTestStack.NeptuneCluster.LogicalID.157]}/Properties/associatedRoles/0/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host..

What could be the problem?

Role code:

Role bulkLoaderRole = new Role(this, "RDFBulkLoaderRole", RoleProps.builder().
        assumedBy(new ServicePrincipal("rds.amazonaws.com")).
        build());
bulkLoaderRole.addToPolicy(PolicyStatement.Builder.create().
        effect(Effect.ALLOW).
        actions(Arrays.asList("s3:Get*", "s3:List*")).
        resources(Arrays.asList("*")).
        build());

Cluster code:

return CfnDBCluster.Builder.create(this, "NeptuneCluster").
        dbSubnetGroupName(subnetGroup.getDbSubnetGroupName()).
        vpcSecurityGroupIds(securityGroups).
        associatedRoles(Arrays.asList(bulkLoaderRole)).
        dbClusterIdentifier("OctopusTriplestoreCluster").
        iamAuthEnabled(Boolean.TRUE).
        deletionProtection(Boolean.TRUE).
        engineVersion("1.0.2.2").
        availabilityZones(getAvailabilityZones()).
        port(8182).
        deletionProtection(false).
        //enableCloudwatchLogsExports(securityGroups).
        build();

@njlynch
Contributor

njlynch commented Sep 28, 2020

Caused by: software.amazon.jsii.JsiiException: Resolution error: Resolution error: Unable to resolve object tree with circular reference. Path:
/Resources/${Token[CdkTestStack.NeptuneCluster.LogicalID.157]}/Properties/associatedRoles/0/node/host/node/host/node/host/node/host/...

That repeating '/node/host/node/host' is certainly suspect. I'm not seeing anything from your code above. I suspect the issue lies somewhere in the translation from bulkLoaderRole to associatedRole in the cluster code. Do you have any constructs/nodes named 'host' there, and/or referencing the 'host' property of another construct?

@namedgraph
Author

namedgraph commented Sep 28, 2020

The only related code that I can see is the following -- which I commented out, but still get the same error:

//        String neptuneHost = Token.asString("https://" + neptune.getAttrEndpoint() + ":" + neptune.getAttrPort());

        Function bulkLoader = bulkLoader(vpc, neptuneSg);
//        bulkLoader.addEnvironment("ENDPOINT_URI", neptuneHost).
//                addEnvironment("FORMAT", "ntriples").
//                addEnvironment("IAM_ROLE_ARN", bulkLoaderRole.getRoleArn()).
//                addEnvironment("REGION", getRegion());

@namedgraph
Author

I can try to make a minimal case if that helps. So far the only way to get rid of the error is to remove the associatedRoles() call from the cluster.

@njlynch
Contributor

njlynch commented Sep 28, 2020

Sure, a minimal case would be useful.

@njlynch njlynch reopened this Sep 28, 2020
@njlynch njlynch added guidance Question that needs advice or information. and removed feature-request A feature should be added or improved. labels Sep 28, 2020
@namedgraph
Author

namedgraph commented Sep 28, 2020

@njlynch here you go: https://github.com/namedgraph/neptune-cdk-test/blob/master/src/main/java/com/myorg/NeptuneCdkTestStack.java

I hope it's enough to demonstrate the problem (running cdk synth leads to the Resolution error: Unable to resolve object tree with circular reference.). Very possibly something's wrong in my code, but I just cannot spot it.

@namedgraph
Author

@njlynch can you confirm?

@SomayaB SomayaB added needs-reproduction This issue needs reproduction. investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 30, 2020
@njlynch
Contributor

njlynch commented Sep 30, 2020

Ah, I see it now.

tl;dr - Here's the fix to your code:

CfnDBCluster.DBClusterRoleProperty clusterRole = new CfnDBCluster.DBClusterRoleProperty.Builder().
    roleArn(associatedRole.getRoleArn()).
    build();

return CfnDBCluster.Builder.create(this, "NeptuneCluster").
    // ...
    associatedRoles(Arrays.asList(clusterRole)).
    // ...
    build();

The associated roles isn't just an IAM Role, it's a specific type expected by CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html#cfn-neptune-dbcluster-associatedroles

The Java docs are not helpful here, showing the type of associatedRoles as java.util.List<? extends java.lang.Object>.
https://docs.aws.amazon.com/cdk/api/latest/java/software/amazon/awscdk/services/neptune/CfnDBCluster.Builder.html#associatedRoles-java.util.List- . What it should be is java.util.List<CfnDBCluster.DBClusterRoleProperty>.
https://docs.aws.amazon.com/cdk/api/latest/java/software/amazon/awscdk/services/neptune/CfnDBCluster.DBClusterRoleProperty.html

If you look at the TypeScript or Python docs, you'll see slightly more helpful types:

  • TypeScript - Type: IResolvable | DBClusterRoleProperty | IResolvable[]
  • Python - Union[IResolvable, List[Union[DBClusterRoleProperty, IResolvable]], None]

I am really intrigued by the bad error message you got, and by the poor Java docs in this example. I'll follow up on our jsii project -- responsible for both -- and see if we can't make some improvements.

Either way, hopefully this gets you up and running now.
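
The typing gap described above, as an added example (not code from this thread or from the CDK project): a typed helper converts IAM roles into CfnDBCluster.DBClusterRoleProperty entries, so the compiler catches what associatedRoles(List<? extends Object>) does not. The stack class, the bucket name and the toClusterRoles helper are hypothetical, and the bucket-scoped grantRead is an assumption about where the bulk-load data lives.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.services.iam.IRole;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
import software.amazon.awscdk.services.neptune.CfnDBCluster;
import software.amazon.awscdk.services.s3.Bucket;
import software.amazon.awscdk.services.s3.IBucket;

// Hypothetical stack, written against the CDK v1 Java packages used in this thread.
public class NeptuneRoleExampleStack extends Stack {

    public NeptuneRoleExampleStack(final Construct scope, final String id) {
        super(scope, id);

        // Assumption: the bulk-load data lives in one existing bucket (placeholder name).
        IBucket loadBucket = Bucket.fromBucketName(this, "LoadBucket", "example-bulk-load-bucket");

        Role bulkLoaderRole = Role.Builder.create(this, "RDFBulkLoaderRole")
                .assumedBy(new ServicePrincipal("rds.amazonaws.com"))
                .build();
        // Read access scoped to that bucket instead of s3:Get*/s3:List* on "*".
        loadBucket.grantRead(bulkLoaderRole);

        CfnDBCluster.Builder.create(this, "NeptuneCluster")
                .iamAuthEnabled(Boolean.TRUE)
                .port(8182)
                .associatedRoles(toClusterRoles(Arrays.asList(bulkLoaderRole)))
                .build();
    }

    // associatedRoles(List<? extends Object>) accepts anything at compile time, so a
    // raw Role only fails at synth. This typed helper makes the compiler reject
    // anything that is not an IAM role and emits the CloudFormation shape instead.
    static List<CfnDBCluster.DBClusterRoleProperty> toClusterRoles(final List<? extends IRole> roles) {
        return roles.stream()
                .map(role -> CfnDBCluster.DBClusterRoleProperty.builder()
                        .roleArn(role.getRoleArn())
                        .build())
                .collect(Collectors.toList());
    }
}
```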

@njlynch njlynch added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-reproduction This issue needs reproduction. labels Sep 30, 2020
@RomainMuller
Contributor

This is type-union-induced, hence this RFC is relevant: aws/aws-cdk-rfcs#193

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 1, 2020
@njlynch
Contributor

njlynch commented Oct 5, 2020

I'm closing this out, as it seems to be resolved; feel free to comment/re-open if you have any other follow-ups. The fixes to the messaging and docs are being tracked as part of the above RFC.

@njlynch njlynch closed this as completed Oct 5, 2020