aws-redshift-alpha: create method that adds IAM role to cluster

[sean-beath]

Describe the feature

Create a method that will allow users to add an IAM role to an already created cluster. This would allow a user to do the following:
myCluster.add_role(myRole)

Use Case

I'm always frustrated when I can't add a role to an already created cluster, and instead need to add it to the cluster on creation.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.25.0a0

Environment details (OS name and version, etc.)

MacOS Monterey 12.5

[indrora]

If I'm understanding you right, you want to import an extant cluster and add a role to it?

If that's the case, imported resources can't easily be modified with CloudFormation: CloudFormation can't directly modify an already extant, referenced resource. However, since AWS Redshift has an API call that you can use to modify an extant role set, you can use a Custom Resource to do your work.

Using the API Call custom resource and the ModifyCluster API method, you should be able to do what you're looking to do.

[Rizxcviii]

@indrora I understood this differently. I think what @sean-beath is referring to is the ability to add roles, after initially declaring a new cluster WITHIN the code, not using an import function. I've come across the issue before to attach multiple roles to the cluster after declaring it within the code.

[sean-beath]

The functionality I am referring to here more closely aligns with @Rizxcviii however I believe the functionality would need to be implemented using an AWSCustomResource as mentioned by @indrora

Desired functionaility:

role1 = iam.Role(self, "role1", assumed_by=iam.ServicePrincipal("redshift.amazonaws.com"))
myCluster = redshift.Cluster(self, "myCluster", roles[role1])

role2 = iam.Role(self, "role2", assumed_by=iam.ServicePrincipal("redshift.amazonaws.com"))
myCluster.add_iam_role(role2) # OR myCluster.add_iam_role([role2,...])

I've recently created a PR for default roles on Redshift so I believe it would follow a similar format.

Pseudocode for add_iam_role:

if number of roles > limit or roles on cluster
    then throw error
else
    Create new custom resource that will:
        add iam role to cluster on update
        remove iam role from cluster on delete

[comcalvi]

@sean-beath I'm not sure I understand the ask here.

You can already modify the IAM resources on a created Cluster, you just need to modify the constructor, eg:

const cluster = new Cluster(this, 'Redshift', {
  roles: [new iam.Role(...)],
  ...,
});

you can create the addRole() as a convenience, but it shouldn't be blocking.

More importantly, why the custom resource? Why do you need the custom resource to manage the roles?

[Rizxcviii]

@comcalvi I've personally had this issue, where within another stack, I would create an IAM role for another resource. However the resource would need to access the redshift cluster. Therefore, I would have to declare the role (for the other resource) within the stack where the redshift cluster resides. I would then have to import it into the second stack and use it for the resource. This is where the 'issue' resides for me personally. It would be good to have this method available to use, but only if it does not block.

In regards to the custom resource, I believe that would be the only way to allow for modification of the IAM roles that can interact with the redshift cluster. Unless there is a better way to achieve this?

[comcalvi]

why do you need to import the cluster? You can export the role you need to the cluster, eg:

lib:

export interface ClusterStackProps extends cdk.StackProps {
  role: iam.IRole,
}

export class LambdaStack extends cdk.Stack {
  public readonly role: iam.IRole;
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const func = new lambda.Function(this, 'function', {
      code: lambda.Code.fromInline(''),
      runtime: lambda.Runtime.DOTNET_6,
      handler: 'index.handler',
    });

    this.role = func.role!;
  }
}

export class ClusterStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: ClusterStackProps) {
    super(scope, id, props);

    const cluster = new redshift.Cluster(this, 'cluster', {
      vpc: new ec2.Vpc(this, 'vpc'),
      masterUser: {
        masterUsername: 'admin',
      },
      roles: [
        props.role
      ]
    });
  }
}

bin:

const app = new cdk.App();
const lambdaStack = new LambdaStack(app, 'ApiStack', );
const role = lambdaStack.role;

new ClusterStack(app, 'ClusterStack', {
  role,
});

[Rizxcviii]

Interesting, would this implementation work if the ClusterStack was created first, and thereafter the LambdaStack was created after?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.