fix: specifying writer on DatabaseCluster publiclyAccessable is ignor…

…ed for clusters in a public subnet

packages/aws-cdk-lib/aws-rds/lib/aurora-cluster-instance.ts

@@ -450,11 +450,11 @@ class AuroraClusterInstance extends Resource implements IAuroraClusterInstance {
 
     const isOwnedResource = Resource.isOwnedResource(props.cluster);
     let internetConnected;
-    let publiclyAccessible = props.publiclyAccessible;
+    let publiclyAccessible;
     if (isOwnedResource) {
       const ownedCluster = props.cluster as DatabaseCluster;
       internetConnected = ownedCluster.vpc.selectSubnets(ownedCluster.vpcSubnets).internetConnectivityEstablished;
-      publiclyAccessible = ownedCluster.vpcSubnets && ownedCluster.vpcSubnets.subnetType === ec2.SubnetType.PUBLIC;
+      publiclyAccessible = props.publiclyAccessible ?? (ownedCluster.vpcSubnets && ownedCluster.vpcSubnets.subnetType === ec2.SubnetType.PUBLIC);
     }
 
     // Get the actual subnet objects so we can depend on internet connectivity.

packages/aws-cdk-lib/aws-rds/test/cluster.test.ts

@@ -3700,6 +3700,29 @@ describe('cluster', () => {
     });
   });
 
+  test('can set public accessibility to false on writer instance with cluster in public subnet', () => {
+    // GIVEN
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    // WHEN
+    new DatabaseCluster(stack, 'Database', {
+      engine: DatabaseClusterEngine.AURORA,
+      writer: ClusterInstance.serverlessV2('writer', {
+        publiclyAccessible: false,
+      }),
+      vpc,
+      vpcSubnets: {
+        subnetType: ec2.SubnetType.PUBLIC,
+      },
+    });
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::RDS::DBInstance', {
+      Engine: 'aurora',
+      PubliclyAccessible: false,
+    });
+  });
+
   test('database cluster instances in public subnet should by default have publiclyAccessible set to true', () => {
     // GIVEN
     const stack = testStack();