
test(api): restrict e2e rds instances public access #1875

Merged: 11 commits from fix-e2e-public-access into feature/rds-support-preview2, Sep 25, 2023

Conversation

sundersc (Contributor) commented Sep 20, 2023

Description of changes

  1. Restrict the inbound security group rule added by the E2E tests to a smaller CIDR range (for example x.y.0.0/16). The ports are now open only for the very short time needed to execute the initial DDLs that create the tables; the total time the port is kept open has decreased from an average of 15 minutes to less than 5 seconds.

  2. Fix the SSM read-parameter timeout issue. Instead of throwing an exception from the wait method, it now returns a string which is used to determine whether to throw an error or not. (This avoids incorrectly logging the exception message in the CloudWatch logs.)

CDK / CloudFormation Parameters Changed

NA

Issue #, if available

NA

Description of how you validated changes

  • Manual test.
  • E2E test in local.

Checklist

  • PR description included
  • yarn test passes
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

sundersc requested a review from a team as a code owner, September 20, 2023 22:25
sundersc changed the title from "Fix e2e public access" to "test(api): restrict e2e rds instances public access", Sep 20, 2023
palpatim (Member) left a comment:

A lot of repetition in the setup code, any chance to centralize & reuse?

sundersc (Contributor, Author) replied:

A lot of repetition in the setup code, any chance to centralize & reuse?

Addressed it. Moved the complete database setup and port opening logic to the E2E core.

Inline review comment on the following diff context:

    export const getIpRanges = async (): Promise<string[]> => {
      return Promise.all(
        [IPIFY_URL, AWSCHECKIP_URL].map(async (url) => {
palpatim (Member):

On my workstation, I get the same result from both services. We should dedupe the result set so we don't create multiple rules with the same IP ranges.

sundersc (Contributor, Author):

Are you connected to VPN? If yes, then the IPs would differ. We can't create a duplicate rule. If there is already an entry, the second API call would fail and we ignore the error.

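The approach described in the PR description (scope the temporary ingress rule to the caller's x.y.0.0/16 and keep the port open only around the DDL step) and the dedupe / duplicate-rule discussion in the review thread above, as an added TypeScript example. This is not code from the PR or the project: the EC2 AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress calls are replaced by a synchronous in-memory stand-in so it runs offline, the security group id and the three sample IP addresses are constructed, and revoking a rule that was reported as a duplicate (rather than leaving it in place) is a design choice of this example, not something the PR states. The `InvalidPermission.Duplicate` code is the error EC2 returns when an identical rule already exists.

```typescript
// Added example (not the PR's or the project's code): scope an e2e test's
// temporary security-group ingress to the caller's x.y.0.0/16, request one rule
// per distinct range, open the port only around the DDL step, and always revoke.
export interface IngressRule {
  cidrIp: string;
  fromPort: number;
  toPort: number;
}

// Stand-in for EC2 AuthorizeSecurityGroupIngress / RevokeSecurityGroupIngress.
// Synchronous so the example runs offline; the real SDK calls would be awaited.
export interface SecurityGroupClient {
  authorize(groupId: string, rule: IngressRule): void;
  revoke(groupId: string, rule: IngressRule): void;
}

// Error code EC2 returns when the requested ingress rule already exists.
export const DUPLICATE_RULE_CODE = 'InvalidPermission.Duplicate';

// Collapse a public IPv4 address to the /16 the PR describes (x.y.0.0/16).
export const toSlash16 = (ip: string): string => {
  const octets = ip.trim().split('.');
  const valid = octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return `${octets[0]}.${octets[1]}.0.0/16`;
};

// Two lookup services usually report the same address when no VPN is in play;
// dedupe so only one rule per /16 is requested.
export const toCidrRanges = (ips: string[]): string[] =>
  ips.map(toSlash16).filter((cidr, i, all) => all.indexOf(cidr) === i);

const isDuplicateRule = (err: unknown): boolean =>
  typeof err === 'object' && err !== null && (err as { code?: string }).code === DUPLICATE_RULE_CODE;

// Open `port` for the caller's ranges, run `work` (the DDL step) and revoke on
// every exit path. A duplicate-rule error counts as "already open"; the rule is
// still revoked afterwards, which also cleans up a rule leaked by an earlier
// aborted run (a choice of this example, not something the PR states).
export const withTemporaryIngress = <T>(
  client: SecurityGroupClient,
  groupId: string,
  port: number,
  callerIps: string[],
  work: () => T,
): T => {
  const rules: IngressRule[] = toCidrRanges(callerIps).map((cidrIp) => ({ cidrIp, fromPort: port, toPort: port }));
  const opened: IngressRule[] = [];
  try {
    for (const rule of rules) {
      try {
        client.authorize(groupId, rule);
      } catch (err) {
        if (!isDuplicateRule(err)) {
          throw err;
        }
      }
      opened.push(rule);
    }
    return work();
  } finally {
    for (const rule of opened) {
      client.revoke(groupId, rule);
    }
  }
};

// In-memory security group used to exercise the helper offline (constructed, not AWS).
export class FakeSecurityGroup implements SecurityGroupClient {
  private readonly open: { [key: string]: true } = {};
  readonly log: string[] = [];
  private key(groupId: string, r: IngressRule): string {
    return `${groupId}/${r.cidrIp}/${r.fromPort}-${r.toPort}`;
  }
  openRuleCount(): number {
    return Object.keys(this.open).length;
  }
  authorize(groupId: string, rule: IngressRule): void {
    const k = this.key(groupId, rule);
    if (this.open[k]) {
      this.log.push(`authorize ${rule.cidrIp}: duplicate`);
      const err: any = new Error('the specified rule already exists');
      err.code = DUPLICATE_RULE_CODE;
      throw err;
    }
    this.open[k] = true;
    this.log.push(`authorize ${rule.cidrIp}`);
  }
  revoke(groupId: string, rule: IngressRule): void {
    delete this.open[this.key(groupId, rule)];
    this.log.push(`revoke ${rule.cidrIp}`);
  }
}

// Scenario from the review thread with constructed sample IPs: two lookups that
// land in the same /16 (a workstation), one VPN egress address, and a group that
// still carries a rule leaked by an earlier run. The group id is hypothetical.
export const runDemo = () => {
  const sg = new FakeSecurityGroup();
  const groupId = 'sg-0123456789abcdef0';
  const ips = ['203.0.113.10', '203.0.113.77', '198.51.100.5']; // RFC 5737 TEST-NET addresses
  sg.authorize(groupId, { cidrIp: '203.0.0.0/16', fromPort: 5432, toPort: 5432 }); // leaked rule
  const openDuringDdl = withTemporaryIngress(sg, groupId, 5432, ips, () => sg.openRuleCount());
  const openAfterSuccess = sg.openRuleCount();
  let ddlErrorPropagated = false;
  try {
    withTemporaryIngress(sg, groupId, 5432, ips, (): void => {
      throw new Error('DDL failed');
    });
  } catch (err) {
    ddlErrorPropagated = true;
  }
  return { cidrs: toCidrRanges(ips), openDuringDdl, openAfterSuccess, openAfterFailure: sg.openRuleCount(), ddlErrorPropagated, log: sg.log };
};
```

The `finally` block is the part that matters for exposure time: whether the DDL step succeeds or throws, the rules are revoked before control returns, so a failing test cannot leave the database port reachable from the caller's /16 for the remainder of the run.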
sundersc merged commit edc7eaa into feature/rds-support-preview2, Sep 25, 2023
6 of 7 checks passed
sundersc deleted the fix-e2e-public-access branch, September 25, 2023 19:30
3 participants