fix(rds): database proxies use ids as their resource names directly (…

…under feature flag) (#23703) fixes #18578 ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 10, 2023 · 03a0f79 · 03a0f79
1 parent 0570e01
commit 03a0f79
Show file tree

Hide file tree

Showing 14 changed files with 1,297 additions and 44 deletions.
diff --git a/packages/@aws-cdk/aws-rds/lib/proxy.ts b/packages/@aws-cdk/aws-rds/lib/proxy.ts
@@ -2,6 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as cdk from '@aws-cdk/core';
+import * as cxapi from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { IDatabaseCluster } from './cluster-ref';
 import { IEngine } from './engine';
@@ -414,7 +415,12 @@ export class DatabaseProxy extends DatabaseProxyBase
   private readonly resource: CfnDBProxy;
 
   constructor(scope: Construct, id: string, props: DatabaseProxyProps) {
-    super(scope, id, { physicalName: props.dbProxyName || id });
+    super(scope, id);
+
+    const physicalName = props.dbProxyName || (
+      cdk.FeatureFlags.of(this).isEnabled(cxapi.DATABASE_PROXY_UNIQUE_RESOURCE_NAME) ?
+        cdk.Names.uniqueResourceName(this, { maxLength: 60 }) : id
+    );
 
     const role = props.role || new iam.Role(this, 'IAMRole', {
       assumedBy: new iam.ServicePrincipal('rds.amazonaws.com'),
@@ -447,7 +453,7 @@ export class DatabaseProxy extends DatabaseProxyBase
           secretArn: _.secretArn,
         };
       }),
-      dbProxyName: this.physicalName,
+      dbProxyName: physicalName,
       debugLogging: props.debugLogging,
       engineFamily: bindResult.engineFamily,
       idleClientTimeout: props.idleClientTimeout?.toSeconds(),

diff --git a/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.assets.json b/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "29.0.0",
   "files": {
-    "4f288f361e05d7a0cadc909ac72cad71f5ffa327848daac454f6f4717925e6fb": {
+    "eade7d2d48419acaec1228343071922ec168779f7a6dd46405c9605c5652b43e": {
       "source": {
         "path": "aws-cdk-rds-proxy.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "4f288f361e05d7a0cadc909ac72cad71f5ffa327848daac454f6f4717925e6fb.json",
+          "objectKey": "eade7d2d48419acaec1228343071922ec168779f7a6dd46405c9605c5652b43e.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.template.json b/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.template.json
@@ -607,7 +607,7 @@
       }
      }
     ],
-    "DBProxyName": "dbProxy",
+    "DBProxyName": "awscdkrdsproxydbProxy0E60A1B7",
     "EngineFamily": "POSTGRESQL",
     "RoleArn": {
      "Fn::GetAtt": [
@@ -651,6 +651,315 @@
      }
     ]
    }
+  },
+  "dbClusterSubnets03B9B0E1": {
+   "Type": "AWS::RDS::DBSubnetGroup",
+   "Properties": {
+    "DBSubnetGroupDescription": "Subnets for dbCluster database",
+    "SubnetIds": [
+     {
+      "Ref": "vpcPrivateSubnet1Subnet934893E8"
+     },
+     {
+      "Ref": "vpcPrivateSubnet2Subnet7031C2BA"
+     }
+    ]
+   }
+  },
+  "dbClusterSecurityGroupCAA1A91F": {
+   "Type": "AWS::EC2::SecurityGroup",
+   "Properties": {
+    "GroupDescription": "RDS security group",
+    "SecurityGroupEgress": [
+     {
+      "CidrIp": "0.0.0.0/0",
+      "Description": "Allow all outbound traffic by default",
+      "IpProtocol": "-1"
+     }
+    ],
+    "VpcId": {
+     "Ref": "vpcA2121C38"
+    }
+   }
+  },
+  "dbClusterSecurityGroupfromawscdkrdsproxyProxyProxySecurityGroup9F179E6FIndirectPortED421002": {
+   "Type": "AWS::EC2::SecurityGroupIngress",
+   "Properties": {
+    "IpProtocol": "tcp",
+    "Description": "Allow connections to the database Cluster from the Proxy",
+    "FromPort": {
+     "Fn::GetAtt": [
+      "dbClusterE86E47AE",
+      "Endpoint.Port"
+     ]
+    },
+    "GroupId": {
+     "Fn::GetAtt": [
+      "dbClusterSecurityGroupCAA1A91F",
+      "GroupId"
+     ]
+    },
+    "SourceSecurityGroupId": {
+     "Fn::GetAtt": [
+      "ProxyProxySecurityGroupC42FC3CE",
+      "GroupId"
+     ]
+    },
+    "ToPort": {
+     "Fn::GetAtt": [
+      "dbClusterE86E47AE",
+      "Endpoint.Port"
+     ]
+    }
+   }
+  },
+  "dbClusterSecretCEA6D7B6": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "Description": {
+     "Fn::Join": [
+      "",
+      [
+       "Generated by the CDK for stack: ",
+       {
+        "Ref": "AWS::StackName"
+       }
+      ]
+     ]
+    },
+    "GenerateSecretString": {
+     "ExcludeCharacters": " %+~`#$&*()|[]{}:;<>?!'/@\"\\",
+     "GenerateStringKey": "password",
+     "PasswordLength": 30,
+     "SecretStringTemplate": "{\"username\":\"postgres\"}"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "dbClusterSecretAttachmentAB67A752": {
+   "Type": "AWS::SecretsManager::SecretTargetAttachment",
+   "Properties": {
+    "SecretId": {
+     "Ref": "dbClusterSecretCEA6D7B6"
+    },
+    "TargetId": {
+     "Ref": "dbClusterE86E47AE"
+    },
+    "TargetType": "AWS::RDS::DBCluster"
+   }
+  },
+  "dbClusterE86E47AE": {
+   "Type": "AWS::RDS::DBCluster",
+   "Properties": {
+    "CopyTagsToSnapshot": true,
+    "DBClusterParameterGroupName": "default.aurora-postgresql14",
+    "DBSubnetGroupName": {
+     "Ref": "dbClusterSubnets03B9B0E1"
+    },
+    "Engine": "aurora-postgresql",
+    "EngineVersion": "14.5",
+    "MasterUsername": {
+     "Fn::Join": [
+      "",
+      [
+       "{{resolve:secretsmanager:",
+       {
+        "Ref": "dbClusterSecretCEA6D7B6"
+       },
+       ":SecretString:username::}}"
+      ]
+     ]
+    },
+    "MasterUserPassword": {
+     "Fn::Join": [
+      "",
+      [
+       "{{resolve:secretsmanager:",
+       {
+        "Ref": "dbClusterSecretCEA6D7B6"
+       },
+       ":SecretString:password::}}"
+      ]
+     ]
+    },
+    "Port": 5432,
+    "VpcSecurityGroupIds": [
+     {
+      "Fn::GetAtt": [
+       "dbClusterSecurityGroupCAA1A91F",
+       "GroupId"
+      ]
+     }
+    ]
+   },
+   "UpdateReplacePolicy": "Snapshot",
+   "DeletionPolicy": "Snapshot"
+  },
+  "dbClusterInstance1BCE092AC": {
+   "Type": "AWS::RDS::DBInstance",
+   "Properties": {
+    "DBClusterIdentifier": {
+     "Ref": "dbClusterE86E47AE"
+    },
+    "DBInstanceClass": "db.t3.medium",
+    "DBSubnetGroupName": {
+     "Ref": "dbClusterSubnets03B9B0E1"
+    },
+    "Engine": "aurora-postgresql"
+   },
+   "DependsOn": [
+    "vpcPrivateSubnet1DefaultRoute1AA8E2E5",
+    "vpcPrivateSubnet1RouteTableAssociation67945127",
+    "vpcPrivateSubnet2DefaultRouteB0E07F99",
+    "vpcPrivateSubnet2RouteTableAssociation007E94D3"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "dbClusterInstance20BA1ECD9": {
+   "Type": "AWS::RDS::DBInstance",
+   "Properties": {
+    "DBClusterIdentifier": {
+     "Ref": "dbClusterE86E47AE"
+    },
+    "DBInstanceClass": "db.t3.medium",
+    "DBSubnetGroupName": {
+     "Ref": "dbClusterSubnets03B9B0E1"
+    },
+    "Engine": "aurora-postgresql"
+   },
+   "DependsOn": [
+    "vpcPrivateSubnet1DefaultRoute1AA8E2E5",
+    "vpcPrivateSubnet1RouteTableAssociation67945127",
+    "vpcPrivateSubnet2DefaultRouteB0E07F99",
+    "vpcPrivateSubnet2RouteTableAssociation007E94D3"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "ProxyIAMRole2FE8AB0F": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "rds.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "ProxyIAMRoleDefaultPolicy59EB0117": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "dbClusterSecretAttachmentAB67A752"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "ProxyIAMRoleDefaultPolicy59EB0117",
+    "Roles": [
+     {
+      "Ref": "ProxyIAMRole2FE8AB0F"
+     }
+    ]
+   }
+  },
+  "ProxyProxySecurityGroupC42FC3CE": {
+   "Type": "AWS::EC2::SecurityGroup",
+   "Properties": {
+    "GroupDescription": "SecurityGroup for Database Proxy",
+    "SecurityGroupEgress": [
+     {
+      "CidrIp": "0.0.0.0/0",
+      "Description": "Allow all outbound traffic by default",
+      "IpProtocol": "-1"
+     }
+    ],
+    "VpcId": {
+     "Ref": "vpcA2121C38"
+    }
+   }
+  },
+  "ProxyCB0DFB71": {
+   "Type": "AWS::RDS::DBProxy",
+   "Properties": {
+    "Auth": [
+     {
+      "AuthScheme": "SECRETS",
+      "IAMAuth": "DISABLED",
+      "SecretArn": {
+       "Ref": "dbClusterSecretAttachmentAB67A752"
+      }
+     }
+    ],
+    "DBProxyName": "cluster-db-proxy",
+    "EngineFamily": "POSTGRESQL",
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "ProxyIAMRole2FE8AB0F",
+      "Arn"
+     ]
+    },
+    "VpcSubnetIds": [
+     {
+      "Ref": "vpcPrivateSubnet1Subnet934893E8"
+     },
+     {
+      "Ref": "vpcPrivateSubnet2Subnet7031C2BA"
+     }
+    ],
+    "RequireTLS": true,
+    "VpcSecurityGroupIds": [
+     {
+      "Fn::GetAtt": [
+       "ProxyProxySecurityGroupC42FC3CE",
+       "GroupId"
+      ]
+     }
+    ]
+   }
+  },
+  "ProxyProxyTargetGroupB462B5C5": {
+   "Type": "AWS::RDS::DBProxyTargetGroup",
+   "Properties": {
+    "DBProxyName": {
+     "Ref": "ProxyCB0DFB71"
+    },
+    "TargetGroupName": "default",
+    "ConnectionPoolConfigurationInfo": {},
+    "DBClusterIdentifiers": [
+     {
+      "Ref": "dbClusterE86E47AE"
+     }
+    ]
+   },
+   "DependsOn": [
+    "dbClusterInstance1BCE092AC",
+    "dbClusterInstance20BA1ECD9",
+    "dbClusterE86E47AE",
+    "dbClusterSecretAttachmentAB67A752",
+    "dbClusterSecretCEA6D7B6",
+    "dbClusterSecurityGroupfromawscdkrdsproxyProxyProxySecurityGroup9F179E6FIndirectPortED421002",
+    "dbClusterSecurityGroupCAA1A91F",
+    "dbClusterSubnets03B9B0E1"
+   ]
   }
  },
  "Parameters": {

diff --git a/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/cdk.out b/packages/@aws-cdk/aws-rds/test/integ.proxy.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"29.0.0"}