diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index fa3375fb4d0d1..78d58f64041ec 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -639,7 +639,7 @@ declare const vpc: ec2.Vpc; const cluster = new rds.ServerlessCluster(this, 'AnotherCluster', { engine: rds.DatabaseClusterEngine.AURORA_MYSQL, - vpc, + vpc, // this parameter is optional for serverless Clusters enableDataApi: true, // Optional - will be automatically set if you call grantDataApiAccess() }); @@ -659,3 +659,11 @@ cluster.grantDataApiAccess(fn); **Note**: To invoke the Data API, the resource will need to read the secret associated with the cluster. To learn more about using the Data API, see the [documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html). + +### Default VPC + +The `vpc` parameter is optional. + +If not provided, the cluster will be created in the default VPC of the account and region. +As this VPC is not deployed with AWS CDK, you can't configure the `vpcSubnets`, `subnetGroup` or `securityGroups` of the Aurora Serverless Cluster. +If you want to provide one of `vpcSubnets`, `subnetGroup` or `securityGroups` parameter, please provide a `vpc`. diff --git a/packages/@aws-cdk/aws-rds/lib/serverless-cluster.ts b/packages/@aws-cdk/aws-rds/lib/serverless-cluster.ts index 0365bfd98c9e9..955b92ac58e5f 100644 --- a/packages/@aws-cdk/aws-rds/lib/serverless-cluster.ts +++ b/packages/@aws-cdk/aws-rds/lib/serverless-cluster.ts @@ -99,11 +99,14 @@ interface ServerlessClusterNewProps { /** * The VPC that this Aurora Serverless cluster has been created in. + * + * @default - the default VPC in the account and region will be used */ - readonly vpc: ec2.IVpc; + readonly vpc?: ec2.IVpc; /** - * Where to place the instances within the VPC + * Where to place the instances within the VPC. + * If provided, the `vpc` property must also be specified. * * @default - the VPC default strategy if not specified. */ @@ -129,7 +132,8 @@ interface ServerlessClusterNewProps { /** * Security group. * - * @default - a new security group is created. + * @default - a new security group is created if `vpc` was provided. + * If the `vpc` property was not provided, no VPC security groups will be associated with the DB cluster. */ readonly securityGroups?: ec2.ISecurityGroup[]; @@ -143,7 +147,8 @@ interface ServerlessClusterNewProps { /** * Existing subnet group for the cluster. * - * @default - a new subnet group will be created. + * @default - a new subnet group is created if `vpc` was provided. + * If the `vpc` property was not provided, no subnet group will be associated with the DB cluster */ readonly subnetGroup?: ISubnetGroup; } @@ -351,19 +356,42 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase { constructor(scope: Construct, id: string, props: ServerlessClusterNewProps) { super(scope, id); - const { subnetIds } = props.vpc.selectSubnets(props.vpcSubnets); - - // Cannot test whether the subnets are in different AZs, but at least we can test the amount. - if (subnetIds.length < 2) { - Annotations.of(this).addError(`Cluster requires at least 2 subnets, got ${subnetIds.length}`); + if (props.vpc === undefined) { + if (props.vpcSubnets !== undefined) { + throw new Error('A VPC is required to use vpcSubnets in ServerlessCluster. Please add a VPC or remove vpcSubnets'); + } + if (props.subnetGroup !== undefined) { + throw new Error('A VPC is required to use subnetGroup in ServerlessCluster. Please add a VPC or remove subnetGroup'); + } + if (props.securityGroups !== undefined) { + throw new Error('A VPC is required to use securityGroups in ServerlessCluster. Please add a VPC or remove securityGroups'); + } } - const subnetGroup = props.subnetGroup ?? new SubnetGroup(this, 'Subnets', { - description: `Subnets for ${id} database`, - vpc: props.vpc, - vpcSubnets: props.vpcSubnets, - removalPolicy: props.removalPolicy === RemovalPolicy.RETAIN ? props.removalPolicy : undefined, - }); + let subnetGroup: ISubnetGroup | undefined = props.subnetGroup; + this.securityGroups = props.securityGroups ?? []; + if (props.vpc !== undefined) { + const { subnetIds } = props.vpc.selectSubnets(props.vpcSubnets); + + // Cannot test whether the subnets are in different AZs, but at least we can test the amount. + if (subnetIds.length < 2) { + Annotations.of(this).addError(`Cluster requires at least 2 subnets, got ${subnetIds.length}`); + } + + subnetGroup = props.subnetGroup ?? new SubnetGroup(this, 'Subnets', { + description: `Subnets for ${id} database`, + vpc: props.vpc, + vpcSubnets: props.vpcSubnets, + removalPolicy: props.removalPolicy === RemovalPolicy.RETAIN ? props.removalPolicy : undefined, + }); + + this.securityGroups = props.securityGroups ?? [ + new ec2.SecurityGroup(this, 'SecurityGroup', { + description: 'RDS security group', + vpc: props.vpc, + }), + ]; + } if (props.backupRetention) { const backupRetentionDays = props.backupRetention.toDays(); @@ -379,12 +407,6 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase { const clusterParameterGroup = props.parameterGroup ?? clusterEngineBindConfig.parameterGroup; const clusterParameterGroupConfig = clusterParameterGroup?.bindToCluster({}); - this.securityGroups = props.securityGroups ?? [ - new ec2.SecurityGroup(this, 'SecurityGroup', { - description: 'RDS security group', - vpc: props.vpc, - }), - ]; const clusterIdentifier = FeatureFlags.of(this).isEnabled(cxapi.RDS_LOWERCASE_DB_IDENTIFIER) ? props.clusterIdentifier?.toLowerCase() @@ -395,7 +417,7 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase { databaseName: props.defaultDatabaseName, dbClusterIdentifier: clusterIdentifier, dbClusterParameterGroupName: clusterParameterGroupConfig?.parameterGroupName, - dbSubnetGroupName: subnetGroup.subnetGroupName, + dbSubnetGroupName: subnetGroup?.subnetGroupName, deletionProtection: defaultDeletionProtection(props.deletionProtection, props.removalPolicy), engine: props.engine.engineType, engineVersion: props.engine.engineVersion?.fullVersion, @@ -476,7 +498,7 @@ export class ServerlessCluster extends ServerlessClusterNew { public readonly secret?: secretsmanager.ISecret; - private readonly vpc: ec2.IVpc; + private readonly vpc?: ec2.IVpc; private readonly vpcSubnets?: ec2.SubnetSelection; private readonly singleUserRotationApplication: secretsmanager.SecretRotationApplication; @@ -525,6 +547,10 @@ export class ServerlessCluster extends ServerlessClusterNew { throw new Error('Cannot add single user rotation for a cluster without secret.'); } + if (this.vpc === undefined) { + throw new Error('Cannot add single user rotation for a cluster without VPC.'); + } + const id = 'RotationSingleUser'; const existing = this.node.tryFindChild(id); if (existing) { @@ -549,6 +575,11 @@ export class ServerlessCluster extends ServerlessClusterNew { if (!this.secret) { throw new Error('Cannot add multi user rotation for a cluster without secret.'); } + + if (this.vpc === undefined) { + throw new Error('Cannot add multi user rotation for a cluster without VPC.'); + } + return new secretsmanager.SecretRotation(this, id, { ...options, excludeCharacters: options.excludeCharacters ?? DEFAULT_PASSWORD_EXCLUDE_CHARS, @@ -680,4 +711,4 @@ export class ServerlessClusterFromSnapshot extends ServerlessClusterNew { this.secret = secret.attach(this); } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.expected.json b/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.expected.json new file mode 100644 index 0000000000000..7d81d78c4e34f --- /dev/null +++ b/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.expected.json @@ -0,0 +1,18 @@ +{ + "Resources": { + "ServerlessDatabaseWithoutVPC93F9A752": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "Engine": "aurora-mysql", + "DBClusterParameterGroupName": "default.aurora-mysql5.7", + "EngineMode": "serverless", + "MasterUsername": "admin", + "MasterUserPassword": "7959866cacc02c2d243ecfe177464fe6", + "StorageEncrypted": true, + "VpcSecurityGroupIds": [] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.ts b/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.ts new file mode 100644 index 0000000000000..807cf1a894601 --- /dev/null +++ b/packages/@aws-cdk/aws-rds/test/integ.serverless-cluster-no-vpc.ts @@ -0,0 +1,17 @@ +import * as cdk from '@aws-cdk/core'; +import * as rds from '../lib'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-sls-cluster-no-vpc-integ'); + +const cluster = new rds.ServerlessCluster(stack, 'Serverless Database Without VPC', { + engine: rds.DatabaseClusterEngine.AURORA_MYSQL, + credentials: { + username: 'admin', + password: cdk.SecretValue.plainText('7959866cacc02c2d243ecfe177464fe6'), + }, + removalPolicy: cdk.RemovalPolicy.DESTROY, +}); +cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world'); + +app.synth(); diff --git a/packages/@aws-cdk/aws-rds/test/serverless-cluster.test.ts b/packages/@aws-cdk/aws-rds/test/serverless-cluster.test.ts index 3849a99cdeb02..a55a23df02421 100644 --- a/packages/@aws-cdk/aws-rds/test/serverless-cluster.test.ts +++ b/packages/@aws-cdk/aws-rds/test/serverless-cluster.test.ts @@ -1,10 +1,10 @@ -import { Template } from '@aws-cdk/assertions'; +import { Template, Match } from '@aws-cdk/assertions'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; import * as kms from '@aws-cdk/aws-kms'; import * as cdk from '@aws-cdk/core'; import * as cxapi from '@aws-cdk/cx-api'; -import { AuroraPostgresEngineVersion, ServerlessCluster, DatabaseClusterEngine, ParameterGroup, AuroraCapacityUnit, DatabaseSecret } from '../lib'; +import { AuroraPostgresEngineVersion, ServerlessCluster, DatabaseClusterEngine, ParameterGroup, AuroraCapacityUnit, DatabaseSecret, SubnetGroup } from '../lib'; describe('serverless cluster', () => { test('can create a Serverless Cluster with Aurora Postgres database engine', () => { @@ -70,28 +70,18 @@ describe('serverless cluster', () => { }, EngineMode: 'serverless', MasterUsername: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'ServerlessDatabaseSecret1C9BF4F1', - }, - ':SecretString:username::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'ServerlessDatabaseSecret1C9BF4F1' }, + ':SecretString:username::}}', + ]], }, MasterUserPassword: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'ServerlessDatabaseSecret1C9BF4F1', - }, - ':SecretString:password::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'ServerlessDatabaseSecret1C9BF4F1' }, + ':SecretString:password::}}', + ]], }, StorageEncrypted: true, VpcSecurityGroupIds: [ @@ -131,28 +121,18 @@ describe('serverless cluster', () => { EngineMode: 'serverless', DBSubnetGroupName: { Ref: 'DatabaseSubnets56F17B9A' }, MasterUsername: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'DatabaseSecret3B817195', - }, - ':SecretString:username::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'DatabaseSecret3B817195' }, + ':SecretString:username::}}', + ]], }, MasterUserPassword: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'DatabaseSecret3B817195', - }, - ':SecretString:password::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'DatabaseSecret3B817195' }, + ':SecretString:password::}}', + ]], }, VpcSecurityGroupIds: ['SecurityGroupId12345'], }); @@ -192,28 +172,18 @@ describe('serverless cluster', () => { // THEN Template.fromStack(stack).hasResourceProperties('AWS::RDS::DBCluster', { MasterUsername: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'DatabaseSecret3B817195', - }, - ':SecretString:username::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'DatabaseSecret3B817195' }, + ':SecretString:username::}}', + ]], }, MasterUserPassword: { - 'Fn::Join': [ - '', - [ - '{{resolve:secretsmanager:', - { - Ref: 'DatabaseSecret3B817195', - }, - ':SecretString:password::}}', - ], - ], + 'Fn::Join': ['', [ + '{{resolve:secretsmanager:', + { Ref: 'DatabaseSecret3B817195' }, + ':SecretString:password::}}', + ]], }, }); @@ -351,7 +321,7 @@ describe('serverless cluster', () => { expect(cluster.clusterReadEndpoint.socketAddress).toEqual('reader-address:3306'); }); - test('throws when trying to add rotation to a serverless cluster without secret', () => { + test('throws when trying to add single-user rotation to a serverless cluster without secret', () => { // GIVEN const stack = new cdk.Stack(); const vpc = new ec2.Vpc(stack, 'VPC'); @@ -387,6 +357,39 @@ describe('serverless cluster', () => { expect(() => cluster.addRotationSingleUser()).toThrow(/A single user rotation was already added to this cluster/); }); + test('throws when trying to add single-user rotation to a serverless cluster without VPC', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + const cluster = new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + }); + + // THEN + expect(() => { + cluster.addRotationSingleUser(); + }).toThrow(/Cannot add single user rotation for a cluster without VPC/); + }); + + test('throws when trying to add multi-user rotation to a serverless cluster without VPC', () => { + // GIVEN + const stack = new cdk.Stack(); + const secret = new DatabaseSecret(stack, 'Secret', { + username: 'admin', + }); + + // WHEN + const cluster = new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + }); + + // THEN + expect(() => { + cluster.addRotationMultiUser('someId', { secret }); + }).toThrow(/Cannot add multi user rotation for a cluster without VPC/); + }); + test('can set deletion protection', () => { // GIVEN const stack = testStack(); @@ -612,15 +615,12 @@ describe('serverless cluster', () => { // THEN expect(stack.resolve(cluster.clusterArn)).toEqual({ - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':rds:us-test-1:12345:cluster:', - { Ref: 'DatabaseB269D8BB' }, - ], - ], + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':rds:us-test-1:12345:cluster:', + { Ref: 'DatabaseB269D8BB' }, + ]], }); }); @@ -803,6 +803,65 @@ describe('serverless cluster', () => { DBClusterIdentifier: clusterIdentifier, }); }); + + test('can create a Serverless cluster without VPC', () => { + // GIVEN + const stack = testStack(); + + // WHEN + new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::RDS::DBCluster', { + Engine: 'aurora-mysql', + EngineMode: 'serverless', + DbSubnetGroupName: Match.absent(), + VpcSecurityGroupIds: [], + }); + }); + + test('cannot create a Serverless cluster without VPC but specifying a security group', () => { + // GIVEN + const stack = testStack(); + const sg = ec2.SecurityGroup.fromSecurityGroupId(stack, 'SG', 'SecurityGroupId12345'); + + // THEN + expect(() => new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + securityGroups: [sg], + })).toThrow(/A VPC is required to use securityGroups in ServerlessCluster. Please add a VPC or remove securityGroups/); + }); + + test('cannot create a Serverless cluster without VPC but specifying a subnet group', () => { + // GIVEN + const stack = testStack(); + const SubnetGroupName = 'SubnetGroupId12345'; + const subnetGroup = SubnetGroup.fromSubnetGroupName(stack, 'SubnetGroup12345', SubnetGroupName); + + // THEN + expect(() => new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + subnetGroup, + })).toThrow(/A VPC is required to use subnetGroup in ServerlessCluster. Please add a VPC or remove subnetGroup/); + }); + + test('cannot create a Serverless cluster without VPC but specifying VPC subnets', () => { + // GIVEN + const stack = testStack(); + + // WHEN + const vpcSubnets = { + subnetName: 'AVpcSubnet', + }; + + // THEN + expect(() => new ServerlessCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + vpcSubnets, + })).toThrow(/A VPC is required to use vpcSubnets in ServerlessCluster. Please add a VPC or remove vpcSubnets/); + }); }); function testStack(app?: cdk.App, id?: string): cdk.Stack {