feat(rds): new DatabaseInstance.fromLookup

[pcheungamz]

Issue # (if applicable)

Closes #31720

This replaces my previous PR #32901. I addressed the PR comments in this new PR.

This depends on this PR: cdklabs/cloud-assembly-schema#124.

Also depends on this CDK CLI PR: aws/aws-cdk-cli#138. That PR should be merged first and the CLI released, before this PR can be merged.

Reason for this change

Add DatabaseInstance.fromLookup() feature

Description of changes

• Add CC API Context Provider. Needs this PR: feat: Add CC API based Context Query.  cdklabs/cloud-assembly-schema#124
• DatabaseInstance.fromLookup call CC API to get the database instance info from instanceIdentifier.
• Add units tests.

Describe any new or updated permissions being added

User will need to have permission to run CloudControl API.

Description of how you validated changes

Tested with this code. I already have an RDS DB in my AWS account. I want to look it up and grant connect to a new user.
Saved to packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/my-test-app.ts

import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as rds from 'aws-cdk-lib/aws-rds';

const awsAccountId = 'XXXXXXXXXX79';
const instanceId = 'XXXXXXXXXX-instance-1';

const appWithDb = new cdk.App();
const stack = new cdk.Stack(appWithDb, 'StackWithVpc', {
  env: {
    region: 'us-east-1',
    account: awsAccountId,
  },
});

const dbFromLookup = rds.DatabaseInstance.fromLookup(stack, 'dbFromLookup', {
  instanceIdentifier: instanceId,
});

/* eslint-disable no-console */
console.log('lookup values', dbFromLookup.dbInstanceEndpointAddress, dbFromLookup.dbInstanceEndpointPort);

const consoleReadOnlyRole = new iam.Role(stack, 'TestRole', {
  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
});
dbFromLookup.grantConnect(consoleReadOnlyRole, 'dbTestUser');

Ran this command:

../../aws-cdk/bin/cdk -a 'npx ts-node test/aws-rds/test/my-test-app.ts' synth 

Checklist

• [ X ] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[rix0rrr]

💅 Instead of using forEach for a list.push() side effect, it's nicer to use a list.map() to produce another list.

const securityGroups = instance.DBSecurityGroups.map(id => ec2.SecurityGroup.fromSecurityGroupid(...))

[pcheungamz]

thanks. will do

[rix0rrr]

💅 Object.assign() is a way to copy fields from object A to object B, usually useful if you don't know what fields an object might have. Since all values are constants known in advance here, we could also have done:

const dataObj = {
  'DBInstanceArn': 'arn:aws...',
  'Endpoint.Address': 'instance-1.testserver',
  'Endpoint.Port': '5432',
  // ...
};

Which is a lot simpler.

[pcheungamz]

I ran into a linter error. I guess it is better to turn off linter for this test files than to use Object.assign.

[rix0rrr]

💅 Same comment here.

[rix0rrr]

Did you copy this from elsewhere? Because using a Jest mock is simpler than this and it's the currently recommended way to write this.

// GIVEN
const mock = jest.spyOn(ContextProvider.prototype, 'getValue').mockResolvedValue(...);

// WHEN
// ...

// THEN
expect(mock).toHaveBeenCalledWith(...);

mock.restore();

[pcheungamz]

yes, I borrowed it from aws-kms/test/key.from-lookup.test.ts. Will change that to follow the recommended standard.

[pcheungamz]

I couldn't get jest.spyOn to work with ContextProvider. I got:

Property `getValue` does not exist in the provided object

[pcheungamz]

NVM, this is a static method, so I have to use

const mock = jest.spyOn(ContextProvider, 'getValue').mockReturnValue(value);

[rix0rrr]

Slightly annoying but I believe that cc.getResource and cc.listResources will return different properties (at the discretion of the resource handler implementation). getResource will definitely return everything, and listResources wil return some summarized version.

That will probably be an annoying an unexpected behavior for users in the future. The safer behavior would be to call listResources first, and then call getResource for every resource returned that way. I'm debating whether we cast that behavior in stone right now, or wait for problems to turn up...

At least this behavior should be documented somewhere.

[pcheungamz]

I tested with

aws cloudcontrol list-resources --type-name AWS::RDS::DBInstance

and

aws cloudcontrol get-resource --type-name AWS::RDS::DBInstance --identifier shine-reporting-aurora-instance-1

The properties return are the same. getResource and listResources are consistent at least for DBInstance.

[rix0rrr]

Can we make returning Identifier part of getResultObj as well? Then that function is entirely responsible for producing the returned object, which seems nice and comprehensible, and we don't have to remember to do this in both query functions.

[pcheungamz]

make sense. will do

[rix0rrr]

This could be formulated as:

const filters = Object.values(args.propertyMatch);

const isMatch = filters.every(([key, expected] => {
  const actual = findJsonValue(propsObject, key);
  return propertyMatchesFilter(actual, expected);
});

function propertyMatchesFilter(actual: any, expected: any) {
  // For now we just check for strict equality, but we can implement pattern matching and fuzzy matching here later
  return expected === actual;
}

I did 3 things here:

• Use Object.values() instead of Object.keys(), so we iterate over key/value pairs (saves a lookup and some visual noise, imo).
• Use list.every() instead of a forEach combined with mutating a boolean
• Extract the actual comparison to a helper function, so that we have a clear location to start implementing more advanced filtering later

[pcheungamz]

Thanks. will use this pattern.

[pcheungamz]

I couldn't get your code to work. Object.values() doesn't give me back the key, but Object.entries() gave me both key and value. I also had trouble with every. It only gave me the first element.

This is my playground code: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBAtgTwEoFNQCcAmAuGqOYA806AlmAOYA0MArmANZggDuYAfDALwwDeAUDBgByAMpQQ6AIYUUAUTDB0CAA5QUmYbmFR0tFMKqCRCzCpDkoAOgAKkqFpEBWACwBmAEyH+AXwDc-PygkLAAZqQANuroENwwAPIARgBWaNYAblIR+hAAFIj4kpgAlAH8APTlMOFRKDFWKOl1CLm5KAAeKmkaNOSYHcXcnAKVQmPBECARKFYRIBS5fR00HV3A6iUBoz6lgUmp6w1guqQoeQVoRcVWoZJyUsAAFq0A2gwoCDSZ2SgAuoNcYbGCZTGZzBYAAwA0h9cAASXjvBA+GgANSy+nhvG++h8EN2OwCQA

[pcheungamz]

I got this to work

const filters = Object.entries(myRecord);

filters.every((expected, index, arr) => {
    const key = arr[index][0];
    const expected = arr[index][1];
    const actual = findJsonValue(propsObject, key);
    return propertyMatchesFilter(actual, expected);
});

Playground code: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBAtgTwEoFNQCcAmAuGqOYA806AlmAOYA0MArmANZggDuYAfDALwwDeAUDBgByAMpQQ6AIYUUAUTDB0CAA5QUmYbmFR0tFMKqCRCzCpDkoAOgAKkqFpEBWACwBmAEyH+AXwDc-PwA9EEwoJCwAGakADbq6BDcMADyAEYAVmjWAG5SMfoQABSI+JKYAJQB4dAw0XEoCUlpmcDWKGC6pChFJWhllYF18RBWKNkNCIWFKAAeKlkaNOSYszRS6NII5dycAkJC1SAxKFYxIBSFy6sws-OtizDrmwDaVzMAus8ADO9rG1IIV5gFYfZ4ARneA32MHQKCgtHQYBgun0AR8A2CoWaWVGHTI3WKyD6WHKVkikjkUmAAAsps8GCgEDRcvkUJCdnxMftDsdTudCgADADSjNwABJeAyED4aAA1PL6cW8Fn6HwCgYhGDogJAA

[rix0rrr]

I see you decided to return a object with a { results: [...] } key, rather than a list directly.

I'm not against it because it's more easily extensible, but I'm not sure I see the need yet and I'm curious if there are any specific reasons to do it this wat? Just returning a direct list seems simpler to me, but I wonder if you're predicting some future change I'm not seeing yet.

[pcheungamz]

I was following the Coral results within the return object that I am used to seeing. I am not tied to it. Happy to change it to a direct list, since this is more idiomatic for CDK.

[rix0rrr]

💅 Could also do:

expect(propsObj).toEqual({
  DBInstanceArn: 'arn:...',
  StorageEncrypted: 'true',
  // ...
});

Or even

expect(propsObj).toEqual(expect.objectContaining({
  DBInstanceArn: 'arn:...',
  StorageEncrypted: 'true',
  // ...
}));

[pcheungamz]

thanks. will use this pattern.

[rix0rrr]

Please add in the error message here.

And I don't agree that this is a TypeError.

[pcheungamz]

Will use ContextProviderError instead.

[rix0rrr]

Please add in the error message here.

And I don't agree that this is a TypeError.

[pcheungamz]

will use ContextProviderError and include err in the message.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[rix0rrr]

One more thing!

[rix0rrr]

This cast shouldn't be necessary. Because of the { ... } you added, securityGroups will always turn out to be an array of voids [void, void, void]. The forms for an anonymous function in JavaScript are:

// Form 1: pure expression
const fn1 = (...args) => expr;

// Form 2: statements
const fn2 = (...args) => {
  // potentially more statements
  return expr;
};

You did:

const fn3 = (...args) => {
  // Missing 'return'
  expr;
}

Which is a function that evaluates <expr>, drops the result on the floor, then returns void.

This tells me there's no test for it 🥸

[pcheungamz]

Without the cast, I got this error:

Type 'void[]' is not assignable to type 'ISecurityGroup[]'.
  Type 'void' is not assignable to type 'ISecurityGroup'.ts(2322)

[pcheungamz]

NVM, I understand your comment now. New Code:

    if (dbsg) {
      securityGroups = dbsg.map(securityGroupId => {
        return ec2.SecurityGroup.fromSecurityGroupId(
          scope,
          `LSG-${securityGroupId}`,
          securityGroupId,
        );
      });
    }

I have a test for that here: https://github.com/pcheungamz/aws-cdk/blob/rds-cc-api-2/packages/aws-cdk-lib/aws-rds/test/instance.from-lookup.test.ts#L94.

 expect(instance.connections.securityGroups.length).toEqual(2);

[pcheungamz]

ah ok. I get it now. Will do a new commit to check securityGroupId for each of the two security groups.

[rix0rrr]

💅 I generally prefer early returns, it makes code easier to read because the straight-down code path is the expected code path.

// ❌ Don't
if (goodCondition) {
  doThing();
} else {
  throw new Error('oh no');
}

// ✅ Do
if (badCondition) {
  throw new Error('oh no');
}

doThing();

(Style, not a hard blocker, I'll leave this to you to decide what to do with)

[rix0rrr]

Approved, but it shouldn't be merged before the matching CLI PR has been released.

[mrgrain]

Approved, but it shouldn't be merged before the matching CLI PR has been released.

The matching CLI PR has been released! 🎉
https://github.com/aws/aws-cdk-cli/releases/tag/aws-cdk%40v2.1001.0

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.24%. Comparing base (3ed7c4d) to head (b1bb804).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33258   +/-   ##
=======================================
  Coverage   82.24%   82.24%           
=======================================
  Files         119      119           
  Lines        6875     6875           
  Branches     1161     1161           
=======================================
  Hits         5654     5654           
  Misses       1118     1118           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.24% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.24% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: b1bb804
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository