feat(rds): new DatabaseInstance.fromLookup

[pcheungamz]

Issue # (if applicable)

Closes #31720

This replaces my previous PR #32901. I addressed the PR comments in this new PR.

This depends on this PR: cdklabs/cloud-assembly-schema#124.

Also depends on this CDK CLI PR: aws/aws-cdk-cli#138. That PR should be merged first and the CLI released, before this PR can be merged.

Reason for this change

Add DatabaseInstance.fromLookup() feature

Description of changes

• Add CC API Context Provider. Needs this PR: feat: Add CC API based Context Query.  cdklabs/cloud-assembly-schema#124
• DatabaseInstance.fromLookup call CC API to get the database instance info from instanceIdentifier.
• Add units tests.

Describe any new or updated permissions being added

User will need to have permission to run CloudControl API.

Description of how you validated changes

Tested with this code. I already have an RDS DB in my AWS account. I want to look it up and grant connect to a new user.
Saved to packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/my-test-app.ts

import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as rds from 'aws-cdk-lib/aws-rds';

const awsAccountId = 'XXXXXXXXXX79';
const instanceId = 'XXXXXXXXXX-instance-1';

const appWithDb = new cdk.App();
const stack = new cdk.Stack(appWithDb, 'StackWithVpc', {
  env: {
    region: 'us-east-1',
    account: awsAccountId,
  },
});

const dbFromLookup = rds.DatabaseInstance.fromLookup(stack, 'dbFromLookup', {
  instanceIdentifier: instanceId,
});

/* eslint-disable no-console */
console.log('lookup values', dbFromLookup.dbInstanceEndpointAddress, dbFromLookup.dbInstanceEndpointPort);

const consoleReadOnlyRole = new iam.Role(stack, 'TestRole', {
  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
});
dbFromLookup.grantConnect(consoleReadOnlyRole, 'dbTestUser');

Ran this command:

../../aws-cdk/bin/cdk -a 'npx ts-node test/aws-rds/test/my-test-app.ts' synth 

Checklist

• [ X ] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[rix0rrr]

💅 Instead of using forEach for a list.push() side effect, it's nicer to use a list.map() to produce another list.

const securityGroups = instance.DBSecurityGroups.map(id => ec2.SecurityGroup.fromSecurityGroupid(...))

[pcheungamz]

thanks. will do

[rix0rrr]

💅 Object.assign() is a way to copy fields from object A to object B, usually useful if you don't know what fields an object might have. Since all values are constants known in advance here, we could also have done:

const dataObj = {
  'DBInstanceArn': 'arn:aws...',
  'Endpoint.Address': 'instance-1.testserver',
  'Endpoint.Port': '5432',
  // ...
};

Which is a lot simpler.

[pcheungamz]

I ran into a linter error. I guess it is better to turn off linter for this test files than to use Object.assign.

[rix0rrr]

💅 Same comment here.

[rix0rrr]

Did you copy this from elsewhere? Because using a Jest mock is simpler than this and it's the currently recommended way to write this.

// GIVEN
const mock = jest.spyOn(ContextProvider.prototype, 'getValue').mockResolvedValue(...);

// WHEN
// ...

// THEN
expect(mock).toHaveBeenCalledWith(...);

mock.restore();

[pcheungamz]

yes, I borrowed it from aws-kms/test/key.from-lookup.test.ts. Will change that to follow the recommended standard.

[pcheungamz]

I couldn't get jest.spyOn to work with ContextProvider. I got:

Property `getValue` does not exist in the provided object

[pcheungamz]

NVM, this is a static method, so I have to use

const mock = jest.spyOn(ContextProvider, 'getValue').mockReturnValue(value);

[rix0rrr]

Slightly annoying but I believe that cc.getResource and cc.listResources will return different properties (at the discretion of the resource handler implementation). getResource will definitely return everything, and listResources wil return some summarized version.

That will probably be an annoying an unexpected behavior for users in the future. The safer behavior would be to call listResources first, and then call getResource for every resource returned that way. I'm debating whether we cast that behavior in stone right now, or wait for problems to turn up...

At least this behavior should be documented somewhere.

[pcheungamz]

I tested with

aws cloudcontrol list-resources --type-name AWS::RDS::DBInstance

and

aws cloudcontrol get-resource --type-name AWS::RDS::DBInstance --identifier shine-reporting-aurora-instance-1

The properties return are the same. getResource and listResources are consistent at least for DBInstance.

[rix0rrr]

Can we make returning Identifier part of getResultObj as well? Then that function is entirely responsible for producing the returned object, which seems nice and comprehensible, and we don't have to remember to do this in both query functions.

[pcheungamz]

make sense. will do

[rix0rrr]

This could be formulated as:

const filters = Object.values(args.propertyMatch);

const isMatch = filters.every(([key, expected] => {
  const actual = findJsonValue(propsObject, key);
  return propertyMatchesFilter(actual, expected);
});

function propertyMatchesFilter(actual: any, expected: any) {
  // For now we just check for strict equality, but we can implement pattern matching and fuzzy matching here later
  return expected === actual;
}

I did 3 things here:

• Use Object.values() instead of Object.keys(), so we iterate over key/value pairs (saves a lookup and some visual noise, imo).
• Use list.every() instead of a forEach combined with mutating a boolean
• Extract the actual comparison to a helper function, so that we have a clear location to start implementing more advanced filtering later

[pcheungamz]

Thanks. will use this pattern.

[pcheungamz]

I couldn't get your code to work. Object.values() doesn't give me back the key, but Object.entries() gave me both key and value. I also had trouble with every. It only gave me the first element.

This is my playground code: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBAtgTwEoFNQCcAmAuGqOYA806AlmAOYA0MArmANZggDuYAfDALwwDeAUDBgByAMpQQ6AIYUUAUTDB0CAA5QUmYbmFR0tFMKqCRCzCpDkoAOgAKkqFpEBWACwBmAEyH+AXwDc-PygkLAAZqQANuroENwwAPIARgBWaNYAblIR+hAAFIj4kpgAlAH8APTlMOFRKDFWKOl1CLm5KAAeKmkaNOSYHcXcnAKVQmPBECARKFYRIBS5fR00HV3A6iUBoz6lgUmp6w1guqQoeQVoRcVWoZJyUsAAFq0A2gwoCDSZ2SgAuoNcYbGCZTGZzBYAAwA0h9cAASXjvBA+GgANSy+nhvG++h8EN2OwCQA

[pcheungamz]

I got this to work

const filters = Object.entries(myRecord);

filters.every((expected, index, arr) => {
    const key = arr[index][0];
    const expected = arr[index][1];
    const actual = findJsonValue(propsObject, key);
    return propertyMatchesFilter(actual, expected);
});

Playground code: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBAtgTwEoFNQCcAmAuGqOYA806AlmAOYA0MArmANZggDuYAfDALwwDeAUDBgByAMpQQ6AIYUUAUTDB0CAA5QUmYbmFR0tFMKqCRCzCpDkoAOgAKkqFpEBWACwBmAEyH+AXwDc-PwA9EEwoJCwAGakADbq6BDcMADyAEYAVmjWAG5SMfoQABSI+JKYAJQB4dAw0XEoCUlpmcDWKGC6pChFJWhllYF18RBWKNkNCIWFKAAeKlkaNOSYszRS6NII5dycAkJC1SAxKFYxIBSFy6sws-OtizDrmwDaVzMAus8ADO9rG1IIV5gFYfZ4ARneA32MHQKCgtHQYBgun0AR8A2CoWaWVGHTI3WKyD6WHKVkikjkUmAAAsps8GCgEDRcvkUJCdnxMftDsdTudCgADADSjNwABJeAyED4aAA1PL6cW8Fn6HwCgYhGDogJAA

[rix0rrr]

I see you decided to return a object with a { results: [...] } key, rather than a list directly.

I'm not against it because it's more easily extensible, but I'm not sure I see the need yet and I'm curious if there are any specific reasons to do it this wat? Just returning a direct list seems simpler to me, but I wonder if you're predicting some future change I'm not seeing yet.

[pcheungamz]

I was following the Coral results within the return object that I am used to seeing. I am not tied to it. Happy to change it to a direct list, since this is more idiomatic for CDK.

[rix0rrr]

💅 Could also do:

expect(propsObj).toEqual({
  DBInstanceArn: 'arn:...',
  StorageEncrypted: 'true',
  // ...
});

Or even

expect(propsObj).toEqual(expect.objectContaining({
  DBInstanceArn: 'arn:...',
  StorageEncrypted: 'true',
  // ...
}));

[pcheungamz]

thanks. will use this pattern.

[rix0rrr]

Please add in the error message here.

And I don't agree that this is a TypeError.

[pcheungamz]

Will use ContextProviderError instead.

[rix0rrr]

Please add in the error message here.

And I don't agree that this is a TypeError.

[pcheungamz]

will use ContextProviderError and include err in the message.

Pull request has been modified.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.35%. Comparing base (45623d6) to head (2a687f6).
Report is 62 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33258   +/-   ##
=======================================
  Coverage   82.35%   82.35%           
=======================================
  Files         120      120           
  Lines        6941     6941           
  Branches     1172     1172           
=======================================
  Hits         5716     5716           
  Misses       1120     1120           
  Partials      105      105           

Flag	Coverage Δ
suite.unit	82.35% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.35% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

Pull request has been modified.

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: d5f4d9c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository