Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rds): retain cluster and instances on deletion and replacement #2063

Merged
merged 4 commits into from
Mar 26, 2019
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-rds/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ const cluster = new DatabaseCluster(this, 'Database', {
}
});
```
By default, the master password will be generated and stored in AWS Secrets Manager.
By default, the master password will be generated and stored in AWS Secrets Manager and the storage will be encrypted with the default master key.

Your cluster will be empty by default. To add a default database upon construction, specify the
`defaultDatabaseName` attribute.
Expand Down Expand Up @@ -61,7 +61,7 @@ When the master password is generated and stored in AWS Secrets Manager, it can

Rotation of the master password is also supported for an existing cluster:
```ts
new rds.RotationSingleUser(stack, 'Rotation', {
new RotationSingleUser(stack, 'Rotation', {
secret: importedSecret,
engine: DatabaseEngine.Oracle,
target: importedCluster,
Expand Down
18 changes: 14 additions & 4 deletions packages/@aws-cdk/aws-rds/lib/cluster.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import ec2 = require('@aws-cdk/aws-ec2');
import kms = require('@aws-cdk/aws-kms');
import secretsmanager = require('@aws-cdk/aws-secretsmanager');
import cdk = require('@aws-cdk/cdk');
import { IClusterParameterGroup } from './cluster-parameter-group';
Expand Down Expand Up @@ -72,9 +73,18 @@ export interface DatabaseClusterProps {
defaultDatabaseName?: string;

/**
* ARN of KMS key if you want to enable storage encryption
* Whether to enable storage encryption
*
* @default true
*/
storageEncrypted?: boolean
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have an issue with this default due to implicit costs to customers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even when using the default master key? The cost is rather small compared to the cost of RDS. Isn't the CDK supposed to enforce best (security) practices?

But OK, I see that the same philosophy has been adopted for S3 buckets. You want me to change this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also not sure I'm comfortable with replacing everyone's RDS instances. As far as I know, that will destroy their data, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you change the default I'm all for it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also not sure I'm comfortable with replacing everyone's RDS instances. As far as I know, that will destroy their data, right?

Yes, and the solution lies in here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html for resources such as database instances

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My experience with RDS is limited, but is it possible to replace the database without loss of data? It doesn't look so, right?

I'm MAYBE willing to accept loss of availabillity (even though that's not great either), by means of a Delete-to-Snapshot and then Restore-from-Snapshot, but given that CloudFormation will do the CREATE before the DELETE, doesn't seem like we can sequence those correctly in one deployment.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While you're in here, would you mind adding a property to control DeletionPoliycy and UpdateReplacePolicy? I'm horrified to see those aren't being set yet.

I think one property to control both policies should be fine, and it should default to Retain.


/**
* The KMS key for storage encryption
*
* @default default master key
*/
kmsKeyArn?: string;
kmsKey?: kms.IEncryptionKey;

/**
* A daily time range in 24-hours UTC format in which backups preferably execute.
Expand Down Expand Up @@ -261,8 +271,8 @@ export class DatabaseCluster extends DatabaseClusterBase implements IDatabaseClu
preferredMaintenanceWindow: props.preferredMaintenanceWindow,
databaseName: props.defaultDatabaseName,
// Encryption
kmsKeyId: props.kmsKeyArn,
storageEncrypted: props.kmsKeyArn ? true : false,
kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
storageEncrypted: props.kmsKey ? true : props.storageEncrypted !== false,
});

this.clusterIdentifier = cluster.ref;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -650,7 +650,7 @@
]
]
},
"StorageEncrypted": false,
"StorageEncrypted": true,
"VpcSecurityGroupIds": [
{
"Fn::GetAtt": [
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-rds/test/integ.cluster.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ const cluster = new DatabaseCluster(stack, 'Database', {
vpc
},
parameterGroup: params,
kmsKeyArn: kmsKey.keyArn,
kmsKey,
});

cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world');
Expand Down
36 changes: 35 additions & 1 deletion packages/@aws-cdk/aws-rds/test/test.cluster.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import { expect, haveResource } from '@aws-cdk/assert';
import ec2 = require('@aws-cdk/aws-ec2');
import kms = require('@aws-cdk/aws-kms');
import cdk = require('@aws-cdk/cdk');
import { Test } from 'nodeunit';
import { ClusterParameterGroup, DatabaseCluster, DatabaseClusterEngine } from '../lib';
Expand Down Expand Up @@ -29,7 +30,8 @@ export = {
DBSubnetGroupName: { Ref: "DatabaseSubnets56F17B9A" },
MasterUsername: "admin",
MasterUserPassword: "tooshort",
VpcSecurityGroupIds: [ {"Fn::GetAtt": ["DatabaseSecurityGroup5C91FDCB", "GroupId"]}]
VpcSecurityGroupIds: [ {"Fn::GetAtt": ["DatabaseSecurityGroup5C91FDCB", "GroupId"]}],
StorageEncrypted: true
}));

test.done();
Expand Down Expand Up @@ -232,6 +234,38 @@ export = {
}
}));

test.done();
},

'create an encrypted cluster with custom KMS key'(test: Test) {
// GIVEN
const stack = testStack();
const vpc = new ec2.VpcNetwork(stack, 'VPC');

// WHEN
new DatabaseCluster(stack, 'Database', {
engine: DatabaseClusterEngine.AuroraMysql,
masterUser: {
username: 'admin'
},
instanceProps: {
instanceType: new ec2.InstanceTypePair(ec2.InstanceClass.Burstable2, ec2.InstanceSize.Small),
vpc
},
kmsKey: new kms.EncryptionKey(stack, 'Key')
});

// THEN
expect(stack).to(haveResource('AWS::RDS::DBCluster', {
KmsKeyId: {
'Fn::GetAtt': [
'Key961B73FD',
'Arn'
]
},
StorageEncrypted: true
}));

test.done();
}
};
Expand Down