feat(rds): make VPC optional for serverless Clusters

[CorentinDoue]

Fixes #17401

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[skinny85]

Thanks for the contribution @CorentinDoue! In general looks great, just a few minor comments, mainly on the tests.

[skinny85]

Is it actually legal to pass dbSubnetGroupName without vpcSecurityGroupIds? Seems kind of weird...

[CorentinDoue]

I have no idea, the CFN doc treats them independently

[CorentinDoue]

cf 66e9b55#r781963251

[skinny85]

Suggested change

	test('can\'t create a Serverless cluster without vpc but with imported vpc subnets', () => {
	test("can't create a Serverless cluster without VPC but with imported VPC subnets", () => {

Please use the same casing in the other test descriptions.

[CorentinDoue]

idem this could be handled by prettier to avoid you loosing your time ;)

[skinny85]

BTW, a unit test is currently failing:

@aws-cdk/aws-rds: FAIL test/serverless-cluster.test.js (14.717 s)
@aws-cdk/aws-rds:   � serverless cluster › can create a Serverless cluster without vpc but with imported subnet group
@aws-cdk/aws-rds:     None of 1 resources matches resource 'AWS::RDS::DBCluster' with {
@aws-cdk/aws-rds:       "$objectLike": {
@aws-cdk/aws-rds:         "Engine": "aurora-postgresql",
@aws-cdk/aws-rds:         "DBClusterParameterGroupName": "default.aurora-postgresql10",
@aws-cdk/aws-rds:         "EngineMode": "serverless",
@aws-cdk/aws-rds:         "DBSubnetGroupName": {
@aws-cdk/aws-rds:           "Ref": "SubnetGroup12345"
@aws-cdk/aws-rds:         },
@aws-cdk/aws-rds:         "MasterUsername": {
@aws-cdk/aws-rds:           "Fn::Join": [
@aws-cdk/aws-rds:             "",
@aws-cdk/aws-rds:             [
@aws-cdk/aws-rds:               "{{resolve:secretsmanager:",
@aws-cdk/aws-rds:               {
@aws-cdk/aws-rds:                 "Ref": "DatabaseSecret3B817195"
@aws-cdk/aws-rds:               },
@aws-cdk/aws-rds:               ":SecretString:username::}}"
@aws-cdk/aws-rds:             ]
@aws-cdk/aws-rds:           ]
@aws-cdk/aws-rds:         },
@aws-cdk/aws-rds:         "MasterUserPassword": {
@aws-cdk/aws-rds:           "Fn::Join": [
@aws-cdk/aws-rds:             "",
@aws-cdk/aws-rds:             [
@aws-cdk/aws-rds:               "{{resolve:secretsmanager:",
@aws-cdk/aws-rds:               {
@aws-cdk/aws-rds:                 "Ref": "DatabaseSecret3B817195"
@aws-cdk/aws-rds:               },
@aws-cdk/aws-rds:               ":SecretString:password::}}"
@aws-cdk/aws-rds:             ]
@aws-cdk/aws-rds:           ]
@aws-cdk/aws-rds:         },
@aws-cdk/aws-rds:         "VpcSecurityGroupIds": [
@aws-cdk/aws-rds:           "SecurityGroupId12345"
@aws-cdk/aws-rds:         ]
@aws-cdk/aws-rds:       }
@aws-cdk/aws-rds:     }.
@aws-cdk/aws-rds:     - Field DBSubnetGroupName mismatch: Object type mismatch, Field VpcSecurityGroupIds missing in:
@aws-cdk/aws-rds:         {
@aws-cdk/aws-rds:           "Type": "AWS::RDS::DBCluster",
@aws-cdk/aws-rds:           "Properties": {
@aws-cdk/aws-rds:             "Engine": "aurora-postgresql",
@aws-cdk/aws-rds:             "DBClusterParameterGroupName": "default.aurora-postgresql10",
@aws-cdk/aws-rds:             "DBSubnetGroupName": "SubnetGroupId12345",
@aws-cdk/aws-rds:             "EngineMode": "serverless",
@aws-cdk/aws-rds:             "MasterUsername": {
@aws-cdk/aws-rds:               "Fn::Join": [
@aws-cdk/aws-rds:                 "",
@aws-cdk/aws-rds:                 [
@aws-cdk/aws-rds:                   "{{resolve:secretsmanager:",
@aws-cdk/aws-rds:                   {
@aws-cdk/aws-rds:                     "Ref": "DatabaseSecret3B817195"
@aws-cdk/aws-rds:                   },
@aws-cdk/aws-rds:                   ":SecretString:username::}}"
@aws-cdk/aws-rds:                 ]
@aws-cdk/aws-rds:               ]
@aws-cdk/aws-rds:             },
@aws-cdk/aws-rds:             "MasterUserPassword": {
@aws-cdk/aws-rds:               "Fn::Join": [
@aws-cdk/aws-rds:                 "",
@aws-cdk/aws-rds:                 [
@aws-cdk/aws-rds:                   "{{resolve:secretsmanager:",
@aws-cdk/aws-rds:                   {
@aws-cdk/aws-rds:                     "Ref": "DatabaseSecret3B817195"
@aws-cdk/aws-rds:                   },
@aws-cdk/aws-rds:                   ":SecretString:password::}}"
@aws-cdk/aws-rds:                 ]
@aws-cdk/aws-rds:               ]
@aws-cdk/aws-rds:             },
@aws-cdk/aws-rds:             "StorageEncrypted": true
@aws-cdk/aws-rds:           },
@aws-cdk/aws-rds:           "UpdateReplacePolicy": "Snapshot",
@aws-cdk/aws-rds:           "DeletionPolicy": "Snapshot"
@aws-cdk/aws-rds:         }
@aws-cdk/aws-rds:       983 |
@aws-cdk/aws-rds:       984 |     // THEN
@aws-cdk/aws-rds:     > 985 |     expect(stack).toHaveResource('AWS::RDS::DBCluster', {
@aws-cdk/aws-rds:           |                   ^
@aws-cdk/aws-rds:       986 |       Engine: 'aurora-postgresql',
@aws-cdk/aws-rds:       987 |       DBClusterParameterGroupName: 'default.aurora-postgresql10',
@aws-cdk/aws-rds:       988 |       EngineMode: 'serverless',
@aws-cdk/aws-rds:       at Object.<anonymous> (test/serverless-cluster.test.ts:985:19)

[CorentinDoue]

BTW, a unit test is currently failing

I was using yarn test locally. I didn't realize it only test the js files. It's a little misleading ;)

Pull request has been modified.

[CorentinDoue]

@skinny85 You can check the changes in the fixup commit. I will fixup it in one commit when the PR will be ready to merge

[skinny85]

Looks great @CorentinDoue! I've commented on the simple trick below that allows you to assert the absence of a value in the template.

[skinny85]

@CorentinDoue what's the status here? Are you still planning to work on this, or should someone take this over?

[CorentinDoue]

@skinny85 sorry I forgot about this PR. It should be ok now.

[skinny85]

In general, looks really good @CorentinDoue! I have a few minor last-minute comments, if you'll humor me 😉.

[skinny85]

Hmm. Is this implying that when enableDataApi is false, a VPC is required?

[CorentinDoue]

No, the two notions are separated

[skinny85]

Can we polish this wording then? Because that's what it's implying right now (at least that's how I read it).

[skinny85]

Suggested change

	* @default - No VPC related construct will be created:
	* @default - no VPC will be used

[CorentinDoue]

An RDS cluster can't be outside a VPC. So if no VPC is provided the cluster will be created in a VPC, with subnets and security groups but we will not manage them at all. That's what I expect when I use the Data API, I don't want to handle network configuration.
Here an example of Aurora Cluster created without VPC (directly with CfnDBCluster)

The created cluster is

You can see there is a VPC, 3 subnets, and a security group but I never provided them and I will never interact with them.

So I propose you the folowing description:

Suggested change

	* @default - No VPC related construct will be created:
	* @default - The cluster will be created in the default VPC

That's what I understand of the Cloud Formation doc

https://docs.aws.amazon.com/fr_fr/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#aws-resource-rds-dbcluster-properties

[skinny85]

Thanks for the detailed explanation. I agree with your suggestion 🙂.

[skinny85]

So here, if props.vpc is undefined, but props.securityGroups is not, we will actually set these Security Groups in the Cluster. Is that even correct? Should we check this, and error out, similarly like we do if props. vpcSubnets is set without props.vpc?

[CorentinDoue]

I think it's possible to pass some securityGroups linked to the default VPC without passing it explicitly. But I agree it's better to force the VPC to be provided to use them. I add an error.

Pull request has been modified.

[CorentinDoue]

@skinny85 I rebased and treated the last comments :)

[skinny85]

Looks great @CorentinDoue! A few small documentation tweaks, and we're good to go.

[skinny85]

Actually, let's leave this example as-is, and add a new sub-section, with the appropriate header level, talking about VPC being optional.

If optional VPC and enableDataApi are indeed separate, let's separate them in our documentation as well.

[skinny85]

After #18366 is merged, updating from master should fix the build (it's a problem during a release).

[CorentinDoue]

@skinny85 I found some time to work on this PR. It should be ok now.

[skinny85]

Looks like our backwards compatibility checker doesn't like some of the changes:

err  - PROP @aws-cdk/aws-rds.ServerlessCluster.securityGroups: type Optional<Array<@aws-cdk/aws-ec2.ISecurityGroup>> (formerly Array<@aws-cdk/aws-ec2.ISecurityGroup>): output type is now optional [changed-type:@aws-cdk/aws-rds.ServerlessCluster.securityGroups]
err  - PROP @aws-cdk/aws-rds.ServerlessClusterFromSnapshot.securityGroups: type Optional<Array<@aws-cdk/aws-ec2.ISecurityGroup>> (formerly Array<@aws-cdk/aws-ec2.ISecurityGroup>): output type is now optional [changed-type:@aws-cdk/aws-rds.ServerlessClusterFromSnapshot.securityGroups]

I guess since they are protected, we can't change them to be optional.

Would you mind making these required again? Simply returning an empty list should be good enough.

[CorentinDoue]

Looks like our backwards compatibility checker doesn't like some of the changes:

err  - PROP @aws-cdk/aws-rds.ServerlessCluster.securityGroups: type Optional<Array<@aws-cdk/aws-ec2.ISecurityGroup>> (formerly Array<@aws-cdk/aws-ec2.ISecurityGroup>): output type is now optional [changed-type:@aws-cdk/aws-rds.ServerlessCluster.securityGroups]
err  - PROP @aws-cdk/aws-rds.ServerlessClusterFromSnapshot.securityGroups: type Optional<Array<@aws-cdk/aws-ec2.ISecurityGroup>> (formerly Array<@aws-cdk/aws-ec2.ISecurityGroup>): output type is now optional [changed-type:@aws-cdk/aws-rds.ServerlessClusterFromSnapshot.securityGroups]

I guess since they are protected, we can't change them to be optional.

Would you mind making these required again? Simply returning an empty list should be good enough.

@skinny85 fixed :)

[skinny85]

Looks great @CorentinDoue! A few tiny last comments, and we'll get this merged in!

[skinny85]

Let's revert these changes. It's enough to mention that vpc is optional below.

[CorentinDoue]

The example shows the minimal configuration to enable the data API. As the vpc is now optional, I think it shouldn't be in the example

[CorentinDoue]

@skinny85 it should be ok

[skinny85]

Thanks @CorentinDoue!

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: bc8ec49
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).