
Commit bc9d0b4

feat(rds): eliminating the need for explicit secret.grantRead() invokes when using DataAPI with Aurora cluster (#29399)
### Issue # (if applicable) Closes #29362. ### Reason for this change As discussed [there](#29338 (comment)), `secret.grantRead()` currently has to be invoked explicitly when using the Data API with an Aurora cluster. Because that is inconvenient for users, this change makes `cluster.grantDataApiAccess()` invoke `secret.grantRead()` itself. ### Description of changes - move `cluster.secret` from `DatabaseClusterNew` to `DatabaseClusterBase` so it can be used within `DatabaseClusterBase.grantDataApiAccess()` - add `secret.grantRead()` in `cluster.grantDataApiAccess()` - add a `secret` property to `DatabaseClusterAttributes` #### Points of concern `DatabaseClusterBase` is extended by `ImportedDatabaseCluster`, so `ImportedDatabaseCluster.secret` must also be defined. I simply added a `secret` prop to `DatabaseClusterAttributes`, but I am not sure this is the best way. Alternatives are: - add `secretArn` to `DatabaseClusterAttributes` - add no secret info, so that `ImportedDatabaseCluster.secret` is always undefined ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 9076d6e commit bc9d0b4


10 files changed

+186
-169
lines changed

@@ -10,7 +10,7 @@
1010
"Tags": [
1111
{
1212
"Key": "Name",
13-
"Value": "cluster-kerberos/VPC"
13+
"Value": "cluster-data-api/VPC"
1414
}
1515
]
1616
}
@@ -39,7 +39,7 @@
3939
},
4040
{
4141
"Key": "Name",
42-
"Value": "cluster-kerberos/VPC/PublicSubnet1"
42+
"Value": "cluster-data-api/VPC/PublicSubnet1"
4343
}
4444
],
4545
"VpcId": {
@@ -53,7 +53,7 @@
5353
"Tags": [
5454
{
5555
"Key": "Name",
56-
"Value": "cluster-kerberos/VPC/PublicSubnet1"
56+
"Value": "cluster-data-api/VPC/PublicSubnet1"
5757
}
5858
],
5959
"VpcId": {
@@ -94,7 +94,7 @@
9494
"Tags": [
9595
{
9696
"Key": "Name",
97-
"Value": "cluster-kerberos/VPC/PublicSubnet1"
97+
"Value": "cluster-data-api/VPC/PublicSubnet1"
9898
}
9999
]
100100
}
@@ -114,7 +114,7 @@
114114
"Tags": [
115115
{
116116
"Key": "Name",
117-
"Value": "cluster-kerberos/VPC/PublicSubnet1"
117+
"Value": "cluster-data-api/VPC/PublicSubnet1"
118118
}
119119
]
120120
},
@@ -147,7 +147,7 @@
147147
},
148148
{
149149
"Key": "Name",
150-
"Value": "cluster-kerberos/VPC/PublicSubnet2"
150+
"Value": "cluster-data-api/VPC/PublicSubnet2"
151151
}
152152
],
153153
"VpcId": {
@@ -161,7 +161,7 @@
161161
"Tags": [
162162
{
163163
"Key": "Name",
164-
"Value": "cluster-kerberos/VPC/PublicSubnet2"
164+
"Value": "cluster-data-api/VPC/PublicSubnet2"
165165
}
166166
],
167167
"VpcId": {
@@ -202,7 +202,7 @@
202202
"Tags": [
203203
{
204204
"Key": "Name",
205-
"Value": "cluster-kerberos/VPC/PublicSubnet2"
205+
"Value": "cluster-data-api/VPC/PublicSubnet2"
206206
}
207207
]
208208
}
@@ -222,7 +222,7 @@
222222
"Tags": [
223223
{
224224
"Key": "Name",
225-
"Value": "cluster-kerberos/VPC/PublicSubnet2"
225+
"Value": "cluster-data-api/VPC/PublicSubnet2"
226226
}
227227
]
228228
},
@@ -255,7 +255,7 @@
255255
},
256256
{
257257
"Key": "Name",
258-
"Value": "cluster-kerberos/VPC/PrivateSubnet1"
258+
"Value": "cluster-data-api/VPC/PrivateSubnet1"
259259
}
260260
],
261261
"VpcId": {
@@ -269,7 +269,7 @@
269269
"Tags": [
270270
{
271271
"Key": "Name",
272-
"Value": "cluster-kerberos/VPC/PrivateSubnet1"
272+
"Value": "cluster-data-api/VPC/PrivateSubnet1"
273273
}
274274
],
275275
"VpcId": {
@@ -324,7 +324,7 @@
324324
},
325325
{
326326
"Key": "Name",
327-
"Value": "cluster-kerberos/VPC/PrivateSubnet2"
327+
"Value": "cluster-data-api/VPC/PrivateSubnet2"
328328
}
329329
],
330330
"VpcId": {
@@ -338,7 +338,7 @@
338338
"Tags": [
339339
{
340340
"Key": "Name",
341-
"Value": "cluster-kerberos/VPC/PrivateSubnet2"
341+
"Value": "cluster-data-api/VPC/PrivateSubnet2"
342342
}
343343
],
344344
"VpcId": {
@@ -375,7 +375,7 @@
375375
"Tags": [
376376
{
377377
"Key": "Name",
378-
"Value": "cluster-kerberos/VPC"
378+
"Value": "cluster-data-api/VPC"
379379
}
380380
]
381381
}
@@ -543,6 +543,16 @@
543543
"Properties": {
544544
"PolicyDocument": {
545545
"Statement": [
546+
{
547+
"Action": [
548+
"secretsmanager:DescribeSecret",
549+
"secretsmanager:GetSecretValue"
550+
],
551+
"Effect": "Allow",
552+
"Resource": {
553+
"Ref": "DatabaseSecretAttachmentE5D1B020"
554+
}
555+
},
546556
{
547557
"Action": [
548558
"rds-data:BatchExecuteStatement",
@@ -575,16 +585,6 @@
575585
]
576586
]
577587
}
578-
},
579-
{
580-
"Action": [
581-
"secretsmanager:DescribeSecret",
582-
"secretsmanager:GetSecretValue"
583-
],
584-
"Effect": "Allow",
585-
"Resource": {
586-
"Ref": "DatabaseSecretAttachmentE5D1B020"
587-
}
588588
}
589589
],
590590
"Version": "2012-10-17"

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-data-api.js.snapshot/integ.json

+1-1
