From 113ab2ab833fd06403418827e5e7bcd01d734c84 Mon Sep 17 00:00:00 2001
From: ashdhin
Date: Thu, 15 Aug 2024 22:54:34 +0000
Subject: [PATCH] fix(rds): deprecated instanceResourceId property and added new instanceResourceIdV2 property in DatabaseInstanceReadReplica to use in grantConnect().

---
 packages/aws-cdk-lib/aws-rds/lib/instance.ts | 45 +++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance.ts b/packages/aws-cdk-lib/aws-rds/lib/instance.ts
index 39b238f489611..89303a98bbe81 100644
--- a/packages/aws-cdk-lib/aws-rds/lib/instance.ts
+++ b/packages/aws-cdk-lib/aws-rds/lib/instance.ts
@@ -1333,7 +1333,13 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
   public readonly instanceIdentifier: string;
   public readonly dbInstanceEndpointAddress: string;
   public readonly dbInstanceEndpointPort: string;
+
+  /**
+   * @deprecated use `instanceResourceIdV2`
+   */
   public readonly instanceResourceId?: string;
+
+  public readonly instanceResourceIdV2?: string;
   public readonly instanceEndpoint: Endpoint;
   public readonly engine?: IInstanceEngine = undefined;
   protected readonly instanceType: ec2.InstanceType;
@@ -1366,7 +1372,8 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
     this.instanceIdentifier = instance.ref;
     this.dbInstanceEndpointAddress = instance.attrEndpointAddress;
     this.dbInstanceEndpointPort = instance.attrEndpointPort;
-    this.instanceResourceId = instance.attrDbiResourceId;
+    this.instanceResourceId = instance.attrDbInstanceArn;
+    this.instanceResourceIdV2 = instance.attrDbiResourceId;
 
     // create a number token that represents the port of the instance
     const portAttribute = Token.asNumber(instance.attrEndpointPort);
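Review bot: The new `instanceResourceIdV2` field in the first hunk has no doc comment, and the `@deprecated` tag on `instanceResourceId` does not say what the old property holds, although the second hunk makes that the whole point: `instanceResourceId` is assigned `instance.attrDbInstanceArn` while `instanceResourceIdV2` is assigned `instance.attrDbiResourceId`. A caller reading the declaration cannot tell which value they have or why migrating matters for `grantConnect()`, which builds the `rds-db:connect` resource ARN from the V2 value. Suggest `/** @deprecated use instanceResourceIdV2. On a read replica this holds the instance ARN (attrDbInstanceArn), not the DbiResourceId that IAM database authentication needs. */` on the old field and `/** The DbiResourceId of the replica instance; this is the value grantConnect() places in the rds-db:connect resource ARN. */` on the new one. Whether `attrDbInstanceArn` preserves pre-existing behaviour or regresses it is not visible from this patch alone, since the removed line assigned `attrDbiResourceId`; the commit message suggests the former, but it is worth confirming against the PR base.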
@@ -1376,6 +1383,42 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
 
     this.setLogRetention();
   }
+
+  /**
+   * Grant the given identity connection access to the database.
+   *
+   * @param grantee the Principal to grant the permissions to
+   * @param dbUser the name of the database user to allow connecting as to the db instance
+   */
+  public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {
+    if (this.enableIamAuthentication === false) {
+      throw new Error('Cannot grant connect when IAM authentication is disabled');
+    }
+
+    if (!this.instanceResourceIdV2) {
+      throw new Error('For imported Database Instances, instanceResourceIdV2 is required to grantConnect()');
+    }
+
+    if (!dbUser) {
+      throw new Error('For imported Database Instances, the dbUser is required to grantConnect()');
+    }
+
+    this.enableIamAuthentication = true;
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions: ['rds-db:connect'],
+      resourceArns: [
+        // The ARN of an IAM policy for IAM database access is not the same as the instance ARN, so we cannot use `this.instanceArn`.
+        // See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
+        Stack.of(this).formatArn({
+          arnFormat: ArnFormat.COLON_RESOURCE_NAME,
+          service: 'rds-db',
+          resource: 'dbuser',
+          resourceName: [this.instanceResourceIdV2, dbUser].join('/'),
+        }),
+      ],
+    });
+  }
 }
 
 /**
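Review bot: Both guard messages in the new `grantConnect()` say "For imported Database Instances", but this override lives on `DatabaseInstanceReadReplica`, a constructed resource, and the constructor hunk above assigns `instanceResourceIdV2` unconditionally, so neither message describes a situation a caller of this class can actually be in; the guard that can fire is the missing `dbUser`, which the TSDoc above it still presents as optional. Suggest `throw new Error('grantConnect() on a DatabaseInstanceReadReplica requires a dbUser');` for the second guard, and a line in the doc comment stating that `dbUser` is required here and that it becomes part of the `rds-db:connect` resource ARN, which is what keeps the grant scoped to a single database user. The `instanceResourceIdV2` guard can stay as a defensive check, but its message should not mention imported instances either. Why a replica cannot default `dbUser` the way the base class may do is not visible in this hunk; confirm against the base-class implementation before wording the comment.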