feat(redshift): add initial L2 Redshift construct #5730

Merged
merged 54 commits into from
May 27, 2020

@bweigel bweigel commented Jan 9, 2020

Initial commit to support Redshift as an L2 construct. This introduces the RedshiftCluster construct. It is by and large copy-pasted from @aws-cdk/aws-rds and adheres to the same functionality.

Purposeful Design Decisions

  • no non-VPC clusters (a cluster will only be launched in a VPC; no L2 construct for AWS::Redshift::ClusterSecurityGroup or AWS::Redshift::ClusterSecurityGroupIngress)
  • cluster can only be launched in private Subnets
  • nodes will be encrypted
  • cluster will not be public and won't have an elastic IP
  • HSM cannot be configured

Checklist

  • Implementation on L2 construct for Redshift
  • initial Unit tests
  • additional Unit tests to satisfy coverage requirements
  • Documentation in README.md

This PR closes #5711

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
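
The design decisions listed in the description above can be checked mechanically against a synthesized CloudFormation template. The following is an added example, not code from this PR or from aws-cdk; `auditRedshift`, `isSet` and the sample template are hypothetical names. It assumes literal property values rather than intrinsic functions, and does not verify that the subnets are private.

```typescript
// Added example, not aws-cdk code. Assumes literal property values (no Fn:: intrinsics).
type Props = Record<string, unknown>;
interface Template { Resources: Record<string, { Type: string; Properties?: Props }> }
// Resource types the PR description says the construct deliberately does not model.
const NON_VPC_TYPES = [
  'AWS::Redshift::ClusterSecurityGroup',
  'AWS::Redshift::ClusterSecurityGroupIngress',
];

// True when a template property carries a value (not absent, empty string or empty list).
function isSet(v: unknown): boolean {
  return v !== undefined && v !== null && v !== '' && !(Array.isArray(v) && v.length === 0);
}

// Returns one finding per violated design decision; an empty list means the template conforms.
function auditRedshift(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (NON_VPC_TYPES.indexOf(res.Type) !== -1) findings.push(`${id}: non-VPC type ${res.Type}`);
    if (res.Type !== 'AWS::Redshift::Cluster') continue;
    const p: Props = res.Properties ?? {};
    // "nodes will be encrypted": require an explicit true.
    if (p.Encrypted !== true) findings.push(`${id}: Encrypted is not true`);
    // "cluster will not be public and won't have an elastic IP"
    if (p.PubliclyAccessible !== false) findings.push(`${id}: PubliclyAccessible is not false`);
    if (isSet(p.ElasticIp)) findings.push(`${id}: ElasticIp is set`);
    // "no non-VPC clusters": a VPC cluster names a subnet group and has no classic security groups.
    if (!isSet(p.ClusterSubnetGroupName)) findings.push(`${id}: ClusterSubnetGroupName is missing`);
    if (isSet(p.ClusterSecurityGroups)) findings.push(`${id}: ClusterSecurityGroups is set`);
    // "HSM cannot be configured"
    for (const k of ['HsmClientCertificateIdentifier', 'HsmConfigurationIdentifier']) {
      if (isSet(p[k])) findings.push(`${id}: ${k} is set`);
    }
  }
  return findings;
}

// Constructed, abbreviated sample template: one cluster that breaks three of the decisions.
const SAMPLE: Template = {
  Resources: {
    Bad: {
      Type: 'AWS::Redshift::Cluster',
      Properties: { Encrypted: false, PubliclyAccessible: true, ElasticIp: '203.0.113.10',
        ClusterSubnetGroupName: 'constructed-subnet-group' },
    },
  },
};
const sampleFindings = auditRedshift(SAMPLE);
```

Run over the output of `cdk synth`, a check like this catches a later change that relaxes one of the defaults before it is deployed.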

@bweigel bweigel requested a review from skinny85 as a code owner January 9, 2020 12:09
- adds documentation
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

@skinny85 skinny85 left a comment

Thanks so much for the contribution @bweigel ! I don't have time for a full review at this exact moment, but one thing stood out for me.

packages/@aws-cdk/aws-redshift/README.md (outdated, resolved)
@mergify mergify bot dismissed skinny85’s stale review January 10, 2020 02:41

Pull request has been modified.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

@bweigel
Contributor Author

bweigel commented Jan 11, 2020

@skinny85 I think I am done for now and will wait for some feedback. One thing I need to mention is that I could not achieve a high enough coverage for the automatically generated ./lib/redshift.generated.ts:

image

So for now I have lowered the coverage requirements for this file.
Is there a better way to achieve coverage in this? Does this need to be tested directly?
Cheers.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@skinny85
Contributor

> One thing I need to mention is that I could not achieve a high enough coverage for the automatically generated ./lib/redshift.generated.ts:
> So for now I have lowered the coverage requirements for this file.
> Is there a better way to achieve coverage in this? Does this need to be tested directly?

This probably means your current proposal does not cover the entire surface area of Redshift (which is roughly what ./lib/redshift.generated.ts represents). That's totally fine though; while eventually, we want the library to have all capabilities that the L1 code has, there's absolutely no requirement to do it in one PR, so your solution of changing the coverage requirements is fine for now 🙂.

@bweigel
Contributor Author

bweigel commented Jan 21, 2020

Any update here? 😬

@skinny85
Contributor

> Any update here? 😬

I haven't forgotten you, just been super swamped. I will try my best to get to the review this week!

Contributor

@skinny85 skinny85 left a comment

This looks great @bweigel ! First batch of comments (second should be coming soon, but GitHub is a little flaky, and I don't want to lose the comments I've already written).

packages/@aws-cdk/aws-redshift/README.md (outdated, resolved)
packages/@aws-cdk/aws-redshift/README.md (resolved)
packages/@aws-cdk/aws-redshift/lib/cluster-ref.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster-ref.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster-ref.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
*
* @default - A role is automatically created for you
*/
readonly iamRoles?: IRole[];
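
Review bot: the `@default` line on `iamRoles` says a role is created automatically but not which permissions that role carries, so a reader cannot tell what access the cluster gets when the property is omitted. Spell that out in the doc comment, or make the default an empty list so that every role on the cluster is one the user chose.
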
Contributor

  1. What's the meaning of passing multiple roles here? I'm genuinely asking (I've only ever seen a single role passed to resources that need it).
  2. We usually skip the service name prefix. So this should just be roles.

Contributor Author

> 1. What's the meaning of passing multiple roles here? I'm genuinely asking (I've only ever seen a single role passed to resources that need it).

I thought it would model the way Redshift does roles (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-iamroles). You can add up to 10 roles and use them when doing queries.

The alternative would be some kind of method that allows you to attach additional roles.
What is your take on that?

Thinking about your question, it could also be reasonable to just @default to no role at all. However, I think it would be a nicer dev experience if one was provided from the start. 🤔

Contributor

Maybe I don't understand how Redshift works. Can you explain:

  1. What does it mean to have more than one role associated with a cluster?
  2. What does it mean to have 0 roles associated with the cluster?

Contributor Author

Roles are a means for Redshift to access other AWS services (like S3, Glue or DynamoDB) when using the UNLOAD or COPY commands (https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html). During UNLOAD or COPY you can pass an IAM role associated with the cluster for authorization like this:

copy catdemo
from 's3://awssampledbuswest2/tickit/category_pipe.txt'
iam_role 'arn:aws:iam::<aws-account-id>:role/<role-name>'
region 'us-west-2';

from https://docs.aws.amazon.com/redshift/latest/dg/r_COPY.html

  1. You could have two roles attached to the cluster. One allowing access to S3, one allowing access to DynamoDB for example.
  2. Redshift cannot access other AWS services

packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
Contributor

@skinny85 skinny85 left a comment

Second batch of comments :)

packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/cluster.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/parameter-group.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/parameter-group.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/parameter-group.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/props.ts (outdated, resolved)
packages/@aws-cdk/aws-redshift/lib/props.ts (outdated, resolved)
skinny85 previously approved these changes May 20, 2020
Contributor

@skinny85 skinny85 left a comment

Thanks for your patience @bweigel !

I still don't see a reason we should have family on ClusterParameterGroupProps if there is a single value allowed there... but I won't hold the PR any longer, as it's really great otherwise, and you've shown a lot of perseverance already 🙂. I'll just remove it as a follow-up ;).

@mergify
Contributor

mergify bot commented May 20, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 492da13
  • Result: FAILED
  • Build Logs (available for 30 days)

@skinny85
Contributor

skinny85 commented May 20, 2020

@bweigel can you rebase / merge with latest master? The way to handle Jest changed in the meantime (we no longer use "jest" in package.json, the configuration is held in a local jest.config.js that allows you to create exclusions like this:

statements: 75,
branches: 65,
)

Right now, the build is failing with:

@aws-cdk/aws-redshift: Jest: "global" coverage threshold for branches (80%) not met: 79.69%

Maybe add one more test to get that coverage through that (tiny) hump...?

Also, while you're at it, please please remove the family property from ClusterParameterGroupProps 😃

@mergify mergify bot dismissed skinny85’s stale review May 26, 2020 23:39

Pull request has been modified.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 7c00c58
  • Result: FAILED
  • Build Logs (available for 30 days)

skinny85 previously approved these changes May 26, 2020
@mergify mergify bot dismissed skinny85’s stale review May 26, 2020 23:56

Pull request has been modified.

skinny85 previously approved these changes May 26, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 4dcb710
  • Result: FAILED
  • Build Logs (available for 30 days)

@skinny85
Contributor

I did all of the changes I mentioned in #5730 (comment) , but now our PR build is broken 😭.

@mergify mergify bot dismissed skinny85’s stale review May 27, 2020 19:30

Pull request has been modified.

@skinny85 skinny85 changed the title feat(redshift): add L2 Redshift construct feat(redshift): add initial L2 Redshift construct May 27, 2020
@mergify
Contributor

mergify bot commented May 27, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 6dee681
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 1e298b0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 8e2364c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@mergify
Contributor

mergify bot commented May 27, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@bweigel
Contributor Author

bweigel commented Jul 2, 2020

I lost track of this for a while.
So glad you put in the work on the final steps @skinny85 . Thanks 👍

@skinny85
Contributor

skinny85 commented Jul 2, 2020

No worries, thank you for the contribution 🙂

Development

Successfully merging this pull request may close these issues.

[redshift] L2 Construct for Redshift