umccr · williamputraintan · Jan 30, 2024 · Jan 25, 2024 · Jan 29, 2024 · Jan 30, 2024
diff --git a/config/constants.ts b/config/constants.ts
@@ -1,11 +1,12 @@
 import { OrcaBusStatefulConfig } from '../lib/workload/orcabus-stateful-stack';
-import { AuroraMysqlEngineVersion } from 'aws-cdk-lib/aws-rds';
+import { AuroraPostgresEngineVersion } from 'aws-cdk-lib/aws-rds';
 import { OrcaBusStatelessConfig } from '../lib/workload/orcabus-stateless-stack';
-import { aws_lambda } from 'aws-cdk-lib';
+import { Duration, aws_lambda } from 'aws-cdk-lib';
 
 const regName = 'OrcaBusSchemaRegistry';
 const eventBusName = 'OrcaBusMain';
 const lambdaSecurityGroupName = 'OrcaBusLambdaSecurityGroup';
+const rdsMasterSecretName = 'orcabus/rds-master'; // pragma: allowlist secret
 
 const orcaBusStatefulConfig = {
   schemaRegistryProps: {
@@ -21,13 +22,18 @@ const orcaBusStatefulConfig = {
   databaseProps: {
     clusterIdentifier: 'orcabus-db',
     defaultDatabaseName: 'orcabus',
-    version: AuroraMysqlEngineVersion.VER_3_02_2,
-    parameterGroupName: 'default.aurora-mysql8.0',
+    version: AuroraPostgresEngineVersion.VER_15_4,
+    parameterGroupName: 'default.aurora-postgresql15',
     username: 'admin',
+    dbPort: 5432,
+    masterSecretName: rdsMasterSecretName,
+    monitoring: {
+      cloudwatchLogsExports: ['orcabus-postgresql'],
+    },
   },
   securityGroupProps: {
     securityGroupName: lambdaSecurityGroupName,
-    securityGroupDescription: 'Allow within same SecurityGroup',
+    securityGroupDescription: 'allow within same SecurityGroup and rds SG',
   },
 };
 
@@ -53,6 +59,7 @@ const orcaBusStatelessConfig = {
   lambdaSecurityGroupName: lambdaSecurityGroupName,
   lambdaRuntimePythonVersion: aws_lambda.Runtime.PYTHON_3_10,
   bclConvertFunctionName: 'orcabus_bcl_convert',
+  rdsMasterSecretName: rdsMasterSecretName,
 };
 
 interface EnvironmentConfig {
@@ -85,6 +92,8 @@ export const getEnvironmentConfig = (
               numberOfInstance: 1,
               minACU: 0.5,
               maxACU: 1,
+              enhancedMonitoringInterval: Duration.seconds(60),
+              enablePerformanceInsights: true,
             },
             securityGroupProps: {
               ...orcaBusStatefulConfig.securityGroupProps,
@@ -112,6 +121,8 @@ export const getEnvironmentConfig = (
               numberOfInstance: 1,
               minACU: 0.5,
               maxACU: 1,
+              enhancedMonitoringInterval: Duration.seconds(60),
+              enablePerformanceInsights: true,
             },
             securityGroupProps: {
               ...orcaBusStatefulConfig.securityGroupProps,

diff --git a/lib/workload/orcabus-stateful-stack.ts b/lib/workload/orcabus-stateful-stack.ts
@@ -29,18 +29,18 @@ export class OrcaBusStatefulStack extends cdk.Stack {
     // --- Create Stateful resources
 
     this.eventBus = new EventBusConstruct(this, 'OrcaBusEventBusConstruct', props.eventBusProps);
+
     this.securityGroup = new SecurityGroupConstruct(
       this,
       'OrcaBusSecurityGroupConstruct',
       vpc,
       props.securityGroupProps
     );
+
     this.database = new DatabaseConstruct(this, 'OrcaBusDatabaseConstruct', vpc, {
       ...props.databaseProps,
-      allowDbSGIngressRule: [
-        { peer: this.securityGroup.lambdaSecurityGroup, description: 'allow lambda SecurityGroup' },
-      ],
     });
+
     this.schemaRegistry = new SchemaRegistryConstruct(
       this,
       'SchemaRegistryConstruct',

diff --git a/lib/workload/orcabus-stateless-stack.ts b/lib/workload/orcabus-stateless-stack.ts
@@ -11,6 +11,7 @@ export interface OrcaBusStatelessConfig {
   lambdaSecurityGroupName: string;
   lambdaRuntimePythonVersion: aws_lambda.Runtime;
   bclConvertFunctionName: string;
+  rdsMasterSecretName: string;
 }
 
 export class OrcaBusStatelessStack extends cdk.Stack {

diff --git a/lib/workload/stateful/database/component.ts b/lib/workload/stateful/database/component.ts
@@ -1,86 +1,98 @@
 import { Construct } from 'constructs';
-import { Aspects, RemovalPolicy } from 'aws-cdk-lib';
+import { RemovalPolicy, Duration } from 'aws-cdk-lib';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 
-export interface DatabaseProps {
+/**
+ * Props for enabling enhanced monitoring.
+ */
+type MonitoringProps = {
+  /**
+   * Add cloud watch exports.
+   */
+  readonly cloudwatchLogsExports?: string[];
+  /**
+   * Enable performance insights.
+   */
+  readonly enablePerformanceInsights?: boolean;
+  /**
+   * performance insights retention period
+   */
+  readonly performanceInsightsRetention?: rds.PerformanceInsightRetention;
+  /**
+   * Enable enhanced monitoring by specifying the interval
+   */
+  readonly enhancedMonitoringInterval?: Duration;
+};
+
+export type DatabaseProps = MonitoringProps & {
   clusterIdentifier: string;
   defaultDatabaseName: string;
   parameterGroupName: string;
   username: string;
-  version: rds.AuroraMysqlEngineVersion;
+  masterSecretName: string;
+  version: rds.AuroraPostgresEngineVersion;
   numberOfInstance: number;
   minACU: number;
   maxACU: number;
-  allowDbSGIngressRule?: {
-    peer: ec2.IPeer;
-    description?: string;
-  }[];
-}
+  dbPort: number;
+  allowedInboundSG?: ec2.SecurityGroup;
+};
 
 export class DatabaseConstruct extends Construct {
   readonly dbSecurityGroup: ec2.SecurityGroup;
   readonly dbCluster: rds.DatabaseCluster;
 
   constructor(scope: Construct, id: string, vpc: ec2.IVpc, props: DatabaseProps) {
     super(scope, id);
-    const dbPort = 3306;
 
-    const secret = new rds.DatabaseSecret(this, id + 'Secret', {
+    const dbSecret = new rds.DatabaseSecret(this, id + 'DbSecret', {
       username: props.username,
+      secretName: props.masterSecretName,
     });
 
     this.dbSecurityGroup = new ec2.SecurityGroup(this, 'DbSecurityGroup', {
       vpc: vpc,
-      allowAllOutbound: true,
+      allowAllOutbound: false,
+      allowAllIpv6Outbound: false,
+      description: 'security group for OrcaBus RDS',
     });
 
-    if (props.allowDbSGIngressRule) {
-      for (const i in props.allowDbSGIngressRule) {
-        const sgProps = props.allowDbSGIngressRule[i];
-        this.dbSecurityGroup.addIngressRule(
-          sgProps.peer,
-          ec2.Port.tcp(dbPort),
-          sgProps.description
-        );
-      }
+    // give compute sg to access the rds
+    if (props.allowedInboundSG) {
+      this.dbSecurityGroup.addIngressRule(
+        props.allowedInboundSG,
+        ec2.Port.tcp(props.dbPort),
+        'allow the OrcaBus compute sg to access db'
+      );
     }
 
     this.dbCluster = new rds.DatabaseCluster(this, id + 'Cluster', {
-      engine: rds.DatabaseClusterEngine.auroraMysql({
-        version: props.version,
-      }),
-      port: dbPort,
-      instances: props.numberOfInstance,
-      instanceProps: {
-        vpc: vpc,
-        vpcSubnets: {
-          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
-        },
-        securityGroups: [this.dbSecurityGroup],
-        instanceType: new ec2.InstanceType('serverless'),
-        parameterGroup: rds.ParameterGroup.fromParameterGroupName(
-          this,
-          id + 'ParameterGroup',
-          props.parameterGroupName
-        ),
-      },
-
-      removalPolicy: RemovalPolicy.DESTROY,
-      credentials: rds.Credentials.fromSecret(secret),
+      engine: rds.DatabaseClusterEngine.auroraPostgres({ version: props.version }),
       clusterIdentifier: props.clusterIdentifier,
+      credentials: rds.Credentials.fromSecret(dbSecret),
       defaultDatabaseName: props.defaultDatabaseName,
-    });
-
-    Aspects.of(this.dbCluster).add({
-      visit(node) {
-        if (node instanceof rds.CfnDBCluster) {
-          node.serverlessV2ScalingConfiguration = {
-            minCapacity: props.minACU,
-            maxCapacity: props.maxACU,
-          };
-        }
+      parameterGroup: rds.ParameterGroup.fromParameterGroupName(
+        this,
+        id + 'ParameterGroup',
+        props.parameterGroupName
+      ),
+      port: props.dbPort,
+      removalPolicy: RemovalPolicy.DESTROY,
+      securityGroups: [this.dbSecurityGroup],
+      serverlessV2MaxCapacity: props.maxACU,
+      serverlessV2MinCapacity: props.minACU,
+      vpc: vpc,
+      vpcSubnets: {
+        subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
       },
+
+      cloudwatchLogsExports: props.cloudwatchLogsExports,
+      monitoringInterval: props.enhancedMonitoringInterval,
+
+      writer: rds.ClusterInstance.serverlessV2('WriterClusterInstance', {
+        enablePerformanceInsights: props.enablePerformanceInsights,
+      }),
     });
   }
 }
diff --git a/lib/workload/stateful/securitygroup/component.ts b/lib/workload/stateful/securitygroup/component.ts
@@ -7,18 +7,19 @@ export interface SecurityGroupProps {
 }
 
 export class SecurityGroupConstruct extends Construct {
-  readonly lambdaSecurityGroup: ec2.SecurityGroup;
+  readonly computeSecurityGroup: ec2.SecurityGroup;
 
   constructor(scope: Construct, id: string, vpc: ec2.IVpc, props: SecurityGroupProps) {
     super(scope, id);
 
-    this.lambdaSecurityGroup = new ec2.SecurityGroup(this, id + 'LambdaSecurityGroup', {
+    this.computeSecurityGroup = new ec2.SecurityGroup(this, id + 'ComputeSecurityGroup', {
       securityGroupName: props.securityGroupName,
       vpc: vpc,
       allowAllOutbound: true,
     });
-    this.lambdaSecurityGroup.addIngressRule(
-      this.lambdaSecurityGroup,
+
+    this.computeSecurityGroup.addIngressRule(
+      this.computeSecurityGroup,
       ec2.Port.allTraffic(),
       props.securityGroupDescription
     );

diff --git a/test/workload/stateful/databaseConstruct.test.ts b/test/workload/stateful/databaseConstruct.test.ts
@@ -11,6 +11,7 @@ const constructConfig = getEnvironmentConfig('beta');
 if (!constructConfig) throw new Error('No construct config for the test');
 
 expect(constructConfig).toBeTruthy();
+const dbProps = constructConfig.stackProps.orcaBusStatefulConfig.databaseProps;
 
 beforeEach(() => {
   stack = new cdk.Stack();
@@ -28,10 +29,10 @@ test('Test DBCluster created props', () => {
   template.hasResourceProperties('AWS::RDS::DBCluster', {
     DBClusterIdentifier: 'orcabus-db',
     DatabaseName: 'orcabus',
-    DBClusterParameterGroupName: 'default.aurora-mysql8.0',
+    DBClusterParameterGroupName: dbProps.parameterGroupName,
     ServerlessV2ScalingConfiguration: {
-      MaxCapacity: 1,
-      MinCapacity: 0.5,
+      MaxCapacity: dbProps.maxACU,
+      MinCapacity: dbProps.minACU,
     },
   });
 });
@@ -45,13 +46,13 @@ test('Test other SG Allow Ingress to DB SG', () => {
 
   new DatabaseConstruct(stack, 'TestDatabaseConstruct', vpc, {
     ...constructConfig.stackProps.orcaBusStatefulConfig.databaseProps,
-    allowDbSGIngressRule: [{ peer: allowedSG, description: 'Allowed SG DB Ingress' }],
+    allowedInboundSG: allowedSG,
   });
   const template = Template.fromStack(stack);
 
   template.hasResourceProperties('AWS::EC2::SecurityGroupIngress', {
-    ToPort: 3306,
-    FromPort: 3306,
+    ToPort: dbProps.dbPort,
+    FromPort: dbProps.dbPort,
     SourceSecurityGroupId: {
       'Fn::GetAtt': [sgLogicalId, 'GroupId'],
     },