docs: provide example of using a different subnet type
berenddeboer committed May 9, 2024
1 parent 2791bb9 commit af75a07
Showing 1 changed file with 28 additions and 3 deletions.
31 changes: 28 additions & 3 deletions README.md
Expand Up @@ -67,9 +67,34 @@ const provider = new Provider(this, "Provider", {
})
```

The provider will setup a lambda, which will live in the same VPC, or
at minimum in a VPC that can get access to the database. The provider
will automatically setup a connection to the given cluster.
The provider will setup a lambda, which normally lives in the same VPC
as the database. You can give a different VPC, as long as that VPC has
access to the VPC of the database. Only the provider lambda will talk
to your database.

The provider will by default use the private isolated subnet of the
VPC. This is a breaking change from the past, where the provider used
the default strategy, which may not have been the private isolated
subnet. But from an enterprise security point of view having third
party code run in an isolated network by default is better.

Your isolated network must have a VPC endpoint to AWS Secrets Manager
and possibly KMS as well. If you want to use a subnet with egress
access in case you have no such VPC endpoints, specify the subnet as
follows:

```ts
import { Provider } from "cdk-rds-sql"

const provider = new Provider(this, "Provider", {
vpc: vpc,
vpcSubnet: {
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
},
cluster: cluster,
secret: cluster.secret!,
})
```

## Roles
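Review bot: the added `ts` example references `ec2.SubnetType.PRIVATE_WITH_EGRESS` but only imports `Provider`, so it will not compile as pasted; add `import * as ec2 from "aws-cdk-lib/aws-ec2"` next to the `cdk-rds-sql` import. The surrounding paragraph could also say plainly that `PRIVATE_WITH_EGRESS` gives the provider lambda a route out of the VPC, which is exactly the isolation the previous paragraph argues for by default, so readers treat it as the fallback for VPCs without Secrets Manager/KMS endpoints rather than a general recommendation. Since the paragraph calls the isolated-subnet default a breaking change, stating the version in which it landed (and where to look if the provider lambda can no longer reach Secrets Manager) would make the note actionable.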
