feat!: enable ssl by default #38

wants to merge 1 commit into
base: main
20 changes: 18 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ const provider = new Provider(this, "Provider", {
```

For an instance:

```ts
import { Provider } from "cdk-rds-sql"

Expand Down Expand Up @@ -107,6 +108,22 @@ const provider = new Provider(this, "Provider", {
})
```

### Disabling SSL

The default connection to RDS is ssl enabled (this used to be disabled
in versions below 4).

You can disable ssl by setting the `ssl` option to `false`:

```ts
const provider = new Provider(this, "Provider", {
vpc: vpc,
instance: instance,
secret: cluster.secret!,
ssl: false, // default is true
})
```

## Roles

Create a postgres role (user) for a cluster as follows:
Expand Down Expand Up @@ -240,11 +257,10 @@ DO $$BEGIN
drop table t;
END IF;
END$$;
`
`,
})
```


Note that there is no synchronisation between various `Sql`
constructs, in particular the order in your code does not determine
the order in which your SQL is executed. This happens in parallel,
Expand Down
2 changes: 2 additions & 0 deletions src/handler.ts
Original file line number Diff line number Diff line change
Expand Up @@ -310,13 +310,15 @@ export const handler = async (
} else {
database = databaseName ?? secretValues.dbname // connect to given database if possible, else to database mentioned in secret
}
const ssl = process.env.SSL ? JSON.parse(process.env.SSL) : true
const params = {
host: secretValues.host,
port: secretValues.port,
user: secretValues.username,
password: secretValues.password,
database: database,
connectionTimeoutMillis: 30000, // return an error if a connection could not be established within 30 seconds
ssl: ssl,
}
log(
`Connecting to host ${params.host}: ${params.port}, database ${params.database} as ${params.user}`
Expand Down
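Review bot: `JSON.parse(process.env.SSL)` on L90 accepts any JSON value, so a misconfigured or tampered `SSL={"rejectUnauthorized":false}` would be passed straight through as pg's `ssl` option and silently weaken certificate verification, while a non-JSON value such as `SSL=off` throws a SyntaxError from inside the handler. Since provider.ts only ever writes the string `"false"`, fail closed instead: `const ssl = process.env.SSL !== "false"` keeps TLS on for every value except that literal. With `ssl: true` node-postgres verifies the server certificate against Node's default trust store (worth confirming against the pinned pg version); if the RDS CA is not in that store the connection will fail, and the README should say so rather than leave users to reach for `ssl: false`. It would also help to include the setting in the log line on L101, e.g. `... as ${params.user} (ssl=${params.ssl})`. The enclosing `handler` function begins before this hunk.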
14 changes: 14 additions & 0 deletions src/provider.ts
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,13 @@ export interface RdsSqlProps {
* @default - empty
*/
readonly functionProps?: NodejsFunctionProps

/**
* Use SSL?
*
* @default - true
*/
readonly ssl?: boolean
}

export class Provider extends Construct {
Expand Down Expand Up @@ -124,6 +131,12 @@ export class Provider extends Construct {
"node_modules/cdk-rds-sql/lib/handler.js"
)
}
let ssl_options: Record<string, string> | undefined
if (props.ssl !== undefined && !props.ssl) {
ssl_options = {
SSL: JSON.stringify(props.ssl),
}
}
const logger = props.logger ?? false
const fn = new lambda.NodejsFunction(scope, id, {
...props.functionProps,
Expand All @@ -142,6 +155,7 @@ export class Provider extends Construct {
environment: {
LOGGER: logger.toString(),
NODE_OPTIONS: "--enable-source-maps",
...ssl_options,
},
})
return fn
Expand Down
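Review bot: `ssl_options` on L123 is snake_case in a file that otherwise uses camelCase, and the guard `props.ssl !== undefined && !props.ssl` on L124 is just `props.ssl === false`. Suggest `let sslOptions: { SSL: string } | undefined` with `if (props.ssl === false) { sslOptions = { SSL: "false" } }` and `...sslOptions` in the environment block. Because the enabled case is expressed as the absence of the variable, the effective default lives in handler.ts rather than here; the TSDoc on L111-114 should make that explicit: `Use SSL for the database connection? When false the handler receives SSL=false; otherwise it applies its own default (true).` The enclosing method and class start before this hunk.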
1 change: 1 addition & 0 deletions test/handler.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ let pgHost: string
let pgPort: number

beforeEach(async () => {
process.env.SSL = "false"
pgContainer = await new GenericContainer("postgres")
.withExposedPorts(DB_PORT)
.withEnv("POSTGRES_USER", DB_MASTER_USERNAME)
Expand Down
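Review bot: `process.env.SSL = "false"` on L147 is set in `beforeEach` but never restored, so it leaks into every test that runs later in the same worker, and it also means the handler's default path (TLS on) is never exercised by this suite. Add `afterEach(() => { delete process.env.SSL })`, or save and restore the previous value, and if the postgres container can be started with TLS add a case that leaves `SSL` unset. The `beforeEach` callback continues past the end of the hunk.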
23 changes: 9 additions & 14 deletions test/serverlessv2-stack.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { Aspects, Fn, RemovalPolicy, Stack, StackProps } from "aws-cdk-lib"
import { Fn, RemovalPolicy, Stack, StackProps } from "aws-cdk-lib"
import * as ec2 from "aws-cdk-lib/aws-ec2"
import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs"
import * as rds from "aws-cdk-lib/aws-rds"
Expand All @@ -7,8 +7,12 @@ import { Construct } from "constructs"
import { Provider, Database, Role, Schema, Sql } from "./../src/index"
import { Vpc } from "./vpc"

export interface TestStackProps extends StackProps {
ssl?: boolean
}

export class TestStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
constructor(scope: Construct, id: string, props: TestStackProps) {
super(scope, id, props)

const vpc = new Vpc(this, "Vpc")
Expand All @@ -24,24 +28,14 @@ export class TestStack extends Stack {
publiclyAccessible: false,
enablePerformanceInsights: false,
}),
serverlessV2MinCapacity: 0.5,
serverlessV2MaxCapacity: 1,
vpc: vpc.vpc,
vpcSubnets: {
subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
},
})

Aspects.of(cluster).add({
// <-- cluster is an instance of DatabaseCluster
visit(node) {
if (node instanceof rds.CfnDBCluster) {
node.serverlessV2ScalingConfiguration = {
minCapacity: 0.5,
maxCapacity: 1,
}
}
},
})

const provider = new Provider(this, "Provider", {
vpc: vpc.vpc,
cluster: cluster,
Expand All @@ -52,6 +46,7 @@ export class TestStack extends Stack {
logGroupName: "/aws/lambda/provider",
}),
},
ssl: props.ssl,
})
Database.fromDatabaseName(this, "DefaultDatabase", "example")

Expand Down
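Review bot: the new `ssl?: boolean` on L165 has no doc comment, and the switch to `serverlessV2MinCapacity`/`serverlessV2MaxCapacity` on L178-179 together with the removal of the `Aspects` block on L186-196 is a cluster-scaling refactor unrelated to SSL that would be easier to review and revert as its own commit. Add `/** Forwarded to Provider.ssl; leave undefined to keep the Provider default. */` above L165. The constructor body continues past the last hunk.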
32 changes: 31 additions & 1 deletion test/stack.test.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import * as cdk from "aws-cdk-lib"
import { Template } from "aws-cdk-lib/assertions"
import { Match, Template } from "aws-cdk-lib/assertions"
import * as ec2 from "aws-cdk-lib/aws-ec2"
import * as rds from "aws-cdk-lib/aws-rds"
import * as serverlessv1 from "./serverlessv1-stack"
Expand Down Expand Up @@ -103,6 +103,15 @@ test("serverless v2", () => {
],
},
})
template.hasResourceProperties("AWS::Lambda::Function", {
Runtime: "nodejs20.x",
Environment: {
Variables: {
LOGGER: "false",
SSL: Match.absent(),
},
},
})
})

test("absence of security group is detected", () => {
Expand Down Expand Up @@ -178,3 +187,24 @@ test("vpcSubnet selection can be specified", () => {
})
}).toThrowError()
})

test("ssl can be disabled", () => {
const app = new cdk.App()
const stack = new serverlessv2.TestStack(app, "TestStack", {
env: {
account: "123456789",
region: "us-east-1",
},
ssl: false,
})
const template = Template.fromStack(stack)
template.hasResourceProperties("AWS::Lambda::Function", {
Runtime: "nodejs20.x",
Environment: {
Variables: {
LOGGER: "false",
SSL: "false",
},
},
})
})
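Review bot: `SSL: Match.absent()` on L228 and `SSL: "false"` on L255 check only how the provider encodes the option, not that the deployed handler actually defaults to TLS, so an accidental default flip in handler.ts would still pass this suite; the handler-level default needs its own assertion. Both tests also pin `Runtime: "nodejs20.x"`, which is unrelated to SSL and will break on the next runtime bump — drop that key and assert on `Environment.Variables` only. The repeated `cdk.App`/`TestStack` setup with `account: "123456789"` (AWS account IDs are 12 digits, though CDK may not validate this here) could move into a small helper shared by the tests in this file.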