feat(rds): add RDS DatabaseInstance.fromLookup

[pcheungamz]

Issue # (if applicable)

#31720

Needs this PR: cdklabs/cloud-assembly-schema#124

Reason for this change

Add DatabaseInstance.fromLookup() feature

Description of changes

Use CloudControl API as ContextProvider to query for DatabaseInstance.

Describe any new or updated permissions being added

Use will need to have permission to run CloudControl API.

Description of how you validated changes

Included unit tests for CC API and DatabaseInstance changes.

Checklist

• [ X ] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.
❌ CLI code has changed. A maintainer must run the code through the testing pipeline (git fetch origin pull/32901/head && git push -f origin FETCH_HEAD:test-main-pipeline), then add the 'pr-linter/cli-integ-tested' label when the pipeline succeeds.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 285be37
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[rix0rrr]

❤️ This looks great, thanks!

I have couple of small comments.

[rix0rrr]

Shouldn't we return some sort of error value? Perhaps throw an exception?

[pcheungamz]

ok, will throw error instead of returning {}.

[rix0rrr]

I see the API is returning a dictionary { id1 -> props1, id2 -> props2, ... }.

What's the advantage of mapping by ID? I'm honestly asking because I don't know if there's a reason for it. Wouldn't it make more sense to return a list? Just [ props1, props2, ... ] ?

I don't think there is a way for the consumer of this API to know the id in advance, so they will always need to iterate over Object.entries() anyway to get both [id, props] at the same time... but the identifier will be in the propsX object already anyway? (Or at least, if it is requested, which it should be)

[pcheungamz]

I see your point. Will change it to something like { results: [props1, props2, ...]}

[rix0rrr]

Is there an exception handler around this already?

What if findJsonValue throws because the user made a type in their path, will the error be handled sensibly? (I.e., descriptive error shown to the user, not a gory stack trace pointing somewhere to the innards of the CLI?)

[pcheungamz]

The current code returns undefined so no property of that name is set.
Since we are throwing exceptions in findJsonValue, I will add error handling and unit tests for that.

[rix0rrr]

This is clever and short, but I think I would like some more type checking on it and throwing descriptive error messages. Likely things users are going to do wrong: mistype a key, reference a key that's missing, reference a key of the wrong type...

Some errors of the kind:

Cannot read field 'foo.bar.quux': expected an object at 'foo.bar' but got "hello" 
Cannot read field 'foo.bar.quux': expected an object at 'foo.bar' but got undefined

Or something to that effect.

[pcheungamz]

Makes sense. I will add better error handling.

[rix0rrr]

Can we extract all this JSON object manipulation out to a separate file? It's independent and worthwhile enough to not confine it to the "cc api provider", where no one will ever find it again :)

[pcheungamz]

That makes sense. How about aws-cdk/lib/util/json.ts?

[rix0rrr]

You need to account for the fact that it wasn't found, right? What does that do?

[pcheungamz]

Will add try-catch and throw an Error when there is a problem with CC API lookup.

[rix0rrr]

The issue this PR is trying to close says to use databaseIdentifier. Is instanceIdentifier the same thing as databaseIdentifier?

[pcheungamz]

In RDS doc, DatabaseInstance has an instanceIdentifier property. So I try to be consistent with the doc. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html#instanceidentifier-1

[rix0rrr]

This looks great! Does it also work? Have you tested this in your actual AWS account?

I trust that the unit tests assert that the code holds to some contract... but do we actually know the contract is the right one? 😁

[rix0rrr]

We probably need to add an option to the properties object, and pass it here to fromSecurityGroupId, on whether the security groups are going to be mutable or immutable by default.

The difference is whether we will try to add rules to them. false makes more sense, but due to historical reasons the default is true... ☹️

[rix0rrr]

The example of what to do with a freshly imported database instance doesn't make a lot of sense. Adding a security group to it in this way is unlikely to be what you want (and also, this doesn't do anything because the instance itself is not owned).

Is there another example to copy/paste?

[pcheungamz]

db.grantConnect and db.connections.allowDefaultPortFrom are also popular results from my search. I will use grantConnect instead.

[mrgrain]

A new major version. This is particularly scary! Have you checked for breaking changes?

[pcheungamz]

Good point. I will try to find a 3.x version that works with client-cloudcontrol.

[pcheungamz]

Rico had already bump this to '^4'. I won't need to make this change.

[mrgrain]

A new major version. This is particularly scary! Have you checked for breaking changes?

[pcheungamz]

Will try to find a 3.x version that works with client-cloudcontrol.

[mrgrain]

This will probably require a change to packages/aws-cdk/lib/context-providers/index.ts as well.

[pcheungamz]

ok, will double check this.

[mrgrain]

Thank you for trying to be a good citizen! It's usually very much appreciated. <3

We are currently trying to keep the CLI a bit more stable. Are any of the version upgrades strictly necessary to achieve your goal - or would adding the new package be enough? If so, I'd rather just add one and keep everything else as it was.

[pcheungamz]

I had to use "@aws-sdk/client-cloudcontrol": "3.723.0". I had to bump the other ones to the same version, because of a smithy error.

[mrgrain]

Is the type casting required here? How do we guarantee type correctness? If so, please add a comment explaining why.

[rix0rrr]

Good point. We should use the keyword satisfies instead of as here.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.