import type { Construct } from 'constructs';
import type { IDatabaseCluster } from './cluster-ref';
import type { IDatabaseInstance } from './instance';
import type { DatabaseProxyEndpointOptions, IDatabaseProxyEndpoint } from './proxy-endpoint';
import * as ec2 from '../../aws-ec2';
import * as iam from '../../aws-iam';
import * as secretsmanager from '../../aws-secretsmanager';
import * as cdk from '../../core';
import type { aws_rds } from '../../interfaces';
/**
 * Client password authentication type used by a proxy to log in as a specific database user.
 *
 * Selects the password-based mechanism for the proxy's own connection to the database.
 * `DatabaseProxy` validates the chosen value (see its private `validateClientPasswordAuthType`);
 * presumably the check is that the type matches the target's engine family — confirm in the
 * implementation before relying on it.
 */
export declare enum ClientPasswordAuthType {
  /**
   * MySQL Native Password client authentication type.
   *
   * NOTE(review): `mysql_native_password` is the legacy, SHA-1-based MySQL plugin;
   * prefer `MYSQL_CACHING_SHA2_PASSWORD` where the database version supports it.
   */
  MYSQL_NATIVE_PASSWORD = "MYSQL_NATIVE_PASSWORD",
  /**
   * SCRAM SHA 256 client authentication type (PostgreSQL).
   *
   * The preferred PostgreSQL password scheme: a challenge-response exchange rather
   * than a reusable hash sent on the wire.
   */
  POSTGRES_SCRAM_SHA_256 = "POSTGRES_SCRAM_SHA_256",
  /**
   * PostgreSQL MD5 client authentication type.
   *
   * NOTE(review): MD5 is PostgreSQL's legacy scheme; prefer `POSTGRES_SCRAM_SHA_256`
   * unless an older database or driver forces MD5.
   */
  POSTGRES_MD5 = "POSTGRES_MD5",
  /**
   * SQL Server Authentication client authentication type.
   */
  SQL_SERVER_AUTHENTICATION = "SQL_SERVER_AUTHENTICATION",
  /**
   * MySQL Caching SHA2 Password client authentication type.
   *
   * The current MySQL default plugin; preferred over `MYSQL_NATIVE_PASSWORD`.
   */
  MYSQL_CACHING_SHA2_PASSWORD = "MYSQL_CACHING_SHA2_PASSWORD"
}
/**
 * The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
 */
export declare enum DefaultAuthScheme {
  /**
   * IAM authentication.
   *
   * The proxy uses end-to-end IAM authentication to reach the database
   * (see `DatabaseProxyOptions.defaultAuthScheme`). The secrets requirement documented
   * on `DatabaseProxyOptions.secrets` applies only to `NONE`, so presumably no database
   * password needs to be stored for this path — confirm against the implementation.
   */
  IAM_AUTH = "IAM_AUTH",
  /**
   * No default authentication.
   *
   * The proxy logs in to the database with credentials held in Secrets Manager;
   * `DatabaseProxyOptions.secrets` must then contain at least one secret.
   */
  NONE = "NONE"
}
/**
 * SessionPinningFilter
 *
 * Names a class of SQL statements that is exempted from session pinning. By default the
 * proxy pins a client session to one database connection after such statements, which
 * keeps per-session state from leaking between clients at the cost of connection reuse.
 *
 * NOTE(review): exempting a statement class means a pooled connection carrying state set
 * by one client may later serve a different client; only opt out when the application
 * tolerates that.
 *
 * @see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html#rds-proxy-pinning
 */
export declare class SessionPinningFilter {
  /**
   * Filter name — presumably forwarded as-is to the proxy's session pinning filter list.
   */
  readonly filterName: string;
  /**
   * You can opt out of session pinning for the following kinds of application statements:
   *
   * - Setting session variables and configuration settings.
   */
  static readonly EXCLUDE_VARIABLE_SETS: SessionPinningFilter;
  /**
   * Custom filter.
   *
   * @param filterName a filter name understood by RDS Proxy; no validation is visible
   *   here, so prefer the predefined constants where one exists
   */
  static of(filterName: string): SessionPinningFilter;
  private constructor();
}
/**
 * Proxy target: Instance or Cluster
 *
 * A target group is a collection of databases that the proxy can connect to.
 * Currently, you can specify only one RDS DB instance or Aurora DB cluster.
 *
 * Presumably exactly one of the two private fields is populated, depending on which
 * factory created the target; `bind` reports the result through `ProxyTargetConfig`.
 */
export declare class ProxyTarget {
  private readonly dbInstance;
  private readonly dbCluster;
  /**
   * From instance
   *
   * @param instance RDS database instance
   * @returns a target wrapping the instance
   */
  static fromInstance(instance: IDatabaseInstance): ProxyTarget;
  /**
   * From cluster
   *
   * @param cluster RDS database cluster
   * @returns a target wrapping the cluster
   */
  static fromCluster(cluster: IDatabaseCluster): ProxyTarget;
  private constructor();
  /**
   * Bind this target to the specified database proxy.
   *
   * @param proxy the proxy being configured
   * @returns the engine family plus whichever of the instance or cluster lists applies
   */
  bind(proxy: DatabaseProxy): ProxyTargetConfig;
}
/**
 * The result of binding a `ProxyTarget` to a `DatabaseProxy`.
 */
export interface ProxyTargetConfig {
  /**
   * The engine family of the database instance or cluster this proxy connects with.
   *
   * This is presumably what `DatabaseProxyOptions.clientPasswordAuthType` is validated
   * against — confirm in `DatabaseProxy.validateClientPasswordAuthType`.
   */
  readonly engineFamily: string;
  /**
   * The database instances to which this proxy connects.
   * Either this or `dbClusters` will be set and the other `undefined`.
   * @default - `undefined` if `dbClusters` is set.
   */
  readonly dbInstances?: IDatabaseInstance[];
  /**
   * The database clusters to which this proxy connects.
   * Either this or `dbInstances` will be set and the other `undefined`.
   * @default - `undefined` if `dbInstances` is set.
   */
  readonly dbClusters?: IDatabaseCluster[];
}
/**
 * Options for a new DatabaseProxy
 *
 * Security-relevant defaults worth knowing: TLS to the proxy is required (`requireTLS`),
 * IAM authentication for clients is off (`iamAuth`), and SQL text is not logged
 * (`debugLogging`). Changing any of these weakens or widens the proxy's exposure — see the
 * notes on each option.
 */
export interface DatabaseProxyOptions {
  /**
   * The identifier for the proxy.
   * This name must be unique for all proxies owned by your AWS account in the specified AWS Region.
   * An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens;
   * it can't end with a hyphen or contain two consecutive hyphens.
   *
   * @default - Generated by CloudFormation (recommended)
   */
  readonly dbProxyName?: string;
  /**
   * The duration for a proxy to wait for a connection to become available in the connection pool.
   * Only applies when the proxy has opened its maximum number of connections and all connections are busy with client
   * sessions.
   *
   * Value must be between 1 second and 1 hour, or `Duration.seconds(0)` to represent unlimited.
   *
   * @default cdk.Duration.seconds(120)
   */
  readonly borrowTimeout?: cdk.Duration;
  /**
   * One or more SQL statements for the proxy to run when opening each new database connection.
   * Typically used with SET statements to make sure that each connection has identical settings such as time zone
   * and character set.
   * For multiple statements, use semicolons as the separator.
   * You can also include multiple variables in a single SET statement, such as SET x=1, y=2.
   *
   * not currently supported for PostgreSQL.
   *
   * NOTE(review): this SQL runs on every new connection with the proxy's database
   * credentials; build it from trusted configuration only, never from request or
   * user-supplied input.
   *
   * @default - no initialization query
   */
  readonly initQuery?: string;
  /**
   * The maximum size of the connection pool for each target in a target group.
   * For Aurora MySQL, it is expressed as a percentage of the max_connections setting for the RDS DB instance or Aurora DB
   * cluster used by the target group.
   *
   * 1-100
   *
   * @default 100
   */
  readonly maxConnectionsPercent?: number;
  /**
   * Controls how actively the proxy closes idle database connections in the connection pool.
   * A high value enables the proxy to leave a high percentage of idle connections open.
   * A low value causes the proxy to close idle client connections and return the underlying database connections
   * to the connection pool.
   * For Aurora MySQL, it is expressed as a percentage of the max_connections setting for the RDS DB instance
   * or Aurora DB cluster used by the target group.
   *
   * between 0 and MaxConnectionsPercent
   *
   * @default 50
   */
  readonly maxIdleConnectionsPercent?: number;
  /**
   * Each item in the list represents a class of SQL operations that normally cause all later statements in a session
   * using a proxy to be pinned to the same underlying database connection.
   * Including an item in the list exempts that class of SQL operations from the pinning behavior.
   *
   * See `SessionPinningFilter` for the isolation trade-off of opting out.
   *
   * @default - no session pinning filters
   */
  readonly sessionPinningFilters?: SessionPinningFilter[];
  /**
   * Whether the proxy includes detailed information about SQL statements in its logs.
   * This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections.
   * The debug information includes the text of SQL statements that you submit through the proxy.
   * Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive
   * information that appears in the logs.
   *
   * NOTE(review): when enabled, the log destination must be treated as holding sensitive
   * data — statement text can carry credentials and personal data; restrict read access
   * to it and turn the setting off again once debugging is done.
   *
   * @default false
   */
  readonly debugLogging?: boolean;
  /**
   * Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy.
   *
   * When `true`, clients must authenticate to the proxy with IAM; use `IDatabaseProxy.grantConnect`
   * to authorise callers. When `false`, clients authenticate with database passwords.
   * NOTE(review): keep `requireTLS` at its default when using IAM authentication; the IAM
   * token is a bearer credential and must not travel in plaintext.
   *
   * @default false
   */
  readonly iamAuth?: boolean;
  /**
   * The duration that a connection to the proxy can be inactive before the proxy disconnects it.
   * You can set this value higher or lower than the connection timeout limit for the associated database.
   *
   * @default cdk.Duration.minutes(30)
   */
  readonly idleClientTimeout?: cdk.Duration;
  /**
   * A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy.
   * By enabling this setting, you can enforce encrypted TLS connections to the proxy.
   *
   * NOTE(review): setting this to `false` permits plaintext client connections, exposing
   * credentials and query traffic between client and proxy. Leave the default unless a
   * legacy client truly cannot negotiate TLS.
   *
   * @default true
   */
  readonly requireTLS?: boolean;
  /**
   * IAM role that the proxy uses to access secrets in AWS Secrets Manager.
   *
   * NOTE(review): when supplying your own role, scope it to reading only the secrets
   * listed in `secrets` (plus decrypt on their KMS key if customer-managed); do not reuse
   * a broad application role here.
   *
   * @default - A role will automatically be created
   */
  readonly role?: iam.IRole;
  /**
   * The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster.
   * These secrets are stored within Amazon Secrets Manager.
   * One or more secrets are required when defaultAuthScheme is `DefaultAuthScheme.NONE`.
   *
   * The proxy reads these using `role`. Each secret presumably holds one database user's
   * credentials; `grantConnect` can infer `dbUser` only when exactly one secret is given.
   *
   * @default None
   */
  readonly secrets?: secretsmanager.ISecret[];
  /**
   * One or more VPC security groups to associate with the new proxy.
   *
   * NOTE(review): restrict ingress on these groups to the database port from the
   * application's security groups; the proxy endpoint is reachable by anything that can
   * route to it within the VPC otherwise.
   *
   * @default - No security groups
   */
  readonly securityGroups?: ec2.ISecurityGroup[];
  /**
   * The subnets used by the proxy.
   *
   * Prefer private subnets; the proxy should not need a route from the public internet.
   *
   * @default - the VPC default strategy if not specified.
   */
  readonly vpcSubnets?: ec2.SubnetSelection;
  /**
   * The VPC to associate with the new proxy.
   */
  readonly vpc: ec2.IVpc;
  /**
   * Specifies the details of authentication used by a proxy to log in as a specific database user.
   *
   * See `ClientPasswordAuthType` for which schemes are legacy; the value is checked by
   * `DatabaseProxy.validateClientPasswordAuthType`.
   *
   * @default - CloudFormation defaults will apply given the specified database engine.
   */
  readonly clientPasswordAuthType?: ClientPasswordAuthType;
  /**
   * The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
   * When set to `DefaultAuthScheme.IAM_AUTH`, the proxy uses end-to-end IAM authentication to connect to the database.
   *
   * @default DefaultAuthScheme.NONE
   */
  readonly defaultAuthScheme?: DefaultAuthScheme;
}
/**
 * Construction properties for a DatabaseProxy
 *
 * Adds the mandatory target to `DatabaseProxyOptions`; everything else is inherited.
 */
export interface DatabaseProxyProps extends DatabaseProxyOptions {
  /**
   * DB proxy target: Instance or Cluster
   *
   * Built with `ProxyTarget.fromInstance` or `ProxyTarget.fromCluster`.
   */
  readonly proxyTarget: ProxyTarget;
}
/**
 * Properties that describe an existing DB Proxy
 *
 * Used with `DatabaseProxy.fromDatabaseProxyAttributes` to reference a proxy created
 * elsewhere. Nothing here is validated against the live resource; a wrong ARN or
 * endpoint will only surface at deploy or connect time.
 */
export interface DatabaseProxyAttributes {
  /**
   * DB Proxy Name
   */
  readonly dbProxyName: string;
  /**
   * DB Proxy ARN
   */
  readonly dbProxyArn: string;
  /**
   * Endpoint
   *
   * Hostname clients connect to.
   */
  readonly endpoint: string;
  /**
   * The security groups of the proxy.
   *
   * Needed so the imported proxy's `connections` can be used to open ingress rules.
   */
  readonly securityGroups: ec2.ISecurityGroup[];
}
/**
 * DB Proxy
 *
 * Common contract for both constructed and imported proxies.
 */
export interface IDatabaseProxy extends cdk.IResource, aws_rds.IDBProxyRef {
  /**
   * DB Proxy Name
   *
   * @attribute
   */
  readonly dbProxyName: string;
  /**
   * DB Proxy ARN
   *
   * @attribute
   */
  readonly dbProxyArn: string;
  /**
   * Endpoint
   *
   * @attribute
   */
  readonly endpoint: string;
  /**
   * Grant the given identity connection access to the proxy.
   *
   * Only meaningful when clients authenticate to the proxy with IAM (see
   * `DatabaseProxyOptions.iamAuth`); with password authentication the database itself
   * decides who may connect. NOTE(review): presumably issues an IAM grant scoped to this
   * proxy and `dbUser` — confirm the exact action and resource in the implementation.
   *
   * @param grantee the Principal to grant the permissions to
   * @param dbUser the name of the database user to allow connecting as to the proxy
   *
   * @default - if the Proxy had been provided a single Secret value,
   * the user will be taken from that Secret
   */
  grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant;
}
/**
 * Represents an RDS Database Proxy.
 *
 * Shared base for the constructed `DatabaseProxy` and the object returned by
 * `DatabaseProxy.fromDatabaseProxyAttributes`; subclasses supply the three attributes.
 */
declare abstract class DatabaseProxyBase extends cdk.Resource implements IDatabaseProxy {
  abstract readonly dbProxyName: string;
  abstract readonly dbProxyArn: string;
  abstract readonly endpoint: string;
  /**
   * A reference to this database proxy
   */
  get dbProxyRef(): aws_rds.DBProxyReference;
  /**
   * Grant the given identity connection access to the proxy.
   *
   * See `IDatabaseProxy.grantConnect` for the contract; `DatabaseProxy` overrides this
   * (presumably to derive `dbUser` from a single configured secret — confirm there).
   */
  grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant;
}
/**
 * RDS Database Proxy
 *
 * Creates the proxy, its target group and (unless `role` is given) the IAM role used to
 * read `secrets`. Network exposure is governed by `connections`; client authentication by
 * `iamAuth`/`defaultAuthScheme`; transport security by `requireTLS` (default on).
 *
 * @resource AWS::RDS::DBProxy
 */
export declare class DatabaseProxy extends DatabaseProxyBase implements ec2.IConnectable, secretsmanager.ISecretAttachmentTarget {
  /**
   * Uniquely identifies this class.
   */
  static readonly PROPERTY_INJECTION_ID: string;
  /**
   * Import an existing database proxy.
   *
   * The returned object can open security-group ingress and issue `grantConnect`, but
   * cannot add endpoints or attach secrets — those need the constructed class.
   *
   * @param scope parent construct
   * @param id construct id
   * @param attrs name, ARN, endpoint and security groups of the existing proxy
   */
  static fromDatabaseProxyAttributes(scope: Construct, id: string, attrs: DatabaseProxyAttributes): IDatabaseProxy;
  /**
   * DB Proxy Name
   *
   * @attribute
   */
  readonly dbProxyName: string;
  /**
   * DB Proxy ARN
   *
   * @attribute
   */
  readonly dbProxyArn: string;
  /**
   * Endpoint
   *
   * @attribute
   */
  readonly endpoint: string;
  /**
   * Access to network connections.
   *
   * Use `connections.allowDefaultPortFrom(...)` (or the explicit port) to admit clients;
   * keep the allowed sources to the application's own security groups.
   */
  readonly connections: ec2.Connections;
  private readonly secrets?;
  private readonly resource;
  private readonly vpc;
  /**
   * @param scope parent construct
   * @param id construct id
   * @param props proxy configuration; `vpc` and `proxyTarget` are required
   */
  constructor(scope: Construct, id: string, props: DatabaseProxyProps);
  /**
   * Add an Endpoint to this DB Proxy
   *
   * @param id construct id for the endpoint
   * @param options endpoint settings (see `DatabaseProxyEndpointOptions`)
   */
  addEndpoint(id: string, options?: DatabaseProxyEndpointOptions): IDatabaseProxyEndpoint;
  /**
   * Renders the secret attachment target specifications.
   *
   * Lets a Secrets Manager secret be attached to this proxy (e.g. for rotation).
   */
  asSecretAttachmentTarget(): secretsmanager.SecretAttachmentTargetProps;
  /**
   * [disable-awslint:no-grants]
   *
   * Grant the given identity connection access to the proxy; see `IDatabaseProxy.grantConnect`.
   * When `dbUser` is omitted it is taken from the single configured secret — presumably an
   * error if several secrets were given; confirm in the implementation.
   */
  grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant;
  /**
   * Checks `clientPasswordAuthType` against the bound target; presumably rejects a type
   * that does not belong to the target's engine family.
   */
  private validateClientPasswordAuthType;
}
// Keeps this declaration file an ES module even though every symbol above is `declare`d.
export {};