feat(docdb): cluster - deletion protection (aws#15216)
This commit adds support for `deletionProtection` on docdb `DatabaseCluster`s.

Fixes: aws#15170

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
cjihrig authored and TikiTDO committed Sep 6, 2021
1 parent 510df5d commit 3b41873
Showing 3 changed files with 50 additions and 0 deletions.
18 changes: 18 additions & 0 deletions packages/@aws-cdk/aws-docdb/README.md
Expand Up @@ -60,6 +60,24 @@ const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', {
cluster.addSecurityGroups(securityGroup);
```

## Deletion protection

Deletion protection can be enabled on an Amazon DocumentDB cluster to prevent accidental deletion of the cluster:

```ts
const cluster = new DatabaseCluster(this, 'Database', {
masterUser: {
username: 'myuser'
},
instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
vpcSubnets: {
subnetType: ec2.SubnetType.PUBLIC,
},
vpc,
deletionProtection: true // Enable deletion protection.
});
```

## Rotating credentials

When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
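Review bot: the new "Deletion protection" section should say what the flag does at teardown time, not only at creation: with `deletionProtection: true` a `cdk destroy` (or any other deletion of the stack) fails until the property is set back to `false` and deployed, and the flag does not change what `removalPolicy` does to the cluster resource once deletion is allowed again. A sentence after the code block stating that, plus a note that the prop maps to the `DeletionProtection` property of `AWS::DocDB::DBCluster`, would save users a failed destroy. Separately, the example places the cluster in `subnetType: ec2.SubnetType.PUBLIC`; a cluster that warrants deletion protection is the case where a private subnet type is the better thing to show in documentation, so consider dropping `vpcSubnets` here or switching it to a private subnet type.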
11 changes: 11 additions & 0 deletions packages/@aws-cdk/aws-docdb/lib/cluster.ts
Expand Up @@ -136,6 +136,16 @@ export interface DatabaseClusterProps {
* @default - Retain cluster.
*/
readonly removalPolicy?: RemovalPolicy

/**
* Specifies whether this cluster can be deleted. If deletionProtection is
* enabled, the cluster cannot be deleted unless it is modified and
* deletionProtection is disabled. deletionProtection protects clusters from
* being accidentally deleted.
*
* @default - false
*/
readonly deletionProtection?: boolean;
}

/**
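Review bot: `@default - false` on the new doc comment uses the dash form, which in this file introduces a prose description of the default (see `@default - Retain cluster.` just above it); for a literal value the convention is `@default false`. The comment should also state how the flag interacts with `removalPolicy`, since both live on the same props interface: the removal policy still governs whether the CloudFormation resource is retained or destroyed, but while `deletionProtection` is true any stack deletion fails until the cluster is updated with it disabled. Minor: the new line ends with a semicolon while the adjacent `readonly removalPolicy?: RemovalPolicy` does not; pick one style for the block.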
Expand Down Expand Up @@ -361,6 +371,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
port: props.port,
vpcSecurityGroupIds: [this.securityGroupId],
dbClusterParameterGroupName: props.parameterGroup?.parameterGroupName,
deletionProtection: props.deletionProtection,
// Admin
masterUsername: secret ? secret.secretValueFromJson('username').toString() : props.masterUser.username,
masterUserPassword: secret
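Review bot: `deletionProtection: props.deletionProtection` leaves the template property unset when the prop is omitted, so the CloudFormation default (no protection) applies and existing templates are unchanged, which is the right behaviour. Consider, however, emitting a construct-level warning when `props.deletionProtection` is true and `props.removalPolicy` is `RemovalPolicy.DESTROY`: that combination deploys a cluster that `cdk destroy` cannot remove until protection is disabled, and both values are in scope at this point in the constructor.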
21 changes: 21 additions & 0 deletions packages/@aws-cdk/aws-docdb/test/cluster.test.ts
Expand Up @@ -167,6 +167,27 @@ describe('DatabaseCluster', () => {
}));
});

test('can configure cluster deletion protection', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');

// WHEN
new DatabaseCluster(stack, 'Database', {
masterUser: {
username: 'admin',
},
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
vpc,
deletionProtection: true,
});

// THEN
expectCDK(stack).to(haveResource('AWS::DocDB::DBCluster', {
DeletionProtection: true,
}));
});

test('cluster with parameter group', () => {
// GIVEN
const stack = testStack();
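Review bot: the new test covers only the enabled case. Add a companion test that `DeletionProtection` is not emitted when `deletionProtection` is omitted (so the feature does not alter existing templates) and one for `deletionProtection: false`, which should render `DeletionProtection: false` rather than omitting it. The existing `expectCDK(stack).to(haveResource('AWS::DocDB::DBCluster', { ... }))` pattern handles the explicit values; for the omitted case assert the absence of the `DeletionProtection` key on the resource. A test that sets `deletionProtection: true` together with `removalPolicy` would also confirm the two props do not interfere with each other.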

0 comments on commit 3b41873