feat(rds): custom security groups for OptionGroups (#10011)

Enables customers to provide a custom security group for any OptionGroup that requires a VPC and SecurityGroup. fixes #9240 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Aug 28, 2020 · 5738dc1 · 5738dc1
1 parent 7f351ff
commit 5738dc1
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 7 deletions.
diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md
@@ -324,3 +324,27 @@ const instance = new rds.DatabaseInstance(this, 'Instance', {
   // ...
 });
 ```
+
+### Option Groups
+
+Some DB engines offer additional features that make it easier to manage data and databases, and to provide additional security for your database.
+Amazon RDS uses option groups to enable and configure these features. An option group can specify features, called options,
+that are available for a particular Amazon RDS DB instance.
+
+```ts
+const vpc: ec2.IVpc = ...;
+const securityGroup: ec2.ISecurityGroup = ...;
+new rds.OptionGroup(stack, 'Options', {
+  engine: DatabaseInstanceEngine.oracleSe({
+    version: OracleLegacyEngineVersion.VER_11_2,
+  }),
+  configurations: [
+    {
+      name: 'OEM',
+      port: 5500,
+      vpc,
+      securityGroups: [securityGroup], // Optional - a default group will be created if not provided.
+    },
+  ],
+});
+```
diff --git a/packages/@aws-cdk/aws-rds/lib/option-group.ts b/packages/@aws-cdk/aws-rds/lib/option-group.ts
@@ -53,6 +53,14 @@ export interface OptionConfiguration {
    * @default - no VPC
    */
   readonly vpc?: ec2.IVpc;
+
+  /**
+   * Optional list of security groups to use for this option, if `vpc` is specified.
+   * If no groups are provided, a default one will be created.
+   *
+   * @default - a default group will be created if `port` or `vpc` are specified.
+   */
+  readonly securityGroups?: ec2.ISecurityGroup[];
 }
 
 /**
@@ -135,20 +143,22 @@ export class OptionGroup extends Resource implements IOptionGroup {
           throw new Error('`port` and `vpc` must be specified together.');
         }
 
-        const securityGroup = new ec2.SecurityGroup(this, `SecurityGroup${config.name}`, {
-          description: `Security group for ${config.name} option`,
-          vpc: config.vpc,
-        });
+        const securityGroups = config.securityGroups && config.securityGroups.length > 0
+          ? config.securityGroups
+          : [new ec2.SecurityGroup(this, `SecurityGroup${config.name}`, {
+            description: `Security group for ${config.name} option`,
+            vpc: config.vpc,
+          })];
 
         this.optionConnections[config.name] = new ec2.Connections({
-          securityGroups: [securityGroup],
+          securityGroups: securityGroups,
           defaultPort: ec2.Port.tcp(config.port),
         });
 
         configuration = {
           ...configuration,
           port: config.port,
-          vpcSecurityGroupMemberships: [securityGroup.securityGroupId],
+          vpcSecurityGroupMemberships: securityGroups.map(sg => sg.securityGroupId),
         };
       }
 

diff --git a/packages/@aws-cdk/aws-rds/test/test.option-group.ts b/packages/@aws-cdk/aws-rds/test/test.option-group.ts
@@ -36,7 +36,7 @@ export = {
     test.done();
   },
 
-  'option group with security groups'(test: Test) {
+  'option group with new security group'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();
     const vpc = new ec2.Vpc(stack, 'VPC');
@@ -96,6 +96,51 @@ export = {
     test.done();
   },
 
+  'option group with existing security group'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    // WHEN
+    const securityGroup = new ec2.SecurityGroup(stack, 'CustomSecurityGroup', { vpc });
+    new OptionGroup(stack, 'Options', {
+      engine: DatabaseInstanceEngine.oracleSe({
+        version: OracleLegacyEngineVersion.VER_11_2,
+      }),
+      configurations: [
+        {
+          name: 'OEM',
+          port: 1158,
+          vpc,
+          securityGroups: [securityGroup],
+        },
+      ],
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::RDS::OptionGroup', {
+      EngineName: 'oracle-se',
+      MajorEngineVersion: '11.2',
+      OptionGroupDescription: 'Option group for oracle-se 11.2',
+      OptionConfigurations: [
+        {
+          OptionName: 'OEM',
+          Port: 1158,
+          VpcSecurityGroupMemberships: [
+            {
+              'Fn::GetAtt': [
+                'CustomSecurityGroupE5E500E5',
+                'GroupId',
+              ],
+            },
+          ],
+        },
+      ],
+    }));
+
+    test.done();
+  },
+
   'throws when using an option with port and no vpc'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();