feat(rds): add support for monitoring to database cluster (#2828)

Let a user define a monitoring interval period. It will be
also possible to specify a monitoring IAM Role to manage instances
monitoring, otherwise a valid Role will be auto-generated.

This change adds optional props `monitoringInterval` and `monitoringRole`
to `DatabaseClusterProps` and optional `monitoringRole` to
`DatabaseInstanceProps`

closes #2826

Author: rpanfili

packages/@aws-cdk/aws-rds/lib/cluster.ts

@@ -1,7 +1,8 @@
 import ec2 = require('@aws-cdk/aws-ec2');
+import { IRole, ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import kms = require('@aws-cdk/aws-kms');
 import secretsmanager = require('@aws-cdk/aws-secretsmanager');
-import { Construct,   RemovalPolicy, Resource, Token } from '@aws-cdk/core';
+import { Construct, Duration, RemovalPolicy, Resource, Token } from '@aws-cdk/core';
 import { DatabaseClusterAttributes, IDatabaseCluster } from './cluster-ref';
 import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
@@ -128,6 +129,21 @@ export interface DatabaseClusterProps {
    * @default - Retain cluster.
    */
   readonly removalPolicy?: RemovalPolicy
+
+  /**
+   * The interval, in seconds, between points when Amazon RDS collects enhanced
+   * monitoring metrics for the DB instances.
+   *
+   * @default no enhanced monitoring
+   */
+  readonly monitoringInterval?: Duration;
+
+  /**
+   * Role that will be used to manage DB instances monitoring.
+   *
+   * @default - A role is automatically created for you
+   */
+  readonly monitoringRole?: IRole;
 }
 
 /**
@@ -345,6 +361,17 @@ export class DatabaseCluster extends DatabaseClusterBase {
 
     // Get the actual subnet objects so we can depend on internet connectivity.
     const internetConnected = props.instanceProps.vpc.selectSubnets(props.instanceProps.vpcSubnets).internetConnectivityEstablished;
+
+    let monitoringRole;
+    if (props.monitoringInterval && props.monitoringInterval.toSeconds()) {
+      monitoringRole = props.monitoringRole || new Role(this, "MonitoringRole", {
+        assumedBy: new ServicePrincipal("monitoring.rds.amazonaws.com"),
+        managedPolicies: [
+          ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole')
+        ]
+      });
+    }
+
     for (let i = 0; i < instanceCount; i++) {
       const instanceIndex = i + 1;
 
@@ -366,6 +393,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
         // This is already set on the Cluster. Unclear to me whether it should be repeated or not. Better yes.
         dbSubnetGroupName: subnetGroup.ref,
         dbParameterGroupName: props.instanceProps.parameterGroup && props.instanceProps.parameterGroup.parameterGroupName,
+        monitoringInterval: props.monitoringInterval && props.monitoringInterval.toSeconds(),
+        monitoringRoleArn: monitoringRole && monitoringRole.roleArn
       });
 
       instance.applyRemovalPolicy(props.removalPolicy, {

packages/@aws-cdk/aws-rds/lib/instance.ts

@@ -374,6 +374,13 @@ export interface DatabaseInstanceNewProps {
    */
   readonly monitoringInterval?: Duration;
 
+  /**
+   * Role that will be used to manage DB instance monitoring.
+   *
+   * @default - A role is automatically created for you
+   */
+  readonly monitoringRole?: iam.IRole;
+
   /**
    * Whether to enable Performance Insights for the DB instance.
    *
@@ -493,8 +500,8 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
     this.securityGroupId = this.securityGroup.securityGroupId;
 
     let monitoringRole;
-    if (props.monitoringInterval) {
-      monitoringRole = new iam.Role(this, 'MonitoringRole', {
+    if (props.monitoringInterval && props.monitoringInterval.toSeconds()) {
+      monitoringRole = props.monitoringRole || new iam.Role(this, 'MonitoringRole', {
         assumedBy: new iam.ServicePrincipal('monitoring.rds.amazonaws.com'),
         managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole')],
       });

packages/@aws-cdk/aws-rds/test/test.cluster.ts

@@ -1,5 +1,6 @@
 import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
 import ec2 = require('@aws-cdk/aws-ec2');
+import { ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import kms = require('@aws-cdk/aws-kms');
 import cdk = require('@aws-cdk/core');
 import { SecretValue } from '@aws-cdk/core';
@@ -371,6 +372,103 @@ export = {
       GroupId: 'sg-123456789',
     }));
 
+    test.done();
+  },
+
+  "cluster with enabled monitoring"(test: Test) {
+    // GIVEN
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, "VPC");
+
+    // WHEN
+    new DatabaseCluster(stack, "Database", {
+      engine: DatabaseClusterEngine.AURORA,
+      instances: 1,
+      masterUser: {
+        username: "admin"
+      },
+      instanceProps: {
+        instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
+        vpc
+      },
+      monitoringInterval: cdk.Duration.minutes(1),
+    });
+
+    // THEN
+    expect(stack).to(haveResource("AWS::RDS::DBInstance", {
+      MonitoringInterval: 60,
+      MonitoringRoleArn: {
+        "Fn::GetAtt": ["DatabaseMonitoringRole576991DA", "Arn"]
+      }
+    }, ResourcePart.Properties));
+
+    expect(stack).to(haveResource("AWS::IAM::Role", {
+      AssumeRolePolicyDocument: {
+        Statement: [
+          {
+            Action: "sts:AssumeRole",
+            Effect: "Allow",
+            Principal: {
+              Service: "monitoring.rds.amazonaws.com"
+            }
+          }
+        ],
+        Version: "2012-10-17"
+      },
+      ManagedPolicyArns: [
+        {
+          "Fn::Join": [
+            "",
+            [
+              "arn:",
+              {
+                Ref: "AWS::Partition"
+              },
+              ":iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+            ]
+          ]
+        }
+      ]
+    }));
+
+    test.done();
+  },
+
+  'create a cluster with imported monitoring role'(test: Test) {
+    // GIVEN
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, "VPC");
+
+    const monitoringRole = new Role(stack, "MonitoringRole", {
+      assumedBy: new ServicePrincipal("monitoring.rds.amazonaws.com"),
+      managedPolicies: [
+        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole')
+      ]
+    });
+
+    // WHEN
+    new DatabaseCluster(stack, "Database", {
+      engine: DatabaseClusterEngine.AURORA,
+      instances: 1,
+      masterUser: {
+        username: "admin"
+      },
+      instanceProps: {
+        instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
+        vpc
+      },
+      monitoringInterval: cdk.Duration.minutes(1),
+      monitoringRole
+    });
+
+    // THEN
+    expect(stack).to(haveResource("AWS::RDS::DBInstance", {
+      MonitoringInterval: 60,
+      MonitoringRoleArn: {
+        "Fn::GetAtt": ["MonitoringRole90457BF9", "Arn"]
+      }
+    }, ResourcePart.Properties));
+
     test.done();
   }
 };

packages/@aws-cdk/aws-rds/test/test.instance.ts

@@ -1,6 +1,7 @@
 import { countResources, expect, haveResource, ResourcePart } from '@aws-cdk/assert';
 import ec2 = require('@aws-cdk/aws-ec2');
 import targets = require('@aws-cdk/aws-events-targets');
+import { ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import lambda = require('@aws-cdk/aws-lambda');
 import logs = require('@aws-cdk/aws-logs');
 import cdk = require('@aws-cdk/core');
@@ -512,5 +513,38 @@ export = {
     }));
 
     test.done();
-  }
+  },
+
+  'create an instance with imported monitoring role'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    const monitoringRole = new Role(stack, "MonitoringRole", {
+      assumedBy: new ServicePrincipal("monitoring.rds.amazonaws.com"),
+      managedPolicies: [
+        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole')
+      ]
+    });
+
+    // WHEN
+    new rds.DatabaseInstance(stack, 'Instance', {
+      engine: rds.DatabaseInstanceEngine.MYSQL,
+      instanceClass: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
+      masterUsername: 'admin',
+      vpc,
+      monitoringInterval: cdk.Duration.minutes(1),
+      monitoringRole
+    });
+
+    // THEN
+    expect(stack).to(haveResource("AWS::RDS::DBInstance", {
+      MonitoringInterval: 60,
+      MonitoringRoleArn: {
+        "Fn::GetAtt": ["MonitoringRole90457BF9", "Arn"]
+      }
+    }, ResourcePart.Properties));
+
+    test.done();
+  },
 };