feat(rds): allow using existing security groups for new instance

[jogold]

Closes #2949

BREAKING CHANGE: securityGroup: ec2.ISecurityGroup is now securityGroups: ec2.ISecurityGroup[] in DatabaseInstanceAttributes, removed securityGroupId from IDatabaseInstance

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mergify]

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

• PR title type(scope): text
  • type: fix, feat, refactor go into CHANGELOG, chore is hidden
  • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
  • text: use all lower-case, do not end with a period, do not include issue refs
• PR Description
  • Rationale: describe rationale of change and approach taken
  • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
  • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
• Testing
  • Unit test added. Prefer to add a new test rather than modify existing tests
  • CLI or init templates change? Re-run/add CLI integration tests
• Documentation
  • README: update module README to describe new features
  • API docs: public APIs must be documented. Copy from official AWS docs when possible
  • Design: for significant features, follow design process

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[skinny85]

Thanks for the contribution @jogold ! One comment.

[skinny85]

You can have an array of SecurityGroups for instance, right? So this should be readonly securityGroups: ec2.ISecurityGroup[], correct?

[jogold]

Agree but this is to be consistent with other packages/resources in the CDK, examples are ECS Service, RDS Cluster, ELBV2 Load balancers, Lambda functions, etc. All those resources accept an array of security groups but it's always implemented with a single security group.

[jogold]

The only exception is the AWS CodeBuild project.

[skinny85]

I discussed this with the team, and we came to the conclusion that array is the way to go, and the other places that don't allow arrays are actually the ones that are wrong (and they will have to change, like ECS does in #3985 ).

So, please change it to readonly securityGroups: ISecurityGroup[].

Thanks!

[jogold]

Done. Note there's now a BREAKING CHANGE documented in the PR description, someone of the team will need to squash this PR because mergify won't take it into account.

[skinny85]

Is the breaking change removing the securityGroupId property?

[jogold]

BREAKING CHANGE: securityGroup: ec2.ISecurityGroup is now securityGroups: ec2.ISecurityGroup[] in DatabaseInstanceAttributes, removed securityGroupId from IDatabaseInstance

[skinny85]

I think I'm missing something then. Wasn't it possible to use existing security groups with Instance before this PR? When you could pass in a single security group?

[skinny85]

Oh, I think I see it now. It's about allowing to use an existing security group for a new Instance, right? Before, it was only possible to pass it for imported Instances?

[jogold]

Yes, exactly

[rix0rrr]

Something unrelated to this PR, hope that's okay. @jogold I want to ask you something privately. To that end, I sent an email address to the email address you use to sign your GitHub commits (jonathan@***exchange.be). No rush, but in case you don't use that email address anymore, can you please shoot me a quick line from your current address at huijbers@amazon.com ?

Thanks a lot!

[jogold]

@rix0rrr just replied to your email 👍

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[skinny85]

I see this code:

    this.connections = new ec2.Connections({
      securityGroups: this.securityGroups,
      defaultPort: ec2.Port.tcp(this.instanceEndpoint.port)
    });

is repeated in DatabaseInstance, DatabaseInstanceFromSnapshot and DatabaseInstanceReadReplica. Is there any way we can reduce this duplication?

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[skinny85]

One more teeny comment, if you'll bear with me :)

[skinny85]

So, now that you moved creating connections here - is there any need to have this field? I believe the field can now be removed, and securityGroups can be just a local variable of the constructor of DatabaseInstanceNew, correct?

[jogold]

Correct!

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[skinny85]

Thanks for your patience!

[mergify]

Thank you for contributing! Your pull request is now being automatically merged.

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[jogold]

@skinny85 it has been merged by mergify... it doesn't have the BREAKING CHANGE in the commit message.

[skinny85]

@skinny85 it has been merged by mergify... it doesn't have the BREAKING CHANGE in the commit message.

Thanks for letting me know. I'll be doing the CDK release next week (probably Monday or Tuesday), remind me to add this to the Changelog's BREAKING CHANGES section 🙂.