feat(rds): retain cluster and instances on deletion and replacement

[jogold]

Add deleteReplacePolicy with a default of Retain to control both the deletion policy and the update replace policy of the cluster and its instances.

Also replaced kmsKeyArn: string by kmsKey: kms.IEncryptionKey and add storageEncrypted in DatabaseClusterProps

BREAKING CHANGE: Replaced kmsKeyArn: string by kmsKey: kms.IEncryptionKey in DatabaseClusterProps

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[eladb]

I think we have an issue with this default due to implicit costs to customers.

[jogold]

Even when using the default master key? The cost is rather small compared to the cost of RDS. Isn't the CDK supposed to enforce best (security) practices?

But OK, I see that the same philosophy has been adopted for S3 buckets. You want me to change this?

[rix0rrr]

I'm also not sure I'm comfortable with replacing everyone's RDS instances. As far as I know, that will destroy their data, right?

[rix0rrr]

If you change the default I'm all for it.

[jogold]

I'm also not sure I'm comfortable with replacing everyone's RDS instances. As far as I know, that will destroy their data, right?

Yes, and the solution lies in here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html for resources such as database instances

[rix0rrr]

My experience with RDS is limited, but is it possible to replace the database without loss of data? It doesn't look so, right?

I'm MAYBE willing to accept loss of availabillity (even though that's not great either), by means of a Delete-to-Snapshot and then Restore-from-Snapshot, but given that CloudFormation will do the CREATE before the DELETE, doesn't seem like we can sequence those correctly in one deployment.

[rix0rrr]

While you're in here, would you mind adding a property to control DeletionPoliycy and UpdateReplacePolicy? I'm horrified to see those aren't being set yet.

I think one property to control both policies should be fine, and it should default to Retain.