feat(rds): change the default retention policy of Cluster and DB Instance to Snapshot

The 'Snapshot' retention policy is a special one used only for RDS.
It deletes the underlying resource, but before doing that,
creates a snapshot of it, so that the data is not lost.
Use the 'Snapshot' policy instead of 'Retain',
for the DatabaseCluster and DbInstance resources.

Fixes aws#3298

BREAKING CHANGE: the default retention policy for RDS Cluster and DbInstance is now 'Snapshot'

Author: skinny85

packages/@aws-cdk/aws-rds/lib/cluster.ts

@@ -8,6 +8,7 @@ import { DatabaseClusterAttributes, IDatabaseCluster } from './cluster-ref';
 import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
 import { ClusterParameterGroup, IParameterGroup } from './parameter-group';
+import { applyInstanceDeletionPolicy } from './private/instance-deletion-policy';
 import { BackupProps, DatabaseClusterEngine, InstanceProps, Login, RotationMultiUserOptions } from './props';
 import { CfnDBCluster, CfnDBInstance, CfnDBSubnetGroup } from './rds.generated';
 
@@ -124,9 +125,9 @@ export interface DatabaseClusterProps {
    * The removal policy to apply when the cluster and its instances are removed
    * from the stack or replaced during an update.
    *
-   * @default - Retain cluster.
+   * @default - Snapshot (remove the cluster and instances, but retain a snapshot of the data)
    */
-  readonly removalPolicy?: RemovalPolicy
+  readonly removalPolicy?: RemovalPolicy;
 
   /**
    * The interval, in seconds, between points when Amazon RDS collects enhanced
@@ -461,9 +462,11 @@ export class DatabaseCluster extends DatabaseClusterBase {
       storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
     });
 
-    cluster.applyRemovalPolicy(props.removalPolicy, {
-      applyToUpdateReplacePolicy: true,
-    });
+    // if removalPolicy was not specified,
+    // leave it as the default, which is Snapshot
+    if (props.removalPolicy) {
+      cluster.applyRemovalPolicy(props.removalPolicy);
+    }
 
     this.clusterIdentifier = cluster.ref;
 
@@ -519,9 +522,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
         monitoringRoleArn: monitoringRole && monitoringRole.roleArn,
       });
 
-      instance.applyRemovalPolicy(props.removalPolicy, {
-        applyToUpdateReplacePolicy: true,
-      });
+      applyInstanceDeletionPolicy(instance, props.removalPolicy);
 
       // We must have a dependency on the NAT gateway provider here to create
       // things in the right order.

packages/@aws-cdk/aws-rds/lib/instance.ts

@@ -10,6 +10,7 @@ import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
 import { IOptionGroup } from './option-group';
 import { IParameterGroup } from './parameter-group';
+import { applyInstanceDeletionPolicy } from './private/instance-deletion-policy';
 import { DatabaseClusterEngine, RotationMultiUserOptions } from './props';
 import { CfnDBInstance, CfnDBInstanceProps, CfnDBSubnetGroup } from './rds.generated';
 
@@ -536,7 +537,7 @@ export interface DatabaseInstanceNewProps {
    * The CloudFormation policy to apply when the instance is removed from the
    * stack or replaced during an update.
    *
-   * @default RemovalPolicy.Retain
+   * @default Snapshot (remove the resource, but retain a snapshot of the data)
    */
   readonly removalPolicy?: RemovalPolicy
 
@@ -886,9 +887,7 @@ export class DatabaseInstance extends DatabaseInstanceSource implements IDatabas
     const portAttribute = Token.asNumber(instance.attrEndpointPort);
     this.instanceEndpoint = new Endpoint(instance.attrEndpointAddress, portAttribute);
 
-    instance.applyRemovalPolicy(props.removalPolicy, {
-      applyToUpdateReplacePolicy: true,
-    });
+    applyInstanceDeletionPolicy(instance, props.removalPolicy);
 
     if (secret) {
       this.secret = secret.attach(this);
@@ -984,9 +983,7 @@ export class DatabaseInstanceFromSnapshot extends DatabaseInstanceSource impleme
     const portAttribute = Token.asNumber(instance.attrEndpointPort);
     this.instanceEndpoint = new Endpoint(instance.attrEndpointAddress, portAttribute);
 
-    instance.applyRemovalPolicy(props.removalPolicy, {
-      applyToUpdateReplacePolicy: true,
-    });
+    applyInstanceDeletionPolicy(instance, props.removalPolicy);
 
     if (secret) {
       this.secret = secret.attach(this);
@@ -1054,9 +1051,7 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
     const portAttribute = Token.asNumber(instance.attrEndpointPort);
     this.instanceEndpoint = new Endpoint(instance.attrEndpointAddress, portAttribute);
 
-    instance.applyRemovalPolicy(props.removalPolicy, {
-      applyToUpdateReplacePolicy: true,
-    });
+    applyInstanceDeletionPolicy(instance, props.removalPolicy);
 
     this.setLogRetention();
   }

packages/@aws-cdk/aws-rds/lib/private/instance-deletion-policy.ts

@@ -0,0 +1,18 @@
+import { CfnDeletionPolicy, RemovalPolicy } from '@aws-cdk/core';
+import { CfnDBInstance } from '../';
+
+export function applyInstanceDeletionPolicy(cfnDbInstance: CfnDBInstance, removalPolicy: RemovalPolicy | undefined): void {
+  const instanceDeletionPolicy = toCfnDeletionPolicy(removalPolicy);
+  const instanceCfnOptions = cfnDbInstance.cfnOptions;
+  instanceCfnOptions.deletionPolicy = instanceDeletionPolicy;
+  instanceCfnOptions.updateReplacePolicy = instanceDeletionPolicy;
+}
+
+function toCfnDeletionPolicy(removalPolicy: RemovalPolicy | undefined): CfnDeletionPolicy {
+  switch (removalPolicy) {
+    // the CFN default is actually Delete when dbClusterIdentifier is set for DBInstance!
+    case undefined: return CfnDeletionPolicy.SNAPSHOT;
+    case RemovalPolicy.RETAIN: return CfnDeletionPolicy.RETAIN;
+    case RemovalPolicy.DESTROY: return CfnDeletionPolicy.DELETE;
+  }
+}

packages/@aws-cdk/aws-rds/test/integ.cluster-rotation.lit.expected.json

@@ -705,9 +705,7 @@
             ]
           }
         ]
-      },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      }
     },
     "DatabaseInstance1844F58FD": {
       "Type": "AWS::RDS::DBInstance",
@@ -726,8 +724,8 @@
         "VPCPrivateSubnet2DefaultRouteF4F5CFD2",
         "VPCPrivateSubnet3DefaultRoute27F311AE"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     },
     "DatabaseInstance2AA380DEE": {
       "Type": "AWS::RDS::DBInstance",
@@ -746,8 +744,8 @@
         "VPCPrivateSubnet2DefaultRouteF4F5CFD2",
         "VPCPrivateSubnet3DefaultRoute27F311AE"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     },
     "DatabaseRotationSingleUserSecurityGroupAC6E0E73": {
       "Type": "AWS::EC2::SecurityGroup",
@@ -817,4 +815,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-rds/test/integ.cluster-s3.expected.json

@@ -667,9 +667,7 @@
             ]
           }
         ]
-      },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      }
     },
     "DatabaseInstance1844F58FD": {
       "Type": "AWS::RDS::DBInstance",
@@ -688,8 +686,8 @@
         "VPCPublicSubnet1DefaultRoute91CEF279",
         "VPCPublicSubnet2DefaultRouteB7481BBA"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     },
     "DatabaseInstance2AA380DEE": {
       "Type": "AWS::RDS::DBInstance",
@@ -708,8 +706,8 @@
         "VPCPublicSubnet1DefaultRoute91CEF279",
         "VPCPublicSubnet2DefaultRouteB7481BBA"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     }
   }
-}
+}

packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json

@@ -499,9 +499,7 @@
             ]
           }
         ]
-      },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      }
     },
     "DatabaseInstance1844F58FD": {
       "Type": "AWS::RDS::DBInstance",
@@ -520,8 +518,8 @@
         "VPCPublicSubnet1DefaultRoute91CEF279",
         "VPCPublicSubnet2DefaultRouteB7481BBA"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     },
     "DatabaseInstance2AA380DEE": {
       "Type": "AWS::RDS::DBInstance",
@@ -540,8 +538,8 @@
         "VPCPublicSubnet1DefaultRoute91CEF279",
         "VPCPublicSubnet2DefaultRouteB7481BBA"
       ],
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     }
   }
-}
+}

packages/@aws-cdk/aws-rds/test/integ.instance.lit.expected.json

@@ -694,8 +694,8 @@
           }
         ]
       },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
+      "UpdateReplacePolicy": "Snapshot",
+      "DeletionPolicy": "Snapshot"
     },
     "InstanceLogRetentiontrace487771C8": {
       "Type": "Custom::LogRetention",
@@ -1122,4 +1122,4 @@
       "Description": "Artifact hash for asset \"82c54bfa7c42ba410d6d18dad983ba51c93a5ea940818c5c20230f8b59c19d4e\""
     }
   }
-}
+}

packages/@aws-cdk/aws-rds/test/test.cluster.ts

@@ -1,4 +1,4 @@
-import { expect, haveResource, ResourcePart, SynthUtils } from '@aws-cdk/assert';
+import { countResources, expect, haveResource, ResourcePart, SynthUtils } from '@aws-cdk/assert';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import { ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
@@ -8,7 +8,7 @@ import { Test } from 'nodeunit';
 import { ClusterParameterGroup, DatabaseCluster, DatabaseClusterEngine, ParameterGroup } from '../lib';
 
 export = {
-  'check that instantiation works'(test: Test) {
+  'creating a Cluster also creates 2 DB Instances'(test: Test) {
     // GIVEN
     const stack = testStack();
     const vpc = new ec2.Vpc(stack, 'VPC');
@@ -28,20 +28,17 @@ export = {
 
     // THEN
     expect(stack).to(haveResource('AWS::RDS::DBCluster', {
-      Properties: {
-        Engine: 'aurora',
-        DBSubnetGroupName: { Ref: 'DatabaseSubnets56F17B9A' },
-        MasterUsername: 'admin',
-        MasterUserPassword: 'tooshort',
-        VpcSecurityGroupIds: [ {'Fn::GetAtt': ['DatabaseSecurityGroup5C91FDCB', 'GroupId']}],
-      },
-      DeletionPolicy: 'Retain',
-      UpdateReplacePolicy: 'Retain',
-    }, ResourcePart.CompleteDefinition));
+      Engine: 'aurora',
+      DBSubnetGroupName: { Ref: 'DatabaseSubnets56F17B9A' },
+      MasterUsername: 'admin',
+      MasterUserPassword: 'tooshort',
+      VpcSecurityGroupIds: [ {'Fn::GetAtt': ['DatabaseSecurityGroup5C91FDCB', 'GroupId']}],
+    }));
 
+    expect(stack).to(countResources('AWS::RDS::DBInstance', 2));
     expect(stack).to(haveResource('AWS::RDS::DBInstance', {
-      DeletionPolicy: 'Retain',
-      UpdateReplacePolicy: 'Retain',
+      DeletionPolicy: 'Snapshot',
+      UpdateReplacePolicy: 'Snapshot',
     }, ResourcePart.CompleteDefinition));
 
     test.done();

packages/@aws-cdk/aws-rds/test/test.instance.ts

@@ -105,13 +105,8 @@ export = {
           },
         ],
       },
-      DeletionPolicy: 'Retain',
-      UpdateReplacePolicy: 'Retain',
-    }, ResourcePart.CompleteDefinition));
-
-    expect(stack).to(haveResource('AWS::RDS::DBInstance', {
-      DeletionPolicy: 'Retain',
-      UpdateReplacePolicy: 'Retain',
+      DeletionPolicy: 'Snapshot',
+      UpdateReplacePolicy: 'Snapshot',
     }, ResourcePart.CompleteDefinition));
 
     expect(stack).to(haveResource('AWS::RDS::DBSubnetGroup', {