fix(rds): deprecated instanceResourceId property and added new instan…

…ceResourceIdV2 property in DatabaseInstanceReadReplica to use in grantConnect().
aws · Aug 15, 2024 · 113ab2a · 113ab2a
1 parent 51951b9
commit 113ab2a
Showing 1 changed file with 44 additions and 1 deletion.
diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance.ts b/packages/aws-cdk-lib/aws-rds/lib/instance.ts
@@ -1333,7 +1333,13 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
   public readonly instanceIdentifier: string;
   public readonly dbInstanceEndpointAddress: string;
   public readonly dbInstanceEndpointPort: string;
+
+  /**
+   * @deprecated use `instanceResourceIdV2`
+   */
   public readonly instanceResourceId?: string;
+
+  public readonly instanceResourceIdV2?: string;
   public readonly instanceEndpoint: Endpoint;
   public readonly engine?: IInstanceEngine = undefined;
   protected readonly instanceType: ec2.InstanceType;
@@ -1366,7 +1372,8 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
     this.instanceIdentifier = instance.ref;
     this.dbInstanceEndpointAddress = instance.attrEndpointAddress;
     this.dbInstanceEndpointPort = instance.attrEndpointPort;
-    this.instanceResourceId = instance.attrDbiResourceId;
+    this.instanceResourceId = instance.attrDbInstanceArn;
+    this.instanceResourceIdV2 = instance.attrDbiResourceId;
 
     // create a number token that represents the port of the instance
     const portAttribute = Token.asNumber(instance.attrEndpointPort);
@@ -1376,6 +1383,42 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
 
     this.setLogRetention();
   }
+
+  /**
+   * Grant the given identity connection access to the database.
+   *
+   * @param grantee the Principal to grant the permissions to
+   * @param dbUser the name of the database user to allow connecting as to the db instance
+   */
+  public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {
+    if (this.enableIamAuthentication === false) {
+      throw new Error('Cannot grant connect when IAM authentication is disabled');
+    }
+
+    if (!this.instanceResourceIdV2) {
+      throw new Error('For imported Database Instances, instanceResourceIdV2 is required to grantConnect()');
+    }
+
+    if (!dbUser) {
+      throw new Error('For imported Database Instances, the dbUser is required to grantConnect()');
+    }
+
+    this.enableIamAuthentication = true;
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions: ['rds-db:connect'],
+      resourceArns: [
+        // The ARN of an IAM policy for IAM database access is not the same as the instance ARN, so we cannot use `this.instanceArn`.
+        // See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
+        Stack.of(this).formatArn({
+          arnFormat: ArnFormat.COLON_RESOURCE_NAME,
+          service: 'rds-db',
+          resource: 'dbuser',
+          resourceName: [this.instanceResourceIdV2, dbUser].join('/'),
+        }),
+      ],
+    });
+  }
 }
 
 /**