feat(rds): add grant method for Data API

packages/@aws-cdk/aws-rds/README.md

@@ -229,7 +229,7 @@ See also [@aws-cdk/aws-secretsmanager](https://github.com/aws/aws-cdk/blob/maste
 ### IAM Authentication
 
 You can also authenticate to a database instance using AWS Identity and Access Management (IAM) database authentication;
-See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html for more information
+See <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html> for more information
 and a list of supported versions and limitations.
 
 The following example shows enabling IAM authentication for a database instance and granting connection access to an IAM role.
@@ -245,12 +245,12 @@ instance.grantConnect(role); // Grant the role connection access to the DB.
 ```
 
 **Note**: In addition to the setup above, a database user will need to be created to support IAM auth.
-See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html for setup instructions.
+See <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html> for setup instructions.
 
 ### Kerberos Authentication
 
 You can also authenticate using Kerberos to a database instance using AWS Managed Microsoft AD for authentication;
-See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html for more information
+See <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html> for more information
 and a list of supported versions and limitations.
 
 The following example shows enabling domain support for a database instance and creating an IAM role to access
@@ -274,7 +274,7 @@ const instance = new rds.DatabaseInstance(stack, 'Instance', {
 **Note**: In addition to the setup above, you need to make sure that the database instance has network connectivity
 to the domain controllers. This includes enabling cross-VPC traffic if in a different VPC and setting up the
 appropriate security groups/network ACL to allow traffic between the database instance and domain controllers.
-Once configured, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html for details
+Once configured, see <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html> for details
 on configuring users for each available database engine.
 
 ### Metrics
@@ -412,7 +412,7 @@ in the cloud without managing any database instances.
 
 The following example initializes an Aurora Serverless PostgreSql cluster.
 Aurora Serverless clusters can specify scaling properties which will be used to
-automatically scale the database cluster seamlessly based on the workload. 
+automatically scale the database cluster seamlessly based on the workload.
 
 ```ts
 import * as ec2 from '@aws-cdk/aws-ec2';
@@ -431,7 +431,9 @@ const cluster = new rds.ServerlessCluster(this, 'AnotherCluster', {
   }
 });
 ```
+
 Aurora Serverless Clusters do not support the following features:
+
 * Loading data from an Amazon S3 bucket
 * Saving data to an Amazon S3 bucket
 * Invoking an AWS Lambda function with an Aurora MySQL native function
@@ -448,3 +450,35 @@ Aurora Serverless Clusters do not support the following features:
 Read more about the [limitations of Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations)
 
 Learn more about using Amazon Aurora Serverless by reading the [documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html)
+
+#### Data API
+
+You can access your Aurora Serverless DB cluster using the built-in Data API. The Data API doesn't require a persistent connection to the DB cluster. Instead, it provides a secure HTTP endpoint and integration with AWS SDKs.
+
+The following example shows granting Data API access to a Lamba function.
+
+```ts
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as rds from '@aws-cdk/aws-rds';
+
+const cluster = new rds.ServerlessCluster(this, 'AnotherCluster', {
+  engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
+  vpc,
+  enableDataApi: true,
+});
+
+const fn = new lambda.Function(this, 'MyFunction', {
+  runtime: lambda.Runtime.NODEJS_10_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
+  environment: {
+    CLUSTER_ARN: cluster.clusterArn,
+    SECRET_ARN: cluster.secret.secretArn,
+  },
+});
+cluster.grantDataApiAccess(fn)
+```
+
+**Note**: To invoke the Data API, the resource will need to read the secret associated with the cluster.
+
+To learn more about using the Data API, see the [documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html).

packages/@aws-cdk/aws-rds/lib/perms.ts

@@ -0,0 +1,8 @@
+// minimal set of permissions based on https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html#data-api.access
+export const DATA_API_ACTIONS = [
+  'rds-data:BatchExecuteStatement',
+  'rds-data:BeginTransaction',
+  'rds-data:CommitTransaction',
+  'rds-data:ExecuteStatement',
+  'rds-data:RollbackTransaction',
+];

packages/@aws-cdk/aws-rds/lib/serverless-cluster.ts

@@ -1,12 +1,14 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
-import { Resource, Duration, Token, Annotations, RemovalPolicy, IResource, Stack } from '@aws-cdk/core';
+import { Resource, Duration, Token, Annotations, RemovalPolicy, IResource, Stack, Lazy } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { IClusterEngine } from './cluster-engine';
 import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
 import { IParameterGroup } from './parameter-group';
+import { DATA_API_ACTIONS } from './perms';
 import { applyRemovalPolicy, defaultDeletionProtection, DEFAULT_PASSWORD_EXCLUDE_CHARS } from './private/util';
 import { Credentials, RotationMultiUserOptions, RotationSingleUserOptions } from './props';
 import { CfnDBCluster } from './rds.generated';
@@ -39,6 +41,13 @@ export interface IServerlessCluster extends IResource, ec2.IConnectable, secrets
    * @attribute ReadEndpointAddress
    */
   readonly clusterReadEndpoint: Endpoint;
+
+  /**
+   * Grant the given identity to access to the Data API
+   *
+   * @param grantee The principal to grant access to
+   */
+  grantDataApiAccess(grantee: iam.IGrantable): iam.Grant
 }
 /**
  *  Properties to configure an Aurora Serverless Cluster
@@ -89,14 +98,13 @@ export interface ServerlessClusterProps {
   readonly deletionProtection?: boolean;
 
   /**
-   * Whether to enable the HTTP endpoint for an Aurora Serverless database cluster.
-   * The HTTP endpoint must be explicitly enabled to enable the Data API.
+   * Whether to enable the Data API.
    *
    * @see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html
     *
    * @default false
    */
-  readonly enableHttpEndpoint?: boolean;
+  readonly enableDataApi?: boolean;
 
   /**
    * The VPC that this Aurora Serverless cluster has been created in.
@@ -194,6 +202,13 @@ export interface ServerlessClusterAttributes {
    * @default - no reader address
    */
   readonly readerEndpointAddress?: string;
+
+  /**
+   * The secret attached to the database cluster
+   *
+   * @default - no secret
+   */
+  readonly secret?: secretsmanager.ISecret;
 }
 
 /**
@@ -288,6 +303,13 @@ abstract class ServerlessClusterBase extends Resource implements IServerlessClus
    */
   public abstract readonly connections: ec2.Connections;
 
+  /**
+   * The secret attached to this cluster
+   */
+  public abstract readonly secret?: secretsmanager.ISecret
+
+  protected abstract enableDataApi?: boolean;
+
   /**
    * The ARN of the cluster
    */
@@ -300,6 +322,27 @@ abstract class ServerlessClusterBase extends Resource implements IServerlessClus
     });
   }
 
+  /**
+   * Grant the given identity to access to the Data API, including read access to the secret attached to the cluster if present
+   *
+   * @param grantee The principal to grant access to
+   */
+  public grantDataApiAccess(grantee: iam.IGrantable): iam.Grant {
+    if (this.enableDataApi === false) {
+      throw new Error('Cannot grant Data API access when HTTP endpoint is disabled');
+    }
+
+    this.enableDataApi = true;
+    const ret = iam.Grant.addToPrincipal({
+      grantee,
+      actions: DATA_API_ACTIONS,
+      resourceArns: [this.clusterArn],
+      scope: this,
+    });
+    this.secret?.grantRead(grantee);
+    return ret;
+  }
+
   /**
    * Renders the secret attachment target specifications.
    */
@@ -334,11 +377,10 @@ export class ServerlessCluster extends ServerlessClusterBase {
   public readonly clusterReadEndpoint: Endpoint;
   public readonly connections: ec2.Connections;
 
-  /**
-   * The secret attached to this cluster
-   */
   public readonly secret?: secretsmanager.ISecret;
 
+  protected readonly enableDataApi?: boolean
+
   private readonly subnetGroup: ISubnetGroup;
   private readonly vpc: ec2.IVpc;
   private readonly vpcSubnets?: ec2.SubnetSelection;
@@ -355,6 +397,8 @@ export class ServerlessCluster extends ServerlessClusterBase {
     this.singleUserRotationApplication = props.engine.singleUserRotationApplication;
     this.multiUserRotationApplication = props.engine.multiUserRotationApplication;
 
+    this.enableDataApi = props.enableDataApi;
+
     const { subnetIds } = this.vpc.selectSubnets(this.vpcSubnets);
 
     // Cannot test whether the subnets are in different AZs, but at least we can test the amount.
@@ -410,7 +454,7 @@ export class ServerlessCluster extends ServerlessClusterBase {
       engine: props.engine.engineType,
       engineVersion: props.engine.engineVersion?.fullVersion,
       engineMode: 'serverless',
-      enableHttpEndpoint: props.enableHttpEndpoint,
+      enableHttpEndpoint: Lazy.anyValue({ produce: () => this.enableDataApi }),
       kmsKeyId: props.storageEncryptionKey?.keyArn,
       masterUsername: credentials.username,
       masterUserPassword: credentials.password?.toString(),
@@ -509,6 +553,10 @@ class ImportedServerlessCluster extends ServerlessClusterBase implements IServer
   public readonly clusterIdentifier: string;
   public readonly connections: ec2.Connections;
 
+  public readonly secret?: secretsmanager.ISecret;
+
+  protected readonly enableDataApi = true
+
   private readonly _clusterEndpoint?: Endpoint;
   private readonly _clusterReadEndpoint?: Endpoint;
 
@@ -523,6 +571,8 @@ class ImportedServerlessCluster extends ServerlessClusterBase implements IServer
       defaultPort,
     });
 
+    this.secret = attrs.secret;
+
     this._clusterEndpoint = (attrs.clusterEndpointAddress && attrs.port) ? new Endpoint(attrs.clusterEndpointAddress, attrs.port) : undefined;
     this._clusterReadEndpoint = (attrs.readerEndpointAddress && attrs.port) ? new Endpoint(attrs.readerEndpointAddress, attrs.port) : undefined;
   }