Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rds): Kerberos authentication support in Aurora Database Clusters #28559

Merged
merged 22 commits into from
Jan 24, 2024

Conversation

badmintoncryer
Copy link
Contributor

@badmintoncryer badmintoncryer commented Jan 3, 2024

I have added the arguments domain and domainRole to support Kerberos authentication for the Aurora Database cluster. The specifications for these arguments are the same as the existing domain and domainRole in the Instance.

declare const vpc: ec2.Vpc
declare const iamRole: iam.IRole
new rds.DatabaseCluster(this, 'Database', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_05_1 }),
  writer: rds.ClusterInstance.provisioned('Instance', {
    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
  }),
  vpc,
  domain: 'd-????????', // added
  domainRole: iamRole, // added
});

Closes #28050.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 3, 2024 13:46
@github-actions github-actions bot added valued-contributor [Pilot] contributed between 6-12 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Jan 3, 2024
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@badmintoncryer badmintoncryer changed the title Support for kerberos authentication for Aurora Database Cluster feat(rds): Kerberos authentication support in Aurora Database Clusters. Jan 3, 2024
@badmintoncryer badmintoncryer changed the title feat(rds): Kerberos authentication support in Aurora Database Clusters. feat(rds): Kerberos authentication support in Aurora Database Clusters Jan 5, 2024
@badmintoncryer badmintoncryer marked this pull request as ready for review January 6, 2024 18:43
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 6, 2024 18:44

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

this.domainRole = props.domainRole ?? new iam.Role(this, 'RDSClusterDirectoryServiceRole', {
assumedBy: new iam.CompositePrincipal(
new iam.ServicePrincipal('rds.amazonaws.com'),
new iam.ServicePrincipal('directoryservice.rds.amazonaws.com'),
Copy link
Contributor Author

@badmintoncryer badmintoncryer Jan 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the implementation of the instance, directoryservice.rds.amazonaws.com is not set as a principal, which is a bug and causes the deployment to fail.

I will address this in a separate issue(#28600).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 6, 2024
Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution. I made some comments about README.

new iam.ServicePrincipal('directoryservice.rds.amazonaws.com'),
),
managedPolicies: [
iam.ManagedPolicy.fromManagedPolicyArn(this, 'RdsRole', 'arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess'),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use fromAwsManagedPolicyName?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was I using the fromManagerdPolicyArn? 😂

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's fix the same in an integ test and an unit test so that contributors who see these codes will not misunderstand!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was using it elsewhere too.. Thanks for pointing that out. I've made the correction!

packages/aws-cdk-lib/aws-rds/README.md Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/README.md Outdated Show resolved Hide resolved
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 21, 2024
badmintoncryer and others added 3 commits January 21, 2024 23:19
Co-authored-by: k.goto <24818752+go-to-k@users.noreply.github.com>
Co-authored-by: k.goto <24818752+go-to-k@users.noreply.github.com>
@badmintoncryer
Copy link
Contributor Author

@go-to-k Thank you for your review! I've addressed your comments.

@go-to-k
Copy link
Contributor

go-to-k commented Jan 22, 2024

Could you update snapshots for the integ test?

@badmintoncryer
Copy link
Contributor Author

@go-to-k
Sorry, I added updated integ test files.

Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 22, 2024
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments

packages/aws-cdk-lib/aws-rds/README.md Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/lib/cluster.ts Outdated Show resolved Hide resolved
/**
* The Active Directory directory ID, required for setting up Kerberos authentication, to create the DB cluster in.
*
* @default - Do not join domain
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels a bit vague to me but it could just be that I'm missing some context. Is this saying that the cluster will be created but just not within a domain (or within the Active Directory)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand, you're right; the cluster will be created but not associated with any domain. I've revised the comment section for clarity. Could you please check it again?
(I have limited English skills, so I would appreciate it if you could appropriately adjust the text for me.)

Copy link
Contributor

@paulhcsun paulhcsun Jan 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new description is a lot clearer to me now! And no worries at all, I really appreciate that you do your best to address the description changes!

* The IAM role to be used when making API calls to the Directory Service. The role needs the AWS-managed policy
* AmazonRDSDirectoryServiceAccess or equivalent.
*
* @default - The role will be created for you if `DatabaseClusterBaseProps#domain` is specified
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be nice to know what permissions are granted with the default role. Also is DatabaseClusterBaseProps#domain supposed to be DatabaseClusterBaseProps.domain?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the sentence. Please confirm it.

packages/aws-cdk-lib/aws-rds/lib/cluster.ts Outdated Show resolved Hide resolved
this.domainRole = props.domainRole ?? new iam.Role(this, 'RDSClusterDirectoryServiceRole', {
assumedBy: new iam.CompositePrincipal(
new iam.ServicePrincipal('rds.amazonaws.com'),
new iam.ServicePrincipal('directoryservice.rds.amazonaws.com'),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 23, 2024
badmintoncryer and others added 2 commits January 23, 2024 14:46
Co-authored-by: paulhcsun <47882901+paulhcsun@users.noreply.github.com>
Co-authored-by: paulhcsun <47882901+paulhcsun@users.noreply.github.com>
@mergify mergify bot dismissed paulhcsun’s stale review January 23, 2024 05:46

Pull request has been modified.

Co-authored-by: paulhcsun <47882901+paulhcsun@users.noreply.github.com>
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 23, 2024
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for updating the descriptions! They're a lot clearer to me now.

packages/aws-cdk-lib/aws-rds/lib/cluster.ts Outdated Show resolved Hide resolved
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on this @badmintoncryer!

And thank you for reviewing @go-to-k!

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 24, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dbc4093
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

mergify bot commented Jan 24, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit bdf4285 into aws:main Jan 24, 2024
14 checks passed
@badmintoncryer badmintoncryer deleted the 28050-supportKerberos branch January 24, 2024 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 valued-contributor [Pilot] contributed between 6-12 PRs to the CDK
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(rds): Support kerberos authentication on RDS clusters
4 participants