Extend database component with monitoring and multiAz

Author: ikovac

README.md

@@ -109,11 +109,13 @@ type DatabaseServiceOptions = {
   dbName: pulumi.Input<string>;
   username: pulumi.Input<string>;
   password?: pulumi.Input<string>;
+  multiAz?: pulumi.Input<boolean>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
   maxAllocatedStorage?: pulumi.Input<number>;
   instanceClass?: pulumi.Input<string>;
+  enableMonitoring?: pulumi.Input<boolean>;
   tags?: pulumi.Input<{
     [key: string]: pulumi.Input<string>;
   }>;
@@ -359,11 +361,13 @@ type DatabaseArgs = {
   isolatedSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
   vpcCidrBlock: pulumi.Input<string>;
   password?: pulumi.Input<string>;
+  multiAz?: pulumi.Input<boolean>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
   maxAllocatedStorage?: pulumi.Input<number>;
   instanceClass?: pulumi.Input<string>;
+  enableMonitoring?: pulumi.Input<boolean>;
   tags?: pulumi.Input<{
     [key: string]: pulumi.Input<string>;
   }>;

src/components/database.ts

@@ -18,6 +18,10 @@ export type DatabaseArgs = {
    * The IPv4 CIDR block for the VPC.
    */
   vpcCidrBlock: pulumi.Input<string>;
+  /**
+   * Specifies if the RDS instance is multi-AZ. Defaults to false.
+   */
+  multiAz?: pulumi.Input<boolean>;
   /**
    * Password for the master DB user. If not specified it will be autogenerated.
    * The value will be stored as a secret in AWS Secret Manager.
@@ -46,6 +50,10 @@ export type DatabaseArgs = {
    * The instance type of the RDS instance. Defaults to 'db.t4g.micro'.
    */
   instanceClass?: pulumi.Input<string>;
+  /**
+   * Set this to true to enable database monitoring. Defaults to false.
+   */
+  enableMonitoring?: pulumi.Input<boolean>;
   /**
    * A map of tags to assign to the resource.
    */
@@ -55,11 +63,13 @@ export type DatabaseArgs = {
 };
 
 const defaults = {
+  multiAz: false,
   applyImmediately: false,
   skipFinalSnapshot: false,
   allocatedStorage: 20,
   maxAllocatedStorage: 100,
   instanceClass: 'db.t4g.micro',
+  enableMonitoring: false,
 };
 
 export class Database extends pulumi.ComponentResource {
@@ -69,6 +79,7 @@ export class Database extends pulumi.ComponentResource {
   dbSubnetGroup: aws.rds.SubnetGroup;
   dbSecurityGroup: aws.ec2.SecurityGroup;
   password: Password;
+  monitoringRole?: aws.iam.Role;
 
   constructor(
     name: string,
@@ -79,7 +90,9 @@ export class Database extends pulumi.ComponentResource {
 
     this.name = name;
 
-    const { vpcId, isolatedSubnetIds, vpcCidrBlock } = args;
+    const argsWithDefaults = Object.assign({}, defaults, args);
+    const { vpcId, isolatedSubnetIds, vpcCidrBlock, enableMonitoring } =
+      argsWithDefaults;
     this.dbSubnetGroup = this.createSubnetGroup({ isolatedSubnetIds });
     this.dbSecurityGroup = this.createSecurityGroup({ vpcId, vpcCidrBlock });
     this.kms = this.createEncryptionKey();
@@ -88,6 +101,9 @@ export class Database extends pulumi.ComponentResource {
       { value: args.password },
       { parent: this },
     );
+    if (enableMonitoring) {
+      this.monitoringRole = this.createMonitoringRole();
+    }
     this.instance = this.createDatabaseInstance(args);
 
     this.registerOutputs();
@@ -147,10 +163,48 @@ export class Database extends pulumi.ComponentResource {
     return kms;
   }
 
+  private createMonitoringRole() {
+    const monitoringRole = new aws.iam.Role(`${this.name}-rds-monitoring`, {
+      assumeRolePolicy: {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Action: 'sts:AssumeRole',
+            Effect: 'Allow',
+            Principal: {
+              Service: 'monitoring.rds.amazonaws.com',
+            },
+          },
+        ],
+      },
+    });
+
+    new aws.iam.RolePolicyAttachment(
+      `${this.name}-rds-monitoring-role-attachment`,
+      {
+        role: monitoringRole.name,
+        policyArn:
+          'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole',
+      },
+    );
+
+    return monitoringRole;
+  }
+
   private createDatabaseInstance(args: DatabaseArgs) {
     const argsWithDefaults = Object.assign({}, defaults, args);
     const stack = pulumi.getStack();
 
+    const monitoringOptions =
+      argsWithDefaults.enableMonitoring && this.monitoringRole
+        ? {
+            monitoringInterval: 60,
+            monitoringRoleArn: this.monitoringRole.arn,
+            performanceInsightsEnabled: true,
+            performanceInsightsRetentionPeriod: 7,
+          }
+        : {};
+
     const instance = new aws.rds.Instance(
       `${this.name}-rds`,
       {
@@ -167,6 +221,7 @@ export class Database extends pulumi.ComponentResource {
         vpcSecurityGroupIds: [this.dbSecurityGroup.id],
         storageEncrypted: true,
         kmsKeyId: this.kms.arn,
+        multiAz: argsWithDefaults.multiAz,
         publiclyAccessible: false,
         skipFinalSnapshot: argsWithDefaults.skipFinalSnapshot,
         applyImmediately: argsWithDefaults.applyImmediately,
@@ -175,6 +230,7 @@ export class Database extends pulumi.ComponentResource {
         finalSnapshotIdentifier: `${this.name}-final-snapshot-${stack}`,
         backupWindow: '06:00-06:30',
         backupRetentionPeriod: 14,
+        ...monitoringOptions,
         tags: { ...commonTags, ...argsWithDefaults.tags },
       },
       { parent: this, dependsOn: [this.password] },