set up serverless Aurora CDK database (#73)

AnJuHyppolite · web-flow · commit 9c008107cc69 · 2025-08-07T16:07:22.000-04:00
### Description  This PR resolves [Configure Aurora Serverless v2 PostgreSQL](newjersey/innovation-platform-pm#464) by implementing Infrastructure as Code (IaC) for an AWS Aurora Serverless v2 PostgreSQL database. ### Approach  **Using AWS Cloud Development Kit (CDK) and TypeScript:** - Referenced the existing dev VPC (will update to prod VPC once PR is approved and production deployment schedule is set) - Created supporting resources: subnet group, security group, and Aurora cluster - Exported VPC and security group for use in API stack (lambdas) - Updated `FeedbackApiStack` to accept shared `vpc` and `securityGroup` from `FeedbackDbStack` - Wrote tests to validate mocked VPC, creation of resources, and configuration settings - Used `cdk synth` to generate and validate CloudFormation output #### AWS Resource Documentation - [Work with the AWS CDK in TypeScript](https://docs.aws.amazon.com/cdk/v2/guide/work-with-cdk-typescript.html#typescript-newproject) - [How to create a CDK app](https://docs.aws.amazon.com/cdk/v2/guide/apps.html) - [Define an AWS Virtual Private Cloud](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html) - [Create an RDS DB subnet group](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.SubnetGroup.html) - [Create an Amazon EC2 security group within a VPC](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html) - [Create a clustered database](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html) - [AWS CDK Test Assertions](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.assertions-readme.html) ### Steps to Test  1. Run `npm install` to install dependencies. 2. Run `npm run synth:dev` to synthesize the CDK app into a dev CloudFormation template. 3. 2. Run `npm run deploy-db:dev` to deploy the dev database AWS. 4. Verify synthesized template includes VPC, subnet group, security group, and Aurora cluster. #### **To check deployment (in AWS Console):** 1. Search for/Go to CloudFormation. 2. Choose your AWS region (e.g., us-east-1) at the top-right. 3. Look for a stack named `FeedbackDbStack`. 4. Confirm its status is ✅ CREATE_COMPLETE. ### Notes  - [x] Deployment requires AWS account authorization due to costs; awaiting leadership approval - [ ] Once PR is approved, we can: - [x] deploy to the dev account - [ ] merge PR into dev
diff --git a/infra/README.md b/infra/README.md
@@ -0,0 +1,23 @@
+# Feedback Widget Infrastructure (AWS CDK - TypeScript)
+
+This project defines the infrastructure for the **Feedback Widget** using [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/home.html) with TypeScript. It provisions an **Aurora PostgreSQL Serverless v2** database (DB) along with its supporting resources.
+
+## Resources
+
+| Resource              | Logical ID           | Purpose |
+|-----------------------|----------------------|---------|
+| **VPC**               | `FeedbackVpc`          | Isolated network environment for the DB |
+| **Subnet Group**      | `FeedbackSubnetGroup`  | Specifies DB placement in private subnets |
+| **Aurora Cluster**    | `FeedbackDBCluster`      | Serverless v2 Aurora PostgreSQL DB |
+| **Outputs**           | `FeedbackDBClusterEndpoint` | Cluster endpoint for local development or reference |
+
+## CDK Setup & Commands
+
+To get started or continue working:
+
+```bash
+npm install               # Install dependencies
+npm run diff              # Preview infrastructure changes
+npm run deploy            # Deploy to AWS
+npm run deploy-db:dev     # Deploy the dev database to AWS
+npm run synth:dev         # Synthesizes the CDK app into a dev CloudFormation template
diff --git a/infra/bin/feedback-api.ts b/infra/bin/feedback-api.ts
diff --git a/infra/bin/feedback.ts b/infra/bin/feedback.ts
@@ -0,0 +1,16 @@
+import * as cdk from 'aws-cdk-lib';
+import { FeedbackApiStack } from '../lib/feedback-api-stack';
+import { FeedbackDbStack } from '../lib/feedback-db-stack';
+
+const app = new cdk.App();
+
+const env = {
+  account: '152320432929',
+  region: 'us-east-1'
+};
+
+new FeedbackDbStack(app, 'FeedbackDbStack', {
+  env
+});
+
+new FeedbackApiStack(app, 'FeedbackApiStack', {});
diff --git a/infra/cdk.context.json b/infra/cdk.context.json
@@ -0,0 +1,28 @@
+{
+  "vpc-provider:account=152320432929:filter.vpc-id=vpc-06ea0349e255c4c59:region=us-east-1:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-06ea0349e255c4c59",
+    "vpcCidrBlock": "10.43.78.0/24",
+    "ownerAccountId": "152320432929",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Private",
+        "type": "Private",
+        "subnets": [
+          {
+            "subnetId": "subnet-0184fa96237d9873f",
+            "cidr": "10.43.78.0/26",
+            "availabilityZone": "us-east-1a",
+            "routeTableId": "rtb-07b4c8c744c04d403"
+          },
+          {
+            "subnetId": "subnet-02e553a6971550663",
+            "cidr": "10.43.78.64/26",
+            "availabilityZone": "us-east-1b",
+            "routeTableId": "rtb-07b4c8c744c04d403"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/infra/cdk.json b/infra/cdk.json
@@ -1,5 +1,5 @@
 {
-  "app": "npx tsx bin/feedback-api.ts",
+  "app": "npx tsx bin/feedback.ts",
   "watch": {
     "include": ["**"],
     "exclude": [
@@ -17,7 +17,7 @@
   "context": {
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/core:target-partitions": ["aws"],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
@@ -74,6 +74,20 @@
     "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
     "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
     "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
-    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true,
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
+    "@aws-cdk/core:aspectPrioritiesMutating": true,
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true,
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+    "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true
   }
 }
diff --git a/infra/jest.config.ts b/infra/jest.config.ts
@@ -0,0 +1,12 @@
+import type { Config } from 'jest';
+
+const config: Config = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};
+
+export default config;
diff --git a/infra/lib/feedback-api-stack.ts b/infra/lib/feedback-api-stack.ts
@@ -6,7 +6,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import * as apigw from 'aws-cdk-lib/aws-apigateway';
 
 export class FeedbackApiStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+  constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id, props);
 
     const lambdaExecutionRole = new iam.Role(
diff --git a/infra/lib/feedback-db-stack.ts b/infra/lib/feedback-db-stack.ts
@@ -0,0 +1,58 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';
+
+interface FeedbackDbStackProps extends cdk.StackProps {
+  vpc?: ec2.IVpc; // allows for mocking in tests
+}
+
+export class FeedbackDbStack extends cdk.Stack {
+  vpc: ec2.IVpc;
+
+  constructor(scope: Construct, id: string, props: FeedbackDbStackProps) {
+    super(scope, id, props);
+
+    this.vpc =
+      props.vpc ??
+      ec2.Vpc.fromLookup(this, 'DevVpc', {
+        vpcId: 'vpc-06ea0349e255c4c59'
+      });
+
+    const subnetGroup = new rds.SubnetGroup(this, 'FeedbackSubnetGroup', {
+      description: 'Aurora DB private subnet group',
+      vpc: this.vpc,
+      subnetGroupName: 'feedback-subnet-group'
+    });
+
+    const cluster = new rds.DatabaseCluster(this, 'FeedbackDBCluster', {
+      engine: rds.DatabaseClusterEngine.auroraPostgres({
+        version: rds.AuroraPostgresEngineVersion.VER_17_4
+      }),
+      backup: {
+        retention: cdk.Duration.days(7)
+      },
+      credentials: rds.Credentials.fromGeneratedSecret('postgres'),
+      defaultDatabaseName: 'feedbackWidgetDb',
+      serverlessV2MaxCapacity: 2,
+      serverlessV2MinCapacity: 0.5,
+      storageEncrypted: true,
+      subnetGroup: subnetGroup,
+      vpc: this.vpc,
+      vpcSubnets: {
+        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
+      },
+      writer: rds.ClusterInstance.serverlessV2('writer')
+    });
+
+    const proxy = cluster.addProxy('FeedbackProxy', {
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      secrets: [cluster.secret!],
+      vpc: this.vpc
+    });
+
+    new cdk.CfnOutput(this, 'FeedbackDBProxyEndpoint', {
+      value: proxy.endpoint,
+      description: 'Proxy endpoint to connect to'
+    });
+  }
+}
diff --git a/infra/test/feedback-db-stack.test.ts b/infra/test/feedback-db-stack.test.ts
@@ -0,0 +1,56 @@
+import * as cdk from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as Cdk from '../lib/feedback-db-stack';
+import { Template } from 'aws-cdk-lib/assertions';
+
+describe('FeedbackDBStack', () => {
+  let app: cdk.App;
+  let stack: cdk.Stack;
+  let feedbackDbStack: Cdk.FeedbackDbStack;
+  let template: Template;
+
+  beforeEach(() => {
+    app = new cdk.App();
+
+    const fakeEnv = {
+      account: '123456789012',
+      region: 'us-east-1'
+    };
+
+    stack = new cdk.Stack(app, 'TestStack', {
+      env: fakeEnv
+    });
+
+    const mockedVpc = ec2.Vpc.fromVpcAttributes(stack, 'MockedVpc', {
+      vpcId: 'vpc-123456789',
+      availabilityZones: ['us-east-1a', 'us-east-1b'],
+      privateSubnetIds: ['subnet-1234', 'subnet-5678']
+    });
+
+    feedbackDbStack = new Cdk.FeedbackDbStack(app, 'FeedbackDbStack', {
+      vpc: mockedVpc,
+      env: fakeEnv
+    });
+
+    template = Template.fromStack(feedbackDbStack);
+  });
+
+  it('creates a subnet group', () => {
+    template.resourceCountIs('AWS::RDS::DBSubnetGroup', 1);
+    template.hasResourceProperties('AWS::RDS::DBSubnetGroup', {
+      DBSubnetGroupDescription: 'Aurora DB private subnet group'
+    });
+  });
+
+  it('creates an Aurora DB cluster', () => {
+    template.hasResourceProperties('AWS::RDS::DBCluster', {
+      Engine: 'aurora-postgresql',
+      DatabaseName: 'feedbackWidgetDb',
+      StorageEncrypted: true,
+      ServerlessV2ScalingConfiguration: {
+        MinCapacity: 0.5,
+        MaxCapacity: 2
+      }
+    });
+  });
+});
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/tsconfig.json b/tsconfig.json
