RdsDatabaseBuilder¶

Purpose¶

The RdsDatabaseBuilder class is a concrete implementation of the AbstractAWSResourceBuilder designed to create AWS RDS PostgreSQL database instances following organizational security and operational standards. This builder creates production-ready databases with automated encryption, credential management, monitoring, network security, custom parameter groups, and cross-account integration for enterprise environments.

Dependencies¶

This builder requires the following AWS resources and permissions:

Required AWS Permissions¶

RDS Management: Create, modify, and manage RDS database instances and parameter groups
KMS Operations: Encrypt/decrypt data and manage encryption keys for database storage
Secrets Manager: Create, read, update, and rotate database credentials securely
VPC Networking: Manage VPCs, subnets, and security groups for database network isolation
IAM Role Management: Create and manage service roles for database monitoring and operations
Parameter Store: Store and retrieve configuration parameters for cross-stack integration
Resource Tagging: Apply organizational tags to resources for governance and cost tracking
CloudFormation: Manage stack lifecycle and resource dependencies during deployment

Foundation Dependencies¶

VPC with Private Subnets: Named vpc-rds with private subnets across availability zones
KMS Key: Encryption key with alias pattern:
- alias/{domain}-foundation-{project}-{env}-rds-snc-key if use_foundation_key is true
- alias/{domain}-{project}-{env}-rds-snc-key if use_foundation_key is false
Security Group:
- own-main-rds-sg for primary database access
- own-devops-vpc-rds-sg for DevOps VPC access
Cross-Account Role: DevOps role for pipeline and operational access

Configuration¶

The builder uses the RdsDBConfig model for the validation of your configuration and becomes the authoritative source of all rds database settings.

CDK Configuration Structure¶

{
  "db_name": "db-name",
  "instance_class": "BURSTABLE3",
  "instance_size": "MICRO",
  "allocated_storage_gb": 100,
  "max_allocated_storage_gb": 1000,
  "monitoring_interval": 60,
  "multi_az": false,
  "use_foundation_key": true,
  "secret": {
    "base_name": "rds",
    "user_pwd_rotation_days": 30,
    "is_shared": false
  },
  "use_iam_authentication": false,
  "parameter_group": {
    "log_statement": "mod",
    "rds.log_retention_period": "10080",
    "log_min_duration_statement": "1000",
    "rds.logical_replication": "1"
  },
  "inbound_rules": [{
    "description": "additional inbound rule",
    "ipv4_cidr_block": "xx.xx.xx.xxx/xx"
  }],
  "tag_key": "ifdm-ops:backup",
  "tag_value": "bronze",

}

Configuration Parameters¶

Parameter	Mandatory	Type	Default	Description
db_name	Yes	str		Database name within RDS instance
instance_class	Yes	str		EC2 instance family for performance tier
instance_size	Yes	str		Size within instance family
allocated_storage_gb	Yes	int		Initial storage allocation in GB
max_allocated_storage_gb	Yes	int		Maximum storage in GB for autoscaling
monitoring_interval	Yes	int	60	Enhanced monitoring collection interval in seconds
secret	No	RdsSecretConfig	None	Secret configurations
use_iam_authentication	No	bool	False	Enable IAM database authentication mapping
parameter_group	No	Dict[str, str]	None	Parameter group configurations
inbound_rules	No	List[InboundRuleConfig]	[]	A list on additonal inbound rules
tag_key	Yes	str		Primary tag key for backup and operational policies
tag_value	Yes	str		Primary tag value for backup and operational policies
multi_az	No	bool	False	Enable Multi-AZ deployment for high availability. Creates a standby replica in a different AZ with automatic failover capability.
use_foundation_key	No	bool	True	Whether to use the organizational KMS key from the foundation

Please check the following models to have a detailed view on the configuration of the secretand inbound_rules:

Usage¶

Here’s an example of how to use the RdsDatabaseBuilder to build a RDS PostgreSQL DB in a CDK stack:

rds_config = app_helper.get_from_env("rds")

rds_builder = RdsDatabaseBuilder()
rds_builder = rds_builder.set_application_helper(app_helper) \
                         .set_builder_config(rds_config) \
                         .build(scope_from_stack)

Behavior and Features¶

Automatic Database Configuration¶

Security and Encryption:¶

KMS Encryption: Automatic encryption at rest using foundation organizational keys
VPC Isolation: Database deployed in private subnets with no public accessibility
Deletion Protection: Enabled to prevent accidental database deletion
Network Security: Automatic security group creation with minimal required access

Performance and Scaling:¶

*Storage Autoscaling*: Automatic storage scaling based on configured limits
*Enhanced Monitoring*: CloudWatch metrics collection at configurable intervals
*Custom Parameters*: PostgreSQL parameter group optimization for specific workloads
*Multi-AZ Deployment*: High availability across availability zones (configurable)

Credential Management:¶

Secrets Manager Integration: Automatic credential storage and rotation
Cross-Account Support: Shared secrets across AWS accounts for enterprise environments
Rotation Automation: AWS-managed password rotation with configurable frequency
Zero-Downtime Rotation: Multi-user rotation strategy prevents connection interruption

Naming Convention¶

Database instance names follow the pattern: {organization-prefix}-{app-name}-rds-db

The builder automatically:

Applies organizational naming standards
Converts names to lowercase with hyphens
Truncates names to respect RDS limits (63 characters)
Ensures name uniqueness within the account and region

Parameter Store Integration¶

Each database automatically creates Parameter Store entries for cross-stack references:

Database Endpoint: RDS_Endpoint containing the database connection endpoint
Secret ARN: secret_arn_{secret_name} for credential reference (when secrets are used)

IAM Database Authentication¶

When use_iam_authentication is enabled:

Database users can authenticate using IAM roles and policies instead of passwords
The database resource ID is automatically stored in Parameter Store as RDS_DB_RESOURCE_ID
Cross-account parameter sharing is configured for DevOps environments
IAM policies must be created separately to grant database access to specific users/roles

Network Security Configuration¶

Security Group Management:¶

Automatic VPC Access: Allows PostgreSQL traffic (port 5432) from VPC CIDR block
DevOps Integration: Automatic access from DevOps VPC in non-DevOps environments
Custom Rules: Additional inbound rules for specific network requirements
ECS Integration: Automatic integration with existing rds-from-ecs-sg security group

Network Isolation:¶

Private Subnets: Database placed in private subnets with egress-only internet access
No Public Access: Database endpoints not publicly accessible
VPC Peering Support: Access patterns for cross-VPC connectivity

Cross-Account Integration¶

Producer-Consumer Pattern: Secrets created in one account and shared with others
Parameter Store Integration: Cross-account secret ARN sharing through SSM parameters
IAM Role Integration: Automatic permissions for DevOps and pipeline access

Access Patterns:¶

DevOps Access: Automatic security group rules for operational access
Pipeline Integration: IAM roles and permissions for CI/CD deployments
Multi-Environment: Consistent configuration across development, testing, and production

Notes

The set_usage method from the abstract class should not be used in this builder.
PostgreSQL version 17.4 is automatically configured and cannot be overridden
Automated backups are disabled by default (backup_retention = 0 days) - use organizational backup strategies through tagging
The database uses pay-per-request model equivalent (no reserved capacity planning required)
All storage is automatically encrypted using foundation KMS keys
Parameter groups are only created when custom parameters are specified in configuration