UNPKG

cdk-rds-sql

Version:

A CDK construct that allows creating roles or users and databases an on Aurora Serverless Postgresql or Mysql/MariaDB cluster.

github.com/berenddeboer/cdk-rds-sql

berenddeboer/cdk-rds-sql

229 lines (189 loc) 7.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
import { MysqlEngine } from "./engine.mysql" describe("MySQL Engine", () => { let engine: MysqlEngine beforeEach(() => { engine = new MysqlEngine() }) describe("Database", () => { it("should generate correct SQL for creating a database", () => { const sql = engine.createDatabase("testdb", {}) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("CREATE DATABASE IF NOT EXISTS") }) it("should generate correct SQL for creating a database with an owner", () => { const sql = engine.createDatabase("testdb", { Owner: "testuser" }) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("CREATE DATABASE IF NOT EXISTS") expect(sql[1]).toContain("GRANT ALL PRIVILEGES") }) it("should generate correct SQL for deleting a database", () => { const sql = engine.deleteDatabase("testdb", "masteruser") expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("DROP DATABASE IF EXISTS") }) }) describe("Role", () => { it("should throw error when creating a role without password ARN", async () => { await expect(engine.createRole("testrole", {})).rejects.toThrow( "No PasswordArn provided" ) }) it("should generate correct SQL for renaming a role", async () => { // Mock getPassword implementation jest.spyOn(engine as any, "getPassword").mockResolvedValue("test-password") const sql = await engine.updateRole( "newrole", "oldrole", { PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", }, {} ) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("CREATE USER IF NOT EXISTS") expect(sql[1]).toContain("DROP USER IF EXISTS") expect(sql[2]).toContain("FLUSH PRIVILEGES") }) it("should generate correct SQL for deleting a role", () => { const sql = engine.deleteRole("testrole", { DatabaseName: "testdb" }) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("REVOKE ALL PRIVILEGES") expect(sql[1]).toContain("DROP USER IF EXISTS") }) it("should generate SQL to revoke privileges on old database when database is changed", async () => { // Mock getPassword implementation jest.spyOn(engine as any, "getPassword").mockResolvedValue("test-password") const oldProps = { DatabaseName: "olddb", PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", } const newProps = { DatabaseName: "newdb", PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", } const sql = await engine.updateRole("testrole", "testrole", newProps, oldProps) expect(Array.isArray(sql)).toBe(true) // Check for revoke statement for the old database const revokeStatement = sql.find( (statement) => statement.includes("REVOKE ALL PRIVILEGES") && statement.includes("`olddb`") ) expect(revokeStatement).toBeDefined() // Check for grant statement for the new database const grantStatement = sql.find( (statement) => statement.includes("GRANT ALL PRIVILEGES") && statement.includes("`newdb`") ) expect(grantStatement).toBeDefined() }) describe("IAM Authentication", () => { it("should create user with IAM authentication", async () => { const props = { EnableIamAuth: true, DatabaseName: "testdb", } const sql = await engine.createRole("iamuser", props) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain( "CREATE USER IF NOT EXISTS 'iamuser'@'%' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS'" ) expect(sql[1]).toContain("GRANT ALL PRIVILEGES ON `testdb`.* TO 'iamuser'@'%'") expect(sql[2]).toBe("FLUSH PRIVILEGES") }) it("should create user without IAM authentication", async () => { jest.spyOn(engine as any, "getPassword").mockResolvedValue("test-password") const props = { EnableIamAuth: false, PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", DatabaseName: "testdb", } const sql = await engine.createRole("passworduser", props) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain( "CREATE USER IF NOT EXISTS 'passworduser'@'%' IDENTIFIED BY 'test-password'" ) expect(sql[1]).toContain( "GRANT ALL PRIVILEGES ON `testdb`.* TO 'passworduser'@'%'" ) expect(sql[2]).toBe("FLUSH PRIVILEGES") }) it("should switch from password to IAM authentication", async () => { const oldProps = { EnableIamAuth: false, PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", } const newProps = { EnableIamAuth: true, DatabaseName: "testdb", } const sql = await engine.updateRole( "switchuser", "switchuser", newProps, oldProps ) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("DROP USER IF EXISTS 'switchuser'@'%'") expect(sql[1]).toContain( "CREATE USER 'switchuser'@'%' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS'" ) expect(sql[2]).toContain("GRANT ALL PRIVILEGES ON `testdb`.* TO 'switchuser'@'%'") expect(sql[3]).toBe("FLUSH PRIVILEGES") }) it("should switch from IAM to password authentication", async () => { jest.spyOn(engine as any, "getPassword").mockResolvedValue("new-password") const oldProps = { EnableIamAuth: true, } const newProps = { EnableIamAuth: false, PasswordArn: "arn:aws:secretsmanager:region:account:secret:name", DatabaseName: "testdb", } const sql = await engine.updateRole( "switchuser", "switchuser", newProps, oldProps ) expect(Array.isArray(sql)).toBe(true) expect(sql[0]).toContain("DROP USER IF EXISTS 'switchuser'@'%'") expect(sql[1]).toContain( "CREATE USER 'switchuser'@'%' IDENTIFIED BY 'new-password'" ) expect(sql[2]).toContain("GRANT ALL PRIVILEGES ON `testdb`.* TO 'switchuser'@'%'") expect(sql[3]).toBe("FLUSH PRIVILEGES") }) }) }) describe("Schema", () => { it("should throw an error when trying to create a schema", () => { expect(() => engine.createSchema("testschema", {})).toThrow("not supported") }) it("should throw an error when trying to update a schema", () => { expect(() => engine.updateSchema("newschema", "oldschema", {})).toThrow( "not supported" ) }) it("should throw an error when trying to delete a schema", () => { expect(() => engine.deleteSchema("testschema", {})).toThrow("not supported") }) }) describe("SQL", () => { it("should pass through SQL statements for create", () => { const statement = "SELECT * FROM users" const sql = engine.createSql("test", { Statement: statement }) expect(sql).toBe(statement) }) it("should pass through SQL statements for update", () => { const statement = "UPDATE users SET name = 'test'" const sql = engine.updateSql("test", "old", { Statement: statement }) expect(sql).toBe(statement) }) it("should pass through rollback SQL for delete", () => { const rollback = "DROP TABLE users" const sql = engine.deleteSql("test", { Rollback: rollback }) expect(sql).toBe(rollback) }) }) })