From b67946d7990af8ac98d4423a7c6ba8f8ae8bdf81 Mon Sep 17 00:00:00 2001
From: Berend de Boer
Date: Sat, 21 Sep 2024 13:11:33 +1200
Subject: [PATCH] feat!: enable ssl by default

Set the ssl option on the provider to false to revert to the previous behaviour.

This addresses #34 and #35.

BREAKING CHANGE: ssl connections are now enabled by default.
---
 README.md | 20 ++++++++++++++++++--
 src/handler.ts | 2 ++
 src/provider.ts | 14 ++++++++++++++
 test/handler.test.ts | 1 +
 test/serverlessv2-stack.ts | 23 +++++++++-------------
 test/stack.test.ts | 32 +++++++++++++++++++++++++++++++-
 6 files changed, 75 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 3a650a5..6b69735 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ const provider = new Provider(this, "Provider", {
 ```
 For an instance:
+
 ```ts
 import { Provider } from "cdk-rds-sql"
@@ -107,6 +108,22 @@ const provider = new Provider(this, "Provider", {
 })
 ```
+### Disabling SSL
+
+The default connection to RDS is ssl enabled (this used to be disabled
+in versions below 4).
+
+You can disable ssl by setting the `ssl` option to `false`:
+
+```ts
+const provider = new Provider(this, "Provider", {
+ vpc: vpc,
+ instance: instance,
+ secret: cluster.secret!,
+ ssl: false, // default is true
+})
+```
+
 ## Roles
 Create a postgres role (user) for a cluster as follows:
@@ -240,11 +257,10 @@ DO $$BEGIN
 drop table t;
 END IF;
 END$$;
-`
+`,
 })
 ```
-
 Note that there is no synchronisation between various `Sql` constructs,
 in particular the order in your code does not determine the order in
 which your SQL is executed. This happens in parallel,
diff --git a/src/handler.ts b/src/handler.ts
index c66b3a1..10ee1ce 100644
--- a/src/handler.ts
+++ b/src/handler.ts
@@ -310,6 +310,7 @@ export const handler = async (
 } else {
 database = databaseName ?? secretValues.dbname // connect to given database if possible, else to database mentioned in secret
 }
+ const ssl = process.env.SSL ? JSON.parse(process.env.SSL) : true
 const params = {
 host: secretValues.host,
 port: secretValues.port,
@@ -317,6 +318,7 @@ export const handler = async (
 password: secretValues.password,
 database: database,
 connectionTimeoutMillis: 30000, // return an error if a connection could not be established within 30 seconds
+ ssl: ssl,
 }
 log(
 `Connecting to host ${params.host}: ${params.port}, database ${params.database} as ${params.user}`
diff --git a/src/provider.ts b/src/provider.ts
index 44ebf4d..3ccd43e 100644
--- a/src/provider.ts
+++ b/src/provider.ts
@@ -67,6 +67,13 @@ export interface RdsSqlProps {
 * @default - empty
 */
 readonly functionProps?: NodejsFunctionProps
+
+ /**
+ * Use SSL?
+ *
+ * @default - true
+ */
+ readonly ssl?: boolean
 }
 export class Provider extends Construct {
@@ -124,6 +131,12 @@ export class Provider extends Construct {
 "node_modules/cdk-rds-sql/lib/handler.js"
 )
 }
+ let ssl_options: Record | undefined
+ if (props.ssl !== undefined && !props.ssl) {
+ ssl_options = {
+ SSL: JSON.stringify(props.ssl),
+ }
+ }
 const logger = props.logger ?? false
 const fn = new lambda.NodejsFunction(scope, id, {
 ...props.functionProps,
@@ -142,6 +155,7 @@ export class Provider extends Construct {
 environment: {
 LOGGER: logger.toString(),
 NODE_OPTIONS: "--enable-source-maps",
+ ...ssl_options,
 },
 })
 return fn
diff --git a/test/handler.test.ts b/test/handler.test.ts
index 9514684..459cd2d 100644
--- a/test/handler.test.ts
+++ b/test/handler.test.ts
@@ -29,6 +29,7 @@ let pgHost: string
 let pgPort: number
 beforeEach(async () => {
+ process.env.SSL = "false"
 pgContainer = await new GenericContainer("postgres")
 .withExposedPorts(DB_PORT)
 .withEnv("POSTGRES_USER", DB_MASTER_USERNAME)
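Review bot: `JSON.parse(process.env.SSL)` on the added line accepts any JSON document and hands the result, typed `any`, straight to pg's `ssl` option, so an unexpected value such as `SSL=0`, `SSL=null` or `SSL={}` silently changes the TLS mode and a non-JSON value throws a SyntaxError before the connection is attempted. The provider side of this commit only ever writes the string `"false"`, so `const ssl = process.env.SSL !== "false"` covers the same inputs without parsing an environment string into `any`; the `ssl: ssl` line in the following hunk is unaffected by that change. With `ssl: true`, node-postgres verifies the server certificate against the runtime's default trust store, and whether the RDS CA bundle is available to this function is not visible here — if it is not, the new default fails verification rather than falling back, which is worth stating on the `ssl` option so users do not reach for `rejectUnauthorized: false`. `handler` starts and ends outside the hunk.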
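Review bot: `ssl_options` in the `@@ -124` hunk is snake_case in a file that otherwise uses camelCase (`logger`, `fn`), and the guard `props.ssl !== undefined && !props.ssl` is just `props.ssl === false`. The six added lines collapse to `const sslOptions = props.ssl === false ? { SSL: "false" } : undefined`, with the spread in the following `environment:` hunk renamed to match; `JSON.stringify(false)` only ever yields `"false"`, so behaviour is unchanged. The `Use SSL?` TSDoc in the interface hunk above would be more useful if it said what the flag controls, e.g. `Whether the handler connects to the database over TLS (sets the SSL environment variable on the function). Set to false to revert to the plaintext behaviour of versions below 4.` The constructor containing this block starts and ends outside the hunk.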
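Review bot: `process.env.SSL = "false"` is assigned in `beforeEach` and never restored, so it leaks into any later test in the same process that expects the default; pair it with `afterEach(() => { delete process.env.SSL })`, or set it once before the suite with the previous value saved. As written the integration suite only exercises the plaintext path, so the behaviour this breaking change introduces — the TLS handshake and certificate verification — has no coverage; a case that starts the container with SSL enabled, or at least asserts that an unset `SSL` produces `ssl: true` in the connection params, would catch a regression. `beforeEach` continues outside the hunk.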
diff --git a/test/serverlessv2-stack.ts b/test/serverlessv2-stack.ts
index a153c29..a14428c 100644
--- a/test/serverlessv2-stack.ts
+++ b/test/serverlessv2-stack.ts
@@ -1,4 +1,4 @@
-import { Aspects, Fn, RemovalPolicy, Stack, StackProps } from "aws-cdk-lib"
+import { Fn, RemovalPolicy, Stack, StackProps } from "aws-cdk-lib"
 import * as ec2 from "aws-cdk-lib/aws-ec2"
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs"
 import * as rds from "aws-cdk-lib/aws-rds"
@@ -7,8 +7,12 @@ import { Construct } from "constructs"
 import { Provider, Database, Role, Schema, Sql } from "./../src/index"
 import { Vpc } from "./vpc"
+export interface TestStackProps extends StackProps {
+ ssl?: boolean
+}
+
 export class TestStack extends Stack {
- constructor(scope: Construct, id: string, props: StackProps) {
+ constructor(scope: Construct, id: string, props: TestStackProps) {
 super(scope, id, props)
 const vpc = new Vpc(this, "Vpc")
@@ -24,24 +28,14 @@ export class TestStack extends Stack {
 publiclyAccessible: false,
 enablePerformanceInsights: false,
 }),
+ serverlessV2MinCapacity: 0.5,
+ serverlessV2MaxCapacity: 1,
 vpc: vpc.vpc,
 vpcSubnets: {
 subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
 },
 })
- Aspects.of(cluster).add({
- // <-- cluster is an instance of DatabaseCluster
- visit(node) {
- if (node instanceof rds.CfnDBCluster) {
- node.serverlessV2ScalingConfiguration = {
- minCapacity: 0.5,
- maxCapacity: 1,
- }
- }
- },
- })
-
 const provider = new Provider(this, "Provider", {
 vpc: vpc.vpc,
 cluster: cluster,
@@ -52,6 +46,7 @@ export class TestStack extends Stack {
 logGroupName: "/aws/lambda/provider",
 }),
 },
+ ssl: props.ssl,
 })
 Database.fromDatabaseName(this, "DefaultDatabase", "example")
diff --git a/test/stack.test.ts b/test/stack.test.ts
index 70a9015..01bef97 100644
--- a/test/stack.test.ts
+++ b/test/stack.test.ts
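Review bot: The new `TestStackProps.ssl` field in the `@@ -7` hunk has no doc comment, unlike the `RdsSqlProps.ssl` it feeds; a one-liner such as `/** Forwarded to the Provider's ssl option; leave undefined to exercise the default. */` makes explicit that `undefined` here means "test the default path", which is what the stack tests rely on. The replacement of the `Aspects` workaround with `serverlessV2MinCapacity`/`serverlessV2MaxCapacity` in the `@@ -24` hunk is unrelated to the ssl change and would be easier to bisect as its own commit. The constructor these hunks cut through starts and ends outside them.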
@@ -1,5 +1,5 @@
 import * as cdk from "aws-cdk-lib"
-import { Template } from "aws-cdk-lib/assertions"
+import { Match, Template } from "aws-cdk-lib/assertions"
 import * as ec2 from "aws-cdk-lib/aws-ec2"
 import * as rds from "aws-cdk-lib/aws-rds"
 import * as serverlessv1 from "./serverlessv1-stack"
@@ -103,6 +103,15 @@ test("serverless v2", () => {
 ],
 },
 })
+ template.hasResourceProperties("AWS::Lambda::Function", {
+ Runtime: "nodejs20.x",
+ Environment: {
+ Variables: {
+ LOGGER: "false",
+ SSL: Match.absent(),
+ },
+ },
+ })
 })
 test("absence of security group is detected", () => {
@@ -178,3 +187,24 @@ test("vpcSubnet selection can be specified", () => {
 })
 }).toThrowError()
 })
+
+test("ssl can be disabled", () => {
+ const app = new cdk.App()
+ const stack = new serverlessv2.TestStack(app, "TestStack", {
+ env: {
+ account: "123456789",
+ region: "us-east-1",
+ },
+ ssl: false,
+ })
+ const template = Template.fromStack(stack)
+ template.hasResourceProperties("AWS::Lambda::Function", {
+ Runtime: "nodejs20.x",
+ Environment: {
+ Variables: {
+ LOGGER: "false",
+ SSL: "false",
+ },
+ },
+ })
+})
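Review bot: The two new assertions pin the default (`SSL` absent) and `ssl: false` (`SSL: "false"`), but nothing asserts that an explicit `ssl: true` also leaves `SSL` absent, which is the branch where the provider's `props.ssl !== undefined && !props.ssl` guard could regress into emitting `"true"`; a third case mirroring `ssl can be disabled` with `ssl: true` and `SSL: Match.absent()` closes that gap. The `Runtime: "nodejs20.x"` expectation repeated in both matchers is incidental to the ssl behaviour and could be dropped from these objects so the tests do not break on an unrelated runtime bump.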