aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.65k stars 3.91k forks

Add users to DocumentDB via constructor [@aws-cdk/aws-docdb] #11600

Open IlyaEremin opened 3 years ago

IlyaEremin commented 3 years ago

Feature description

Ability to create DocumentDB users via DatabaseCluster constructor

Use Case

The main reason is separation of concerns. The master user has root access; it could be too dangerous for clients to use the root user. We would like to have a user with read/write rights only for database clients.

Proposed Solution

Add an additional parameter, users, to the DatabaseCluster constructor. Example of usage:

import { DatabaseCluster } from '@aws-cdk/aws-docdb';

new DatabaseCluster(this, 'Cluster Name', {
  masterUser: {
    username: 'super-power'
  },
  // each entry mirrors the mongo shell createUser document:
  // the user lives in `db` and is granted `roles` on other databases
  users: [{
    username: 'api',
    pwd: 'maga2020',
    db: 'admin',
    roles: [{ db: 'db-name', role: 'readWrite' }]
  }]
});

The parameter names and object structure are inspired by the mongo shell documentation; I don't have a strong preference regarding naming or structure.

This is a :rocket: Feature Request

gkech commented 1 year ago

Any news on this feature? Is it on the roadmap?

hauntingEcho commented 1 year ago

Creating users independently of the constructor could also be more useful, since consuming stacks could spin up their own service users. One way to do this currently is to write your own custom resource to manage users, but having direct support would be helpful.

Currently, setting up the alternating-user password rotation strategy becomes a bit of a mess, since we have to maintain our own custom resources to manage the service users.
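As an added illustration of the custom-resource approach mentioned above, applied to the `users` shape proposed in the issue (this is example code, not part of aws-cdk or the commenters' stacks): a planner that turns a CloudFormation custom-resource event into the MongoDB user-admin commands a handler would run. The password is passed in at runtime (assumed to come from a secret), the role allow-list and the `admin/api` physical-id format are assumptions of the example, and the function that actually executes the commands against the cluster is left to the handler.

```typescript
// Added example (not aws-cdk code): planning the MongoDB user-admin commands a
// CloudFormation custom resource would issue for the proposed `users` shape.
// The password is supplied at runtime (e.g. from a secret), never from the template.

type Role = { db: string; role: string };
type UserSpec = { username: string; db: string; roles: Role[] };
type Command = Record<string, unknown>;
type Operation = { db: string; cmd: Command };
type CfnEvent = {
  RequestType: 'Create' | 'Update' | 'Delete';
  ResourceProperties: UserSpec;
  OldResourceProperties?: UserSpec;
};
type Plan = { physicalId: string; ops: Operation[] };

// Roles a service user may be granted (assumed allow-list). root, userAdmin*
// and dbOwner are deliberately absent so this resource cannot mint another superuser.
const ALLOWED_ROLES = new Set(['read', 'readWrite']);

export function validateSpec(spec: UserSpec): void {
  if (!/^[A-Za-z0-9_.-]{1,64}$/.test(spec.username)) throw new Error(`bad username: ${spec.username}`);
  if (spec.roles.length === 0) throw new Error('a service user needs at least one role');
  for (const r of spec.roles) {
    if (!ALLOWED_ROLES.has(r.role)) throw new Error(`role ${r.role} not allowed for service users`);
  }
}

export function planOperations(event: CfnEvent, pwd: string): Plan {
  const spec = event.ResourceProperties;
  const physicalId = `${spec.db}/${spec.username}`;
  if (event.RequestType === 'Delete') {
    // No validation on delete so a mis-specified user can still be cleaned up.
    return { physicalId, ops: [{ db: spec.db, cmd: { dropUser: spec.username } }] };
  }
  validateSpec(spec);
  const old = event.OldResourceProperties;
  const renamed = event.RequestType === 'Update' && !!old && (old.username !== spec.username || old.db !== spec.db);
  if (event.RequestType === 'Create' || renamed) {
    // createUser runs against the user's authentication db; each role names its own db.
    // On a rename the physicalId changes, so CloudFormation later sends a Delete for the old user.
    return { physicalId, ops: [{ db: spec.db, cmd: { createUser: spec.username, pwd, roles: spec.roles } }] };
  }
  // Same principal, new password and/or roles: updateUser keeps the user in place.
  return { physicalId, ops: [{ db: spec.db, cmd: { updateUser: spec.username, pwd, roles: spec.roles } }] };
}
```

Running the returned operations against the cluster's admin connection (and rotating the secret on Update) is the part hauntingEcho describes as the custom-resource maintenance burden.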