feat: support custom SSL certificates in SQL data sources (#1696)

aws-amplify · Jul 3, 2024 · f5eeb67 · f5eeb67
1 parent 90ac407
commit f5eeb67
Show file tree

Hide file tree

Showing 7 changed files with 384 additions and 245 deletions.
diff --git a/.changeset/perfect-coins-tease.md b/.changeset/perfect-coins-tease.md
@@ -0,0 +1,6 @@
+---
+'@aws-amplify/backend-data': minor
+'@aws-amplify/schema-generator': minor
+---
+
+support custom SSL certificates in SQL data sources
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -4,7 +4,7 @@
   "description": "",
   "type": "module",
   "scripts": {
-    "build": "tsc --build packages/* && tsc --build scripts",
+    "build": "tsc --build packages/* scripts",
     "check:api": "npm run update:api && tsx scripts/check_api_extract.ts",
     "check:dependencies": "tsx scripts/check_dependencies.ts",
     "check:package-lock": "tsx scripts/check_package_lock.ts",

diff --git a/packages/backend-data/package.json b/packages/backend-data/package.json
@@ -29,8 +29,8 @@
   "dependencies": {
     "@aws-amplify/backend-output-storage": "^1.0.2",
     "@aws-amplify/backend-output-schemas": "^1.1.0",
-    "@aws-amplify/data-construct": "^1.8.0",
+    "@aws-amplify/data-construct": "^1.9.1",
     "@aws-amplify/plugin-types": "^1.0.1",
-    "@aws-amplify/data-schema-types": "^1.0.0"
+    "@aws-amplify/data-schema-types": "^1.1.1"
   }
 }
diff --git a/packages/backend-data/src/convert_schema.test.ts b/packages/backend-data/src/convert_schema.test.ts
@@ -394,4 +394,124 @@ void describe('convertSchemaToCDK', () => {
       }
     );
   });
+
+  void it('produces expected definition for MySQL schema with custom SSL cert', () => {
+    const schema = configure({
+      database: {
+        engine: 'mysql',
+        connectionUri: new TestBackendSecret('SQL_CONNECTION_STRING'),
+        sslCert: new TestBackendSecret('CUSTOM_SSL_CERT'),
+      },
+    }).schema({
+      post: a
+        .model({
+          id: a.integer().required(),
+          title: a.string(),
+        })
+        .identifier(['id'])
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const modified = schema.addQueries({
+      oddList: a
+        .query()
+        .handler(a.handler.inlineSql('SELECT * from post where id % 2 = 1;'))
+        .returns(a.ref('post'))
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const convertedDefinition = convertSchemaToCDK(
+      modified,
+      secretResolver,
+      stableBackendIdentifiers
+    );
+
+    assert.equal(
+      Object.values(convertedDefinition.dataSourceStrategies).length,
+      1
+    );
+    assert.deepEqual(
+      Object.values(convertedDefinition.dataSourceStrategies)[0],
+      {
+        customSqlStatements: {},
+        /* eslint-disable spellcheck/spell-checker */
+        dbConnectionConfig: {
+          connectionUriSsmPath: [
+            '/amplify/testBackendId/testBranchName-branch-e482a1c36f/SQL_CONNECTION_STRING',
+            '/amplify/shared/testBackendId/SQL_CONNECTION_STRING',
+          ],
+          sslCertConfig: {
+            ssmPath: [
+              '/amplify/testBackendId/testBranchName-branch-e482a1c36f/CUSTOM_SSL_CERT',
+              '/amplify/shared/testBackendId/CUSTOM_SSL_CERT',
+            ],
+          },
+        },
+        dbType: 'MYSQL',
+        name: '00034dcf3444861c3ca5mysql',
+        vpcConfiguration: undefined,
+        /* eslint-enable spellcheck/spell-checker */
+      }
+    );
+  });
+
+  void it('produces expected definition for Postgresql schema with custom SSL cert', () => {
+    const schema = configure({
+      database: {
+        engine: 'postgresql',
+        connectionUri: new TestBackendSecret('SQL_CONNECTION_STRING'),
+        sslCert: new TestBackendSecret('CUSTOM_SSL_CERT'),
+      },
+    }).schema({
+      post: a
+        .model({
+          id: a.integer().required(),
+          title: a.string(),
+        })
+        .identifier(['id'])
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const modified = schema.addQueries({
+      oddList: a
+        .query()
+        .handler(a.handler.inlineSql('SELECT * from post where id % 2 = 1;'))
+        .returns(a.ref('post'))
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const convertedDefinition = convertSchemaToCDK(
+      modified,
+      secretResolver,
+      stableBackendIdentifiers
+    );
+
+    assert.equal(
+      Object.values(convertedDefinition.dataSourceStrategies).length,
+      1
+    );
+    assert.deepEqual(
+      Object.values(convertedDefinition.dataSourceStrategies)[0],
+      {
+        customSqlStatements: {},
+        /* eslint-disable spellcheck/spell-checker */
+        dbConnectionConfig: {
+          connectionUriSsmPath: [
+            '/amplify/testBackendId/testBranchName-branch-e482a1c36f/SQL_CONNECTION_STRING',
+            '/amplify/shared/testBackendId/SQL_CONNECTION_STRING',
+          ],
+          sslCertConfig: {
+            ssmPath: [
+              '/amplify/testBackendId/testBranchName-branch-e482a1c36f/CUSTOM_SSL_CERT',
+              '/amplify/shared/testBackendId/CUSTOM_SSL_CERT',
+            ],
+          },
+        },
+        dbType: 'POSTGRES',
+        name: '00034dcf3444861c3ca5postgresql',
+        vpcConfiguration: undefined,
+        /* eslint-enable spellcheck/spell-checker */
+      }
+    );
+  });
 });
diff --git a/packages/backend-data/src/convert_schema.ts b/packages/backend-data/src/convert_schema.ts
@@ -8,6 +8,7 @@ import {
   AmplifyDataDefinition,
   type IAmplifyDataDefinition,
   type ModelDataSourceStrategy,
+  type SslCertSsmPathConfig,
   type VpcConfig,
 } from '@aws-amplify/data-construct';
 import type { DataSchema, DataSchemaInput } from './types.js';
@@ -174,17 +175,29 @@ const convertDatabaseConfigurationToDataSourceStrategy = (
 
   const { branchSecretPath, sharedSecretPath } =
     backendSecretResolver.resolvePath(configuration.connectionUri);
-  return {
+
+  let sslCertConfig: SslCertSsmPathConfig | undefined;
+  if (configuration.sslCert) {
+    const { branchSecretPath, sharedSecretPath } =
+      backendSecretResolver.resolvePath(configuration.sslCert);
+    sslCertConfig = {
+      ssmPath: [branchSecretPath, sharedSecretPath],
+    };
+  }
+  const strategy: ModelDataSourceStrategy = {
     dbType,
     name:
       provisionStrategyName +
       (configuration.identifier ?? configuration.engine),
     dbConnectionConfig: {
       connectionUriSsmPath: [branchSecretPath, sharedSecretPath],
+      ...(sslCertConfig ? { sslCertConfig } : undefined),
     },
     vpcConfiguration,
     customSqlStatements,
   };
+
+  return strategy;
 };
 
 /**

diff --git a/packages/schema-generator/package.json b/packages/schema-generator/package.json
@@ -17,7 +17,7 @@
     "update:api": "api-extractor run --local"
   },
   "dependencies": {
-    "@aws-amplify/graphql-schema-generator": "^0.9.0",
+    "@aws-amplify/graphql-schema-generator": "^0.9.2",
     "@aws-amplify/platform-core": "^1.0.0"
   },
   "license": "Apache-2.0"