@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/nlb.js

@@ -0,0 +1,276 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NlbConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
+const elbv2Targets = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2-targets"));
+const acm = __importStar(require("aws-cdk-lib/aws-certificatemanager"));
+/**
+ * NLB Construct - สร้าง NLB (internet-facing) + Security Group + Listeners
+ *
+ * Pattern: NLB (internet-facing) → ALB (internal)
+ * - NLB SG: allow inbound from internet
+ * - ALB SG: auto-add ingress from NLB SG (via CfnSecurityGroupIngress เพื่อหลีกเลี่ยง circular dependency)
+ * - Target Group: type ALB, forward traffic ไปที่ internal ALB
+ */
+class NlbConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct, albConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // A. Resolve VPC & Subnets
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // B. Create NLB Security Group
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // C. Create NLB
+        this.nlb = this.createNlb(config, vpc, subnets);
+        // D. Create Listeners + Target Groups (ALB as target)
+        this.createListeners(config, albConstruct);
+        // E. Add ingress rule to ALB SG from NLB SG
+        this.addAlbSgIngress(config, albConstruct);
+        // F. Apply Removal Policy
+        this.nlb.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // G. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'public';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const azs = [];
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `Subnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            publicSubnetIds: subnetIds,
+            publicSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const security = config.security ?? {};
+        const sg = new ec2.SecurityGroup(this, 'NlbSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName,
+            description: `Security group for ${config.nlbName} NLB (internet-facing)`,
+            allowAllOutbound: true,
+        });
+        // Allow from anywhere on listener ports (default: true)
+        const allowFromAnywhere = security.allowFromAnywhere ?? true;
+        if (allowFromAnywhere) {
+            config.listeners.forEach((listener) => {
+                sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(listener.port), `Allow inbound on port ${listener.port}`);
+            });
+        }
+        // Additional CIDRs
+        if (security.allowFromCidrs) {
+            security.allowFromCidrs.forEach((cidr, index) => {
+                sg.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.allTraffic(), `Allow from CIDR ${index + 1}: ${cidr}`);
+            });
+        }
+        return sg;
+    }
+    // ==========================================
+    // Create NLB
+    // ==========================================
+    createNlb(config, vpc, subnets) {
+        return new elbv2.NetworkLoadBalancer(this, 'NetworkLoadBalancer', {
+            vpc,
+            vpcSubnets: { subnets },
+            loadBalancerName: config.nlbName,
+            internetFacing: true,
+            securityGroups: [this.securityGroup],
+            crossZoneEnabled: config.crossZoneEnabled ?? true,
+            deletionProtection: config.deletionProtection ?? false,
+        });
+    }
+    // ==========================================
+    // Create Listeners + ALB Target Groups
+    // ==========================================
+    createListeners(config, albConstruct) {
+        const healthCheckConfig = config.healthCheck ?? {};
+        // Determine health check protocol
+        // Target type ALB รองรับเฉพาะ HTTP/HTTPS (ไม่รองรับ TCP)
+        let hcProtocol;
+        if (healthCheckConfig.protocol === 'HTTPS') {
+            hcProtocol = elbv2.Protocol.HTTPS;
+        }
+        else {
+            hcProtocol = elbv2.Protocol.HTTP; // default HTTP สำหรับ ALB target
+        }
+        config.listeners.forEach((listenerConfig, index) => {
+            const targetPort = listenerConfig.targetPort ?? listenerConfig.port;
+            // Listener protocol
+            const protocol = listenerConfig.protocol === 'TLS'
+                ? elbv2.Protocol.TLS
+                : elbv2.Protocol.TCP;
+            // Certificates for TLS
+            const certificates = listenerConfig.protocol === 'TLS' && listenerConfig.certificateArn
+                ? [acm.Certificate.fromCertificateArn(this, `Certificate-${index}`, listenerConfig.certificateArn)]
+                : undefined;
+            // Create listener
+            const listener = this.nlb.addListener(`Listener-${index}`, {
+                port: listenerConfig.port,
+                protocol,
+                certificates,
+            });
+            // เลือก ALB listener ที่ตรงกับ targetPort
+            // AlbListenerTarget สร้าง dependency ระหว่าง NLB target group → ALB listener อัตโนมัติ
+            const httpsPort = config.listeners.find(l => (l.targetPort ?? l.port) === 443) ? 443 : undefined;
+            const albListener = targetPort === 443 && albConstruct.httpsListener
+                ? albConstruct.httpsListener
+                : targetPort === 80 && albConstruct.httpListener
+                    ? albConstruct.httpListener
+                    : albConstruct.httpsListener ?? albConstruct.httpListener;
+            if (!albListener) {
+                throw new Error(`No ALB listener found for target port ${targetPort}. Ensure ALB has HTTP or HTTPS listener enabled.`);
+            }
+            // Target group ต้องใช้ TCP เสมอสำหรับ target type ALB
+            // (AWS ไม่รองรับ TLS protocol กับ ALB target type)
+            // Health check protocol ต้องตรงกับ ALB listener (HTTP/HTTPS)
+            const hcProto = targetPort === 443 ? elbv2.Protocol.HTTPS : hcProtocol;
+            listener.addTargets(`AlbTarget-${index}`, {
+                targets: [new elbv2Targets.AlbListenerTarget(albListener)],
+                port: targetPort,
+                protocol: elbv2.Protocol.TCP,
+                targetGroupName: listenerConfig.targetGroupName,
+                healthCheck: {
+                    enabled: true,
+                    protocol: hcProto,
+                    path: healthCheckConfig.path ?? '/',
+                    port: targetPort.toString(),
+                    interval: healthCheckConfig.interval
+                        ? cdk.Duration.seconds(healthCheckConfig.interval)
+                        : undefined,
+                    healthyThresholdCount: healthCheckConfig.healthyThresholdCount,
+                    unhealthyThresholdCount: healthCheckConfig.unhealthyThresholdCount,
+                    healthyHttpCodes: healthCheckConfig.healthyHttpCodes,
+                },
+            });
+        });
+    }
+    // ==========================================
+    // ALB SG Ingress from NLB SG
+    // ==========================================
+    /**
+     * เพิ่ม ingress rule ใน ALB SG ให้รับ traffic จาก NLB SG
+     * ใช้ CfnSecurityGroupIngress (L1) แทน sg.addIngressRule (L2)
+     * เพื่อหลีกเลี่ยง circular cross-stack dependency
+     *
+     * Resource นี้จะอยู่ใน NlbStack → reference AlbStack's SG ID ผ่าน Fn::ImportValue (one-way)
+     */
+    addAlbSgIngress(config, albConstruct) {
+        // Collect unique target ports
+        const targetPorts = new Set();
+        config.listeners.forEach((listener) => {
+            targetPorts.add(listener.targetPort ?? listener.port);
+        });
+        let index = 0;
+        targetPorts.forEach((port) => {
+            new ec2.CfnSecurityGroupIngress(this, `AlbSgIngress-${index}`, {
+                groupId: albConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: port,
+                toPort: port,
+                description: `Allow from NLB ${config.nlbName} on port ${port}`,
+            });
+            index++;
+        });
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'NlbArn', {
+            value: this.nlb.loadBalancerArn,
+            description: 'Network Load Balancer ARN',
+            exportName: `${prefix}-NLB-Arn`,
+        });
+        new cdk.CfnOutput(stack, 'NlbDnsName', {
+            value: this.nlb.loadBalancerDnsName,
+            description: 'NLB DNS Name',
+            exportName: `${prefix}-NLB-DnsName`,
+        });
+        new cdk.CfnOutput(stack, 'NlbSecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'NLB Security Group ID',
+            exportName: `${prefix}-NLB-SecurityGroup-Id`,
+        });
+        new cdk.CfnOutput(stack, 'NlbFullName', {
+            value: this.nlb.loadBalancerFullName,
+            description: 'NLB Full Name (for CloudWatch metrics)',
+            exportName: `${prefix}-NLB-FullName`,
+        });
+    }
+}
+exports.NlbConstruct = NlbConstruct;

package/dist/aws-cdk/constructs/rds.d.ts

@@ -0,0 +1,40 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as rds from 'aws-cdk-lib/aws-rds';
+import { RdsConfig } from '../interfaces/rds-config';
+import { VpcConstruct } from './vpc';
+export interface RdsConstructProps {
+    config: RdsConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+}
+/**
+ * RDS Construct - สร้าง RDS Database Instance
+ *
+ * Features:
+ * - Multi-AZ for high availability
+ * - Encryption at rest
+ * - Performance Insights & Enhanced Monitoring
+ * - Automated backups
+ */
+export declare class RdsConstruct extends Construct {
+    readonly instance: rds.DatabaseInstance;
+    readonly securityGroup: ec2.SecurityGroup;
+    readonly subnetGroup: rds.SubnetGroup;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: RdsConstructProps);
+    private getRemovalPolicy;
+    private resolveVpc;
+    private createSecurityGroup;
+    private createSubnetGroup;
+    private createParameterGroup;
+    private getDefaultParameterGroupFamily;
+    private getDatabaseEngine;
+    private createInstance;
+    private getStorageType;
+    private createOutputs;
+    /**
+     * Allow database access from a security group
+     */
+    allowDbFrom(sg: ec2.ISecurityGroup, port?: number, description?: string): void;
+}

package/dist/aws-cdk/constructs/rds.js

@@ -0,0 +1,320 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RdsConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const rds = __importStar(require("aws-cdk-lib/aws-rds"));
+const secretsmanager = __importStar(require("aws-cdk-lib/aws-secretsmanager"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+/**
+ * RDS Construct - สร้าง RDS Database Instance
+ *
+ * Features:
+ * - Multi-AZ for high availability
+ * - Encryption at rest
+ * - Performance Insights & Enhanced Monitoring
+ * - Automated backups
+ */
+class RdsConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct } = props;
+        this.removalPolicy = this.getRemovalPolicy(config.removalPolicy);
+        // A. Resolve VPC & Subnets
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // B. Create Security Group
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // C. Create Subnet Group
+        this.subnetGroup = this.createSubnetGroup(config, subnets);
+        // D. Create Parameter Group (optional)
+        const parameterGroup = this.createParameterGroup(config);
+        // E. Create RDS Instance
+        this.instance = this.createInstance(config, vpc, parameterGroup);
+        // F. Apply Removal Policy
+        this.instance.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // G. Outputs
+        this.createOutputs(config);
+    }
+    getRemovalPolicy(policy) {
+        switch (policy) {
+            case 'destroy':
+                return aws_cdk_lib_1.RemovalPolicy.DESTROY;
+            case 'snapshot':
+                return aws_cdk_lib_1.RemovalPolicy.SNAPSHOT;
+            default:
+                return aws_cdk_lib_1.RemovalPolicy.RETAIN;
+        }
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'db';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const azs = [];
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `Subnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            isolatedSubnetIds: subnetIds,
+            isolatedSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const sg = new ec2.SecurityGroup(this, 'RdsSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName,
+            description: `Security group for ${config.instanceIdentifier} RDS`,
+            allowAllOutbound: true, // Allow response traffic back to clients (ECS, Bastion)
+        });
+        // Ingress rules will be added by ECS service construct
+        return sg;
+    }
+    // ==========================================
+    // Subnet Group
+    // ==========================================
+    createSubnetGroup(config, subnets) {
+        return new rds.SubnetGroup(this, 'SubnetGroup', {
+            description: `Subnet group for ${config.instanceIdentifier} RDS`,
+            vpc: ec2.Vpc.fromVpcAttributes(this, 'SubnetGroupVpc', {
+                vpcId: cdk.Fn.importValue(`${config.source.vpcStackName}-VpcId`),
+                availabilityZones: cdk.Stack.of(this).availabilityZones,
+            }),
+            vpcSubnets: { subnets },
+            subnetGroupName: `${config.instanceIdentifier}-subnet-group`,
+        });
+    }
+    // ==========================================
+    // Parameter Group
+    // ==========================================
+    createParameterGroup(config) {
+        if (!config.parameters || Object.keys(config.parameters).length === 0) {
+            return undefined;
+        }
+        const family = config.parameterGroupFamily ?? this.getDefaultParameterGroupFamily(config);
+        return new rds.ParameterGroup(this, 'ParameterGroup', {
+            engine: this.getDatabaseEngine(config),
+            description: `Parameter group for ${config.instanceIdentifier}`,
+            parameters: config.parameters,
+        });
+    }
+    getDefaultParameterGroupFamily(config) {
+        const version = config.engineVersion.split('.')[0];
+        switch (config.engine) {
+            case 'mariadb':
+                return `mariadb${config.engineVersion}`;
+            case 'mysql':
+                return `mysql${version}.0`;
+            case 'postgres':
+                return `postgres${version}`;
+            default:
+                return `mariadb${config.engineVersion}`;
+        }
+    }
+    getDatabaseEngine(config) {
+        switch (config.engine) {
+            case 'mysql':
+                return rds.DatabaseInstanceEngine.mysql({
+                    version: rds.MysqlEngineVersion.of(config.engineVersion, config.engineVersion),
+                });
+            case 'postgres':
+                return rds.DatabaseInstanceEngine.postgres({
+                    version: rds.PostgresEngineVersion.of(config.engineVersion, config.engineVersion),
+                });
+            case 'mariadb':
+            default:
+                return rds.DatabaseInstanceEngine.mariaDb({
+                    version: rds.MariaDbEngineVersion.of(config.engineVersion, config.engineVersion),
+                });
+        }
+    }
+    // ==========================================
+    // RDS Instance
+    // ==========================================
+    createInstance(config, vpc, parameterGroup) {
+        const port = config.port ?? (config.engine === 'postgres' ? 5432 : 3306);
+        // Get credentials
+        let credentials;
+        if (config.masterPasswordSecretArn) {
+            const secret = secretsmanager.Secret.fromSecretCompleteArn(this, 'MasterPasswordSecret', config.masterPasswordSecretArn);
+            credentials = rds.Credentials.fromSecret(secret, config.masterUsername);
+        }
+        else if (config.masterPassword) {
+            credentials = rds.Credentials.fromPassword(config.masterUsername, cdk.SecretValue.unsafePlainText(config.masterPassword));
+        }
+        else {
+            // Generate new secret
+            credentials = rds.Credentials.fromGeneratedSecret(config.masterUsername, {
+                secretName: `${config.instanceIdentifier}/master-credentials`,
+            });
+        }
+        // Determine instance class
+        const instanceClass = config.instanceClass ?? 'db.t3.medium';
+        const [instanceFamily, instanceSize] = instanceClass.replace('db.', '').split('.');
+        const instanceType = ec2.InstanceType.of(instanceFamily, instanceSize);
+        // Monitoring role for Enhanced Monitoring
+        let monitoringRole;
+        if (config.enhancedMonitoringEnabled ?? true) {
+            monitoringRole = new iam.Role(this, 'MonitoringRole', {
+                assumedBy: new iam.ServicePrincipal('monitoring.rds.amazonaws.com'),
+                managedPolicies: [
+                    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole'),
+                ],
+            });
+        }
+        const instance = new rds.DatabaseInstance(this, 'Instance', {
+            engine: this.getDatabaseEngine(config),
+            instanceType,
+            vpc,
+            vpcSubnets: { subnets: this.subnetGroup.node.tryFindChild('SubnetGroup') },
+            subnetGroup: this.subnetGroup,
+            securityGroups: [this.securityGroup],
+            credentials,
+            databaseName: config.databaseName,
+            instanceIdentifier: config.instanceIdentifier,
+            port,
+            allocatedStorage: config.allocatedStorage ?? 20,
+            maxAllocatedStorage: config.maxAllocatedStorage,
+            storageType: this.getStorageType(config.storageType),
+            iops: config.iops,
+            storageThroughput: config.storageThroughput,
+            storageEncrypted: config.storageEncrypted ?? true,
+            multiAz: config.multiAz ?? true,
+            publiclyAccessible: config.publiclyAccessible ?? false,
+            deletionProtection: config.deletionProtection ?? true,
+            backupRetention: cdk.Duration.days(config.backupRetentionPeriod ?? 7),
+            preferredBackupWindow: config.preferredBackupWindow ?? '03:00-04:00',
+            preferredMaintenanceWindow: config.preferredMaintenanceWindow ?? 'sun:04:00-sun:05:00',
+            enablePerformanceInsights: config.performanceInsightsEnabled ?? true,
+            performanceInsightRetention: (config.performanceInsightsEnabled ?? true)
+                ? rds.PerformanceInsightRetention.DEFAULT
+                : undefined,
+            monitoringInterval: (config.enhancedMonitoringEnabled ?? true)
+                ? cdk.Duration.seconds(config.monitoringInterval ?? 60)
+                : undefined,
+            monitoringRole: (config.enhancedMonitoringEnabled ?? true) ? monitoringRole : undefined,
+            autoMinorVersionUpgrade: config.autoMinorVersionUpgrade ?? true,
+            parameterGroup,
+        });
+        return instance;
+    }
+    getStorageType(type) {
+        switch (type) {
+            case 'gp2':
+                return rds.StorageType.GP2;
+            case 'io1':
+                return rds.StorageType.IO1;
+            case 'io2':
+                return rds.StorageType.IO2;
+            case 'gp3':
+            default:
+                return rds.StorageType.GP3;
+        }
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        new cdk.CfnOutput(this, 'InstanceIdentifier', {
+            value: this.instance.instanceIdentifier,
+            description: 'RDS Instance Identifier',
+            exportName: `${config.stackName}-InstanceIdentifier`,
+        });
+        new cdk.CfnOutput(this, 'Endpoint', {
+            value: this.instance.dbInstanceEndpointAddress,
+            description: 'RDS Endpoint Address',
+            exportName: `${config.stackName}-Endpoint`,
+        });
+        new cdk.CfnOutput(this, 'Port', {
+            value: this.instance.dbInstanceEndpointPort,
+            description: 'RDS Port',
+            exportName: `${config.stackName}-Port`,
+        });
+        new cdk.CfnOutput(this, 'SecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'RDS Security Group ID',
+            exportName: `${config.stackName}-RdsSecurityGroupId`,
+        });
+        if (this.instance.secret) {
+            new cdk.CfnOutput(this, 'SecretArn', {
+                value: this.instance.secret.secretArn,
+                description: 'RDS Credentials Secret ARN',
+                exportName: `${config.stackName}-SecretArn`,
+            });
+        }
+    }
+    // ==========================================
+    // Public Methods
+    // ==========================================
+    /**
+     * Allow database access from a security group
+     */
+    allowDbFrom(sg, port, description) {
+        const dbPort = port ?? this.instance.dbInstanceEndpointPort ?? 3306;
+        this.securityGroup.addIngressRule(ec2.Peer.securityGroupId(sg.securityGroupId), ec2.Port.tcp(dbPort), description ?? 'Allow database access from specified security group');
+    }
+}
+exports.RdsConstruct = RdsConstruct;