@digitraffic/common 2025.9.22-1 → 2025.9.24-2

package/dist/aws/infra/stacks/db-stack.d.ts

@@ -1,11 +1,13 @@
 import { type InstanceType, type ISecurityGroup, type IVpc } from "aws-cdk-lib/aws-ec2";
 import { type AuroraPostgresEngineVersion, DatabaseCluster, type DatabaseClusterProps, type IParameterGroup } from "aws-cdk-lib/aws-rds";
+import { Key } from "aws-cdk-lib/aws-kms";
 import { Stack } from "aws-cdk-lib/core";
 import type { Construct } from "constructs/lib/construct.js";
 import type { InfraStackConfiguration } from "./intra-stack-configuration.js";
 export interface DbConfiguration {
     readonly cluster?: ClusterConfiguration;
     readonly clusterImport?: ClusterImportConfiguration;
+    readonly storageEncrypted?: boolean;
     readonly customParameterGroups: AuroraPostgresEngineVersion[];
     readonly workmem?: number;
     /** superuser username and password are fetched from this secret, using keys
@@ -23,7 +25,6 @@ export interface ClusterConfiguration {
     readonly securityGroupId: string;
     readonly snapshotIdentifier?: string;
     readonly dbVersion: AuroraPostgresEngineVersion;
-    readonly storageEncrypted?: boolean;
     readonly writer: ClusterDbInstanceConfiguration;
     readonly readers: ClusterDbInstanceConfiguration[];
 }
@@ -57,6 +58,7 @@ export declare class DbStack extends Stack {
     clusterIdentifier: string;
     constructor(scope: Construct, id: string, isc: InfraStackConfiguration, configuration: DbConfiguration);
     createParameterGroups(customVersions: AuroraPostgresEngineVersion[], workmem: number): IParameterGroup[];
-    createClusterParameters(secretArn: string, clusterConfiguration: ClusterConfiguration, instanceName: string, vpc: IVpc, securityGroup: ISecurityGroup, parameterGroup: IParameterGroup): DatabaseClusterProps;
-    createAuroraCluster(isc: InfraStackConfiguration, configuration: DbConfiguration, clusterConfiguration: ClusterConfiguration, parameterGroups: IParameterGroup[]): DatabaseCluster;
+    createClusterParameters(secretArn: string, clusterConfiguration: ClusterConfiguration, instanceName: string, vpc: IVpc, securityGroup: ISecurityGroup, parameterGroup: IParameterGroup, storageEncrypted: boolean | undefined, rdsKey: Key | undefined): DatabaseClusterProps;
+    createRDSKey(instanceName: string, environmentName: string): Key;
+    createAuroraCluster(isc: InfraStackConfiguration, configuration: DbConfiguration, clusterConfiguration: ClusterConfiguration, parameterGroups: IParameterGroup[], instanceName: string, rdsKey: Key | undefined): DatabaseCluster;
 }

package/dist/aws/infra/stacks/db-stack.js

@@ -1,6 +1,7 @@
 import { SecurityGroup, SubnetType, } from "aws-cdk-lib/aws-ec2";
 import { CfnDBInstance, ClusterInstance, Credentials, DatabaseCluster, DatabaseClusterEngine, DatabaseClusterFromSnapshot, InstanceUpdateBehaviour, ParameterGroup, } from "aws-cdk-lib/aws-rds";
 import { Secret } from "aws-cdk-lib/aws-secretsmanager";
+import { Key } from "aws-cdk-lib/aws-kms";
 import { Duration, RemovalPolicy, Stack } from "aws-cdk-lib/core";
 import { exportValue, importVpc } from "../import-util.js";
 import { createParameter } from "../stack/parameters.js";
@@ -50,9 +51,13 @@ export class DbStack extends Stack {
             (!configuration.cluster && !configuration.clusterImport)) {
             throw new Error("Configure either cluster or clusterImport");
         }
+        const instanceName = isc.environmentName + "-db";
+        const rdsKey = configuration?.storageEncrypted
+            ? this.createRDSKey(instanceName, isc.environmentName)
+            : undefined;
         // create cluster if this is wanted, should do it only once
         if (configuration.cluster) {
-            const cluster = this.createAuroraCluster(isc, configuration, configuration.cluster, parameterGroups);
+            const cluster = this.createAuroraCluster(isc, configuration, configuration.cluster, parameterGroups, instanceName, rdsKey);
             exportValue(this, isc.environmentName, DbStack.CLUSTER_IDENTIFIER_EXPORT_NAME, cluster.clusterIdentifier);
             exportValue(this, isc.environmentName, DbStack.CLUSTER_WRITE_ENDPOINT_EXPORT_NAME, cluster.clusterEndpoint.hostname);
             exportValue(this, isc.environmentName, DbStack.CLUSTER_READ_ENDPOINT_EXPORT_NAME, cluster.clusterReadEndpoint.hostname);
@@ -86,7 +91,7 @@ export class DbStack extends Stack {
             return pg;
         });
     }
-    createClusterParameters(secretArn, clusterConfiguration, instanceName, vpc, securityGroup, parameterGroup) {
+    createClusterParameters(secretArn, clusterConfiguration, instanceName, vpc, securityGroup, parameterGroup, storageEncrypted, rdsKey) {
         const secret = Secret.fromSecretCompleteArn(this, "DBSecret", secretArn);
         const defaultDbInstanceProps = {
             autoMinorVersionUpgrade: true,
@@ -133,11 +138,20 @@ export class DbStack extends Stack {
             credentials: Credentials.fromPassword(secret.secretValueFromJson("db.superuser").unsafeUnwrap(), secret.secretValueFromJson("db.superuser.password")),
             parameterGroup,
             monitoringInterval: Duration.seconds(30),
-            storageEncrypted: clusterConfiguration.storageEncrypted ?? true,
+            storageEncrypted: storageEncrypted ?? true,
+            ...(rdsKey ? { storageEncryptionKey: rdsKey } : {}),
         };
     }
-    createAuroraCluster(isc, configuration, clusterConfiguration, parameterGroups) {
-        const instanceName = isc.environmentName + "-db";
+    createRDSKey(instanceName, environmentName) {
+        return new Key(this, "RDSKey", {
+            alias: `${environmentName}/db`,
+            enableKeyRotation: true,
+            description: `KMS key for RDS cluster ${instanceName}`,
+            removalPolicy: RemovalPolicy.RETAIN,
+            pendingWindow: Duration.days(30),
+        });
+    }
+    createAuroraCluster(isc, configuration, clusterConfiguration, parameterGroups, instanceName, rdsKey) {
         const securityGroup = SecurityGroup.fromSecurityGroupId(this, "securitygroup", clusterConfiguration.securityGroupId);
         const vpc = configuration.vpc
             ? configuration.vpc
@@ -145,16 +159,19 @@ export class DbStack extends Stack {
         if (parameterGroups[0] === undefined) {
             throw Error("ParameterGroups should not be empty");
         }
-        const parameters = this.createClusterParameters(configuration.secretArn, clusterConfiguration, instanceName, vpc, securityGroup, parameterGroups[0]);
-        // create cluster from the snapshot or from the scratch
-        const cluster = clusterConfiguration.snapshotIdentifier
-            ? new DatabaseClusterFromSnapshot(this, instanceName, {
+        const parameters = this.createClusterParameters(configuration.secretArn, clusterConfiguration, instanceName, vpc, securityGroup, parameterGroups[0], configuration.storageEncrypted, rdsKey);
+        let cluster;
+        if (clusterConfiguration.snapshotIdentifier) {
+            cluster = new DatabaseClusterFromSnapshot(this, instanceName, {
                 ...parameters,
                 ...{
                     snapshotIdentifier: clusterConfiguration.snapshotIdentifier,
                 },
-            })
-            : new DatabaseCluster(this, instanceName, parameters);
+            });
+        }
+        else {
+            cluster = new DatabaseCluster(this, instanceName, parameters);
+        }
         // this workaround should prevent stack failing on version upgrade
         // https://github.com/aws/aws-cdk/issues/21758
         // https://github.com/aws/aws-cdk/pull/22185

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitraffic/common",
-  "version": "2025.9.22-1",
+  "version": "2025.9.24-2",
   "description": "",
   "type": "module",
   "repository": {
@@ -127,19 +127,19 @@
     "zod": "^3.25.76"
   },
   "devDependencies": {
-    "@aws-sdk/client-api-gateway": "^3.887.0",
-    "@aws-sdk/client-s3": "^3.887.0",
-    "@aws-sdk/client-secrets-manager": "^3.887.0",
-    "@aws-sdk/client-sns": "^3.887.0",
-    "@aws-sdk/lib-storage": "^3.887.0",
+    "@aws-sdk/client-api-gateway": "^3.895.0",
+    "@aws-sdk/client-s3": "^3.895.0",
+    "@aws-sdk/client-secrets-manager": "^3.895.0",
+    "@aws-sdk/client-sns": "^3.895.0",
+    "@aws-sdk/lib-storage": "^3.895.0",
     "@date-fns/tz": "^1.4.1",
     "@digitraffic/eslint-config": "^3.2.5",
     "@jest/globals": "^30.1.2",
     "@rushstack/eslint-config": "^4.4.0",
-    "@rushstack/heft": "^0.74.4",
-    "@rushstack/heft-jest-plugin": "^0.16.13",
-    "@rushstack/heft-lint-plugin": "^0.7.5",
-    "@rushstack/heft-typescript-plugin": "^0.9.13",
+    "@rushstack/heft": "^0.74.5",
+    "@rushstack/heft-jest-plugin": "^0.16.14",
+    "@rushstack/heft-lint-plugin": "^0.7.6",
+    "@rushstack/heft-typescript-plugin": "^0.9.14",
     "@smithy/fetch-http-handler": "^5.2.1",
     "@smithy/types": "^4.5.0",
     "@types/aws-lambda": "8.10.152",
@@ -150,9 +150,9 @@
     "@types/lodash-es": "4.17.12",
     "@types/madge": "5.0.3",
     "@types/node": "22.18.1",
-    "@typescript-eslint/eslint-plugin": "^8.43.0",
-    "@typescript-eslint/parser": "^8.43.0",
-    "aws-cdk-lib": "^2.214.0",
+    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/parser": "^8.44.1",
+    "aws-cdk-lib": "^2.216.0",
     "aws-sdk": "^2.1692.0",
     "change-case": "^5.4.4",
     "constructs": "^10.4.2",
@@ -165,7 +165,7 @@
     "jest": "^30.1.3",
     "jest-junit": "^16.0.0",
     "ky": "^1.10.0",
-    "lefthook": "^1.13.0",
+    "lefthook": "^1.13.4",
     "lodash": "^4.17.21",
     "lodash-es": "^4.17.21",
     "madge": "^8.0.0",
@@ -173,10 +173,10 @@
     "pg-promise": "^12.1.3",
     "pg-query-stream": "^4.10.3",
     "rimraf": "^6.0.1",
-    "ts-jest": "^29.4.1",
+    "ts-jest": "^29.4.4",
     "typescript": "^5.9.2",
     "velocityjs": "^2.1.5",
-    "zod": "^4.1.8"
+    "zod": "^4.1.11"
   },
   "scripts": {
     "build": "heft build --clean",