@fjall/components-infrastructure 0.96.0 → 0.99.1

package/dist/lib/resources/aws/database/rdsAurora.js

@@ -19,10 +19,12 @@ export class RdsAurora extends Construct {
     databaseProxy;
     databaseCredentials;
     cfnCluster;
+    databaseNameValue;
     constructor(scope, id, props) {
         super(scope, id);
         this.constructId = id;
         this.port = props.port ?? RDS_DEFAULTS.DEFAULT_PORT;
+        this.databaseNameValue = props.databaseName ?? id;
         // PostgreSQL fallback for direct usage - ensure engine and engineConfig match
         this.engineConfig = props.engineConfig ?? DEFAULT_POSTGRES_ENGINE_CONFIG;
         const { piEnabled, piConfig } = resolveDatabaseInsights(props.databaseInsights);
@@ -32,13 +34,13 @@ export class RdsAurora extends Construct {
             : (props.credentials?.username ?? this.engineConfig.defaultUsername);
         // Global secondary clusters import replicated secret instead of creating new
         if (props.isGlobalSecondary) {
-            this.databaseCredentials = new Secret(this, `${props.databaseName}Credentials`, {
+            this.databaseCredentials = new Secret(this, `${this.databaseNameValue}Credentials`, {
                 secretName: ResourceNaming.credentialsSecretName(id),
                 importExisting: true
             });
         }
         else {
-            this.databaseCredentials = new Secret(this, `${props.databaseName}Credentials`, {
+            this.databaseCredentials = new Secret(this, `${this.databaseNameValue}Credentials`, {
                 secretName: ResourceNaming.credentialsSecretName(id),
                 generateSecretString: {
                     secretStringTemplate: JSON.stringify({ username }),
@@ -49,11 +51,11 @@ export class RdsAurora extends Construct {
                 replicaRegions: props.secretReplicaRegions
             });
         }
-        const storageEncryptionKey = resolveStorageEncryptionKey(this, props.databaseName, props.encryption?.storageKey);
-        const performanceInsightsKey = resolvePerformanceInsightsKey(this, props.databaseName, piEnabled, piConfig?.encryptionKey);
+        const storageEncryptionKey = resolveStorageEncryptionKey(this, this.databaseNameValue, props.encryption?.storageKey);
+        const performanceInsightsKey = resolvePerformanceInsightsKey(this, this.databaseNameValue, piEnabled, piConfig?.encryptionKey);
         const clusterSecurityGroup = new SecurityGroup(this, `${id}SecurityGroup`, {
             vpc: props.vpc,
-            description: `Security group for Aurora cluster ${props.databaseName}`
+            description: `Security group for Aurora cluster ${this.databaseNameValue}`
         });
         clusterSecurityGroup.addIngressRule(clusterSecurityGroup, Port.tcp(this.port));
         // Allow VPC-wide access when enabled (avoids cross-stack cyclic dependencies)
@@ -73,8 +75,7 @@ export class RdsAurora extends Construct {
         const writerSuffix = writerConfig.identifierSuffix;
         const diMode = piConfig?.mode ?? "standard";
         const performanceInsightsRetention = getDatabaseInsightsRetention(diMode);
-        const databaseName = props.databaseName || id;
-        const writer = ClusterInstance.serverlessV2(`${databaseName}Writer`, {
+        const writer = ClusterInstance.serverlessV2(`${this.databaseNameValue}Writer`, {
             enablePerformanceInsights: writerPI,
             performanceInsightEncryptionKey: writerPI
                 ? performanceInsightsKey
@@ -94,9 +95,9 @@ export class RdsAurora extends Construct {
             DatabaseClusterEngine.auroraPostgres({
                 version: AuroraPostgresEngineVersion.of("16.6", "16")
             });
-        const parameterGroup = new ParameterGroup(this, `${props.databaseName}ParameterGroup`, {
+        const parameterGroup = new ParameterGroup(this, `${this.databaseNameValue}ParameterGroup`, {
             engine,
-            description: `Parameter group for ${props.databaseName} with security defaults`,
+            description: `Parameter group for ${this.databaseNameValue} with security defaults`,
             parameters: this.engineConfig.sslParameters
         });
         // Use public subnets when publicly accessible, otherwise private
@@ -110,12 +111,14 @@ export class RdsAurora extends Construct {
             securityGroups: [clusterSecurityGroup],
             engine,
             parameterGroup,
-            backup: { retention: Duration.days(props.backupRetention ?? 14) },
+            backup: {
+                retention: Duration.days(props.backupRetention ?? RDS_DEFAULTS.BACKUP_RETENTION_DEFAULT_DAYS)
+            },
             storageEncrypted: true,
             ...(storageEncryptionKey && { storageEncryptionKey }),
             clusterIdentifier: props.clusterIdentifier?.toLowerCase() || ResourceNaming.clusterId(id),
-            monitoringInterval: props.monitoringInterval || RDS_DEFAULTS.MONITORING_INTERVAL,
-            preferredMaintenanceWindow: props.preferredMaintenanceWindow ||
+            monitoringInterval: props.monitoringInterval ?? RDS_DEFAULTS.MONITORING_INTERVAL,
+            preferredMaintenanceWindow: props.preferredMaintenanceWindow ??
                 RDS_DEFAULTS.PREFERRED_MAINTENANCE_WINDOW,
             port: this.port,
             removalPolicy: RemovalPolicy.SNAPSHOT,
@@ -132,26 +135,21 @@ export class RdsAurora extends Construct {
                 defaultDatabaseName: (props.databaseName || id.replace("Rds", "")).replace(/[^a-zA-Z0-9_]/g, "")
             };
         if (props.snapshotIdentifier) {
-            // Create from snapshot - credentials need SnapshotCredentials type
-            const snapshotCredentials = props.isGlobalSecondary
-                ? {}
-                : {
-                    credentials: SnapshotCredentials.fromSecret(this.databaseCredentials.secret)
-                };
-            this.databaseCluster = new DatabaseClusterFromSnapshot(this, `${id}Database`, 
-            // Type assertion: CDK's SnapshotCredentials.username is string | undefined
-            // but DatabaseClusterFromSnapshotProps expects string. Works at runtime.
-            {
+            const snapshotProps = {
                 ...baseClusterProps,
-                ...snapshotCredentials,
+                snapshotCredentials: props.isGlobalSecondary
+                    ? undefined
+                    : SnapshotCredentials.fromSecret(this.databaseCredentials.secret),
                 snapshotIdentifier: props.snapshotIdentifier
-            });
+            };
+            this.databaseCluster = new DatabaseClusterFromSnapshot(this, `${id}Database`, snapshotProps);
         }
         else {
-            // Create new cluster
-            this.databaseCluster = new DatabaseCluster(this, `${id}Database`, 
-            // Type assertion: spread types don't preserve required property narrowing
-            { ...baseClusterProps, ...primaryClusterProps });
+            const clusterProps = {
+                ...baseClusterProps,
+                ...primaryClusterProps
+            };
+            this.databaseCluster = new DatabaseCluster(this, `${id}Database`, clusterProps);
         }
         this.cfnCluster = this.databaseCluster.node.defaultChild;
         // Global secondary clusters can't specify these properties
@@ -202,7 +200,7 @@ export class RdsAurora extends Construct {
             : defaultPIEnabled;
         return readerConfigs.map((config, index) => {
             const enablePI = config.enableDatabaseInsights ?? defaultPI;
-            return ClusterInstance.serverlessV2(`${props.databaseName}Reader${index + 1}`, {
+            return ClusterInstance.serverlessV2(`${this.databaseNameValue}Reader${index + 1}`, {
                 scaleWithWriter: config.scaleWithWriter ?? index === 0,
                 enablePerformanceInsights: enablePI,
                 performanceInsightEncryptionKey: enablePI ? piKey : undefined,
@@ -223,7 +221,7 @@ export class RdsAurora extends Construct {
         const vpcSubnets = proxyConfig.vpcSubnets ?? {
             subnetType: SubnetType.PRIVATE_WITH_EGRESS
         };
-        this.databaseProxy = new DatabaseProxy(this, `${props.databaseName}DatabaseProxy`, {
+        this.databaseProxy = new DatabaseProxy(this, `${this.databaseNameValue}DatabaseProxy`, {
             dbProxyName: ResourceNaming.proxyName(this.constructId),
             proxyTarget: ProxyTarget.fromCluster(this.databaseCluster),
             secrets: [this.databaseCredentials.secret],
@@ -237,12 +235,12 @@ export class RdsAurora extends Construct {
             maxConnectionsPercent: proxyConfig.maxConnections,
             maxIdleConnectionsPercent: proxyConfig.maxIdleConnections
         });
-        addProxyCfnOutput(this, this.constructId, props.databaseName, this.databaseProxy);
+        addProxyCfnOutput(this, this.constructId, this.databaseNameValue, this.databaseProxy);
     }
     addSecretRotation(props) {
         addMultiUserSecretRotation({
             scope: this,
-            databaseName: props.databaseName,
+            databaseName: this.databaseNameValue,
             constructId: this.constructId,
             engineConfig: this.engineConfig,
             credentialsConfig: props.credentials,
@@ -264,6 +262,18 @@ export class RdsAurora extends Construct {
     getCredentials() {
         return this.databaseCredentials;
     }
+    getClusterIdentifier() {
+        return this.databaseCluster.clusterIdentifier;
+    }
+    getSnapshotTarget() {
+        return { kind: "cluster", arn: this.databaseCluster.clusterArn };
+    }
+    getDatabaseName() {
+        return this.databaseNameValue;
+    }
+    getConnectionString() {
+        return `${this.engineConfig.family}://${this.getHostEndpoint()}:${this.getHostPort()}/${this.getDatabaseName()}`;
+    }
     getCfnCluster() {
         return this.cfnCluster;
     }

package/dist/lib/resources/aws/database/rdsAuroraGlobal.d.ts

@@ -2,8 +2,10 @@ import { type Duration } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { type IVpc, type Connections, type IConnectable } from "aws-cdk-lib/aws-ec2";
 import { type IClusterEngine } from "aws-cdk-lib/aws-rds";
+import { type ITopic } from "aws-cdk-lib/aws-sns";
 import { type Secret } from "../secrets/index.js";
-import { type EngineConfig, type ProxyConfig, type CredentialsConfig, type AuroraEncryptionConfig, type AuroraWriterConfig, type AuroraReadersConfig, type DatabaseInsightsConfig } from "../../../utils/databaseTypes.js";
+import { type RdsAlarmThresholds } from "../monitoring/index.js";
+import { type EngineConfig, type ProxyConfig, type CredentialsConfig, type AuroraEncryptionConfig, type AuroraWriterConfig, type AuroraReadersConfig, type DatabaseInsightsConfig, type SnapshotTarget } from "../../../utils/databaseTypes.js";
 interface RdsAuroraGlobalProps {
     vpc: IVpc;
     databaseName: string;
@@ -49,6 +51,12 @@ interface RdsAuroraGlobalProps {
     snapshotIdentifier?: string;
     /** Username from the snapshot (required when restoring from snapshot to reset password) */
     snapshotUsername?: string;
+    /** SNS topic for alarm notifications. Required for alarm creation. */
+    alertsTopic?: ITopic;
+    /** Alarm thresholds. false to disable, undefined for defaults, object to override. */
+    alarms?: RdsAlarmThresholds | false;
+    /** Application ID for alarm tagging. */
+    applicationId?: string;
 }
 export declare class RdsAuroraGlobal extends Construct implements IConnectable {
     connections: Connections;
@@ -62,12 +70,17 @@ export declare class RdsAuroraGlobal extends Construct implements IConnectable {
     constructor(scope: Construct, id: string, props: RdsAuroraGlobalProps);
     getGlobalClusterIdentifier(): string;
     getPrimaryClusterIdentifier(): string;
-    private getGlobalClusterEngineString;
     private addGlobalCluster;
     private addAuroraCluster;
     private addOutputs;
     getCredentials(): Secret;
     getHostEndpoint(): string;
     getHostPort(): string;
+    getClusterIdentifier(): string;
+    getSnapshotTarget(): Extract<SnapshotTarget, {
+        kind: "cluster";
+    }>;
+    getDatabaseName(): string;
+    getConnectionString(): string;
 }
 export {};

package/dist/lib/resources/aws/database/rdsAuroraGlobal.js

@@ -1,4 +1,4 @@
-import { CfnOutput, Stack } from "aws-cdk-lib";
+import { ArnFormat, CfnOutput, Stack } from "aws-cdk-lib";
 import { CfnGlobalCluster } from "aws-cdk-lib/aws-rds";
 import { Construct } from "constructs";
 import { RdsAurora } from "./rdsAurora.js";
@@ -32,41 +32,6 @@ export class RdsAuroraGlobal extends Construct {
     getPrimaryClusterIdentifier() {
         return ResourceNaming.primaryClusterId(this.constructId);
     }
-    getGlobalClusterEngineString() {
-        // Default to aurora-postgresql if no engine specified (matches existing behaviour)
-        if (!this.props.engine)
-            return "aurora-postgresql";
-        // Handle different engine formats safely using unknown and type guards
-        const engine = this.props.engine;
-        // CDK's IClusterEngine interface does not expose engineType/engine/name
-        // properties directly, but the concrete implementations (e.g. AuroraMysqlEngineVersion)
-        // do have them at runtime. Cast through unknown to probe these internal fields.
-        // CDK engine internals — may break on CDK upgrades. See rdsAuroraGlobal unit test.
-        const engineRecord = engine;
-        let engineType = engineRecord.engineType ?? engineRecord.engine ?? engineRecord.name;
-        // If the engine was provided as a raw string (unlikely but support it)
-        if (typeof engine === "string") {
-            engineType = engine;
-        }
-        // Fallback to toString() for Token-like objects
-        if (!engineType && typeof engineRecord.toString === "function") {
-            try {
-                engineType = engineRecord.toString();
-            }
-            catch (_e) {
-                // toString() may throw on CDK Token objects — fall back to undefined
-                engineType = undefined;
-            }
-        }
-        if (typeof engineType !== "string")
-            return "aurora-postgresql";
-        // Normalise common forms: AURORA_POSTGRESQL -> aurora-postgresql, aurora_postgresql -> aurora-postgresql
-        const normalised = engineType.toLowerCase().replace(/_/g, "-");
-        // If the normalised value is just 'aurora', prefer the more specific postgres default
-        if (normalised === "aurora")
-            return "aurora-postgresql";
-        return normalised;
-    }
     // create the CfnGlobalCluster only in the primary region
     addGlobalCluster() {
         if (this.props.primaryRegion !== this.currentRegion)
@@ -79,9 +44,7 @@ export class RdsAuroraGlobal extends Construct {
         if (this.primaryCluster) {
             // Use the helper on RdsAurora to get the underlying L1 DBCluster (more reliable
             // than relying on node.defaultChild which can vary depending on construct ordering)
-            primaryL1 =
-                this.primaryCluster.getCfnCluster &&
-                    this.primaryCluster.getCfnCluster();
+            primaryL1 = this.primaryCluster.getCfnCluster();
             if (primaryL1) {
                 sourceIdentifier = primaryL1.ref;
             }
@@ -93,7 +56,7 @@ export class RdsAuroraGlobal extends Construct {
         // ensure the underlying primary DBCluster L1 has the globalClusterIdentifier set
         if (primaryL1) {
             // Make the CFN dependency explicit so the DBCluster is created before the GlobalCluster
-            this.globalCluster.addDependsOn(primaryL1);
+            this.globalCluster.addDependency(primaryL1);
             // IMPORTANT: do NOT set the primary DBCluster's `globalClusterIdentifier` here.
             // If we set the primary DBCluster to reference the global cluster, CloudFormation
             // will attempt to validate that the global cluster exists when creating the
@@ -125,7 +88,10 @@ export class RdsAuroraGlobal extends Construct {
             databaseInsights: this.props.databaseInsights,
             deletionProtection: this.props.deletionProtection,
             snapshotIdentifier: this.props.snapshotIdentifier,
-            snapshotUsername: this.props.snapshotUsername
+            snapshotUsername: this.props.snapshotUsername,
+            alertsTopic: this.props.alertsTopic,
+            alarms: this.props.alarms,
+            applicationId: this.props.applicationId
         };
         if (this.props.primaryRegion === this.currentRegion) {
             // primary
@@ -153,8 +119,7 @@ export class RdsAuroraGlobal extends Construct {
             ...commonConfig
         });
         // set the L1 DBCluster property so CloudFormation will join it to the global cluster
-        const regionalL1 = this.regionalCluster.getCfnCluster &&
-            this.regionalCluster.getCfnCluster();
+        const regionalL1 = this.regionalCluster.getCfnCluster();
         if (regionalL1) {
             regionalL1.globalClusterIdentifier = this.globalId;
             // Enable write forwarding if requested
@@ -192,4 +157,35 @@ export class RdsAuroraGlobal extends Construct {
             return this.regionalCluster.getHostPort();
         throw new Error("No Aurora cluster available to return port from");
     }
+    getClusterIdentifier() {
+        return this.getPrimaryClusterIdentifier();
+    }
+    getSnapshotTarget() {
+        // The primary cluster lives in `primaryRegion`; pin region explicitly so
+        // a secondary-region stack still emits the correct ARN.
+        return {
+            kind: "cluster",
+            arn: Stack.of(this).formatArn({
+                service: "rds",
+                resource: "cluster",
+                resourceName: this.getPrimaryClusterIdentifier(),
+                region: this.props.primaryRegion,
+                arnFormat: ArnFormat.COLON_RESOURCE_NAME
+            })
+        };
+    }
+    getDatabaseName() {
+        if (this.primaryCluster)
+            return this.primaryCluster.getDatabaseName();
+        if (this.regionalCluster)
+            return this.regionalCluster.getDatabaseName();
+        throw new Error("No Aurora cluster available to return database name from");
+    }
+    getConnectionString() {
+        if (this.primaryCluster)
+            return this.primaryCluster.getConnectionString();
+        if (this.regionalCluster)
+            return this.regionalCluster.getConnectionString();
+        throw new Error("No Aurora cluster available to return connection string from");
+    }
 }

package/dist/lib/resources/aws/database/rdsDefaults.d.ts

@@ -8,4 +8,10 @@ export declare const RDS_DEFAULTS: Readonly<{
     readonly MONITORING_INTERVAL: Duration;
     /** SecretsManager rotation application version for multi-user rotation */
     readonly ROTATION_APP_VERSION: "1.1.367";
+    /** Default backup retention in days — applied uniformly across Aurora and RDS Instance */
+    readonly BACKUP_RETENTION_DEFAULT_DAYS: 14;
+    /** Default instance type — primary and read-replica must stay in lockstep */
+    readonly DEFAULT_INSTANCE_TYPE: "t4g.large";
+    /** Default storage autoscaling ceiling (GiB) — applied to primary and replica */
+    readonly DEFAULT_MAX_ALLOCATED_STORAGE_GIB: 500;
 }>;

package/dist/lib/resources/aws/database/rdsDefaults.js

@@ -7,5 +7,11 @@ export const RDS_DEFAULTS = Object.freeze({
     /** 1 minute — balances monitoring granularity against CloudWatch costs */
     MONITORING_INTERVAL: Duration.minutes(1),
     /** SecretsManager rotation application version for multi-user rotation */
-    ROTATION_APP_VERSION: "1.1.367"
+    ROTATION_APP_VERSION: "1.1.367",
+    /** Default backup retention in days — applied uniformly across Aurora and RDS Instance */
+    BACKUP_RETENTION_DEFAULT_DAYS: 14,
+    /** Default instance type — primary and read-replica must stay in lockstep */
+    DEFAULT_INSTANCE_TYPE: "t4g.large",
+    /** Default storage autoscaling ceiling (GiB) — applied to primary and replica */
+    DEFAULT_MAX_ALLOCATED_STORAGE_GIB: 500
 });

package/dist/lib/resources/aws/database/rdsHelpers.d.ts

@@ -12,12 +12,12 @@ export declare const DEFAULT_POSTGRES_ENGINE_CONFIG: EngineConfig;
  * - AWS managed / undefined → returns undefined (CDK default)
  * - IKey → returns the key as-is
  */
-export declare function resolveStorageEncryptionKey(scope: Construct, databaseName: string | undefined, storageKey: EncryptionKeySpec | undefined): IKey | undefined;
+export declare function resolveStorageEncryptionKey(scope: Construct, databaseName: string, storageKey: EncryptionKeySpec | undefined): IKey | undefined;
 /**
  * Resolve a Performance Insights encryption key spec into an IKey or undefined.
  * Only creates a CMK when PI is enabled and CMK is requested.
  */
-export declare function resolvePerformanceInsightsKey(scope: Construct, databaseName: string | undefined, piEnabled: boolean, encryptionKey: EncryptionKeySpec | undefined): IKey | undefined;
+export declare function resolvePerformanceInsightsKey(scope: Construct, databaseName: string, piEnabled: boolean, encryptionKey: EncryptionKeySpec | undefined): IKey | undefined;
 /** Resolve the databaseInsights prop into an enabled flag and optional config object. */
 export declare function resolveDatabaseInsights(databaseInsights: DatabaseInsightsConfig | false | undefined): {
     piEnabled: boolean;
@@ -29,7 +29,7 @@ export declare function resolveDatabaseInsights(databaseInsights: DatabaseInsigh
  */
 export declare function addMultiUserSecretRotation(params: {
     scope: Construct;
-    databaseName: string | undefined;
+    databaseName: string;
     constructId: string;
     engineConfig: EngineConfig;
     credentialsConfig: CredentialsConfig | undefined;

package/dist/lib/resources/aws/database/rdsHelpers.js

@@ -6,6 +6,7 @@ import { RDS_DEFAULTS } from "./rdsDefaults.js";
 import { isAwsManagedKey, isCMKRequested } from "../../../utils/databaseTypes.js";
 /** Default PostgreSQL engine configuration used by both Aurora and Instance constructs. */
 export const DEFAULT_POSTGRES_ENGINE_CONFIG = {
+    family: "postgresql",
     defaultUsername: "postgres",
     sslParameters: { "rds.force_ssl": "1" },
     rotationAppName: "SecretsManagerRDSPostgreSQLRotationMultiUser"

package/dist/lib/resources/aws/database/rdsInstance.d.ts

@@ -5,7 +5,7 @@ import { Construct } from "constructs";
 import { SecurityGroup } from "../networking/securityGroup.js";
 import { Secret } from "../secrets/index.js";
 import { type StackBuilder } from "../base/awsStack.js";
-import { type EngineConfig, type ProxyConfig, type ReadReplicaConfig, type CredentialsConfig, type EncryptionConfig, type DatabaseInsightsConfig } from "../../../utils/databaseTypes.js";
+import { type EngineConfig, type ProxyConfig, type ReadReplicaConfig, type CredentialsConfig, type EncryptionConfig, type DatabaseInsightsConfig, type SnapshotTarget } from "../../../utils/databaseTypes.js";
 import type { ITopic } from "aws-cdk-lib/aws-sns";
 import { type RdsAlarmThresholds } from "../monitoring/index.js";
 interface RdsProps {
@@ -54,6 +54,7 @@ export declare class RdsInstance extends Construct implements IConnectable {
     private databaseProxy?;
     private databaseProxySecurityGroup?;
     private readReplicaSecurityGroup?;
+    private databaseNameValue;
     private readonly constructId;
     constructor(scope: Construct, id: string, props: RdsProps);
     private addDatabase;
@@ -63,6 +64,12 @@ export declare class RdsInstance extends Construct implements IConnectable {
     getHostEndpoint(): string;
     getHostPort(): string;
     getCredentials(): Secret;
+    getInstanceIdentifier(): string;
+    getSnapshotTarget(): Extract<SnapshotTarget, {
+        kind: "instance";
+    }>;
+    getDatabaseName(): string;
+    getConnectionString(): string;
     static build(id: string, props: RdsProps): (sb: StackBuilder) => Construct;
 }
 export {};

package/dist/lib/resources/aws/database/rdsInstance.js

@@ -26,12 +26,14 @@ export class RdsInstance extends Construct {
     databaseProxy;
     databaseProxySecurityGroup;
     readReplicaSecurityGroup;
+    databaseNameValue;
     constructId;
     constructor(scope, id, props) {
         super(scope, id);
         this.constructId = id;
-        this.port = props.port || RDS_DEFAULTS.DEFAULT_PORT;
+        this.port = props.port ?? RDS_DEFAULTS.DEFAULT_PORT;
         this.vpc = props.vpc;
+        this.databaseNameValue = props.databaseName ?? id.replace("Rds", "");
         // PostgreSQL fallback for direct usage - ensure engine and engineConfig match
         this.engineConfig = props.engineConfig ?? DEFAULT_POSTGRES_ENGINE_CONFIG;
         this.addDatabase(props);
@@ -62,7 +64,7 @@ export class RdsInstance extends Construct {
         const username = props.snapshotIdentifier && props.snapshotUsername
             ? props.snapshotUsername
             : (props.credentials?.username ?? this.engineConfig.defaultUsername);
-        this.databaseCredentials = new Secret(this, `${props.databaseName}Credentials`, {
+        this.databaseCredentials = new Secret(this, `${this.databaseNameValue}Credentials`, {
             secretName: ResourceNaming.credentialsSecretName(this.constructId),
             generateSecretString: {
                 secretStringTemplate: JSON.stringify({
@@ -73,9 +75,9 @@ export class RdsInstance extends Construct {
                 generateStringKey: "password"
             }
         });
-        this.databaseSecurityGroup = new SecurityGroup(this, `${props.databaseName}SecurityGroup`, {
+        this.databaseSecurityGroup = new SecurityGroup(this, `${this.databaseNameValue}SecurityGroup`, {
             vpc: this.vpc,
-            description: `Security group for RDS database instance ${props.databaseName}`
+            description: `Security group for RDS database instance ${this.databaseNameValue}`
         });
         // Self-referencing rule for multi-AZ communication
         this.databaseSecurityGroup.addIngressRule(this.databaseSecurityGroup, Port.tcp(this.port));
@@ -83,9 +85,9 @@ export class RdsInstance extends Construct {
             securityGroups: [this.databaseSecurityGroup],
             defaultPort: Port.tcp(this.port)
         });
-        const storageEncryptionKey = resolveStorageEncryptionKey(this, props.databaseName, props.encryption?.storageKey);
+        const storageEncryptionKey = resolveStorageEncryptionKey(this, this.databaseNameValue, props.encryption?.storageKey);
         const { piEnabled, piConfig } = resolveDatabaseInsights(props.databaseInsights);
-        const performanceInsightsEncryptionKey = resolvePerformanceInsightsKey(this, props.databaseName, piEnabled, piConfig?.encryptionKey);
+        const performanceInsightsEncryptionKey = resolvePerformanceInsightsKey(this, this.databaseNameValue, piEnabled, piConfig?.encryptionKey);
         const diMode = piConfig?.mode ?? "standard";
         const performanceInsightsRetention = piEnabled
             ? getDatabaseInsightsRetention(diMode)
@@ -94,9 +96,9 @@ export class RdsInstance extends Construct {
             DatabaseInstanceEngine.postgres({
                 version: PostgresEngineVersion.VER_17_5
             });
-        const parameterGroup = new ParameterGroup(this, `${props.databaseName}ParameterGroup`, {
+        const parameterGroup = new ParameterGroup(this, `${this.databaseNameValue}ParameterGroup`, {
             engine,
-            description: `Parameter group for ${props.databaseName} with security defaults`,
+            description: `Parameter group for ${this.databaseNameValue} with security defaults`,
             parameters: this.engineConfig.sslParameters
         });
         // Use PUBLIC subnet for publiclyAccessible databases (e.g., tinkerer tier without NAT)
@@ -112,8 +114,9 @@ export class RdsInstance extends Construct {
             engine,
             parameterGroup,
             allocatedStorage: props.allocatedStorage,
-            backupRetention: props.backupRetention || Duration.days(14),
-            preferredBackupWindow: props.preferredBackupWindow || "02:00-03:00",
+            backupRetention: props.backupRetention ??
+                Duration.days(RDS_DEFAULTS.BACKUP_RETENTION_DEFAULT_DAYS),
+            preferredBackupWindow: props.preferredBackupWindow ?? "02:00-03:00",
             storageEncrypted: true,
             storageEncryptionKey,
             storageType: StorageType.GP3,
@@ -124,21 +127,20 @@ export class RdsInstance extends Construct {
             performanceInsightEncryptionKey: performanceInsightsEncryptionKey,
             performanceInsightRetention: performanceInsightsRetention,
             instanceIdentifier: ResourceNaming.dbInstanceId(this.constructId),
-            instanceType: props.instanceType
-                ? new InstanceType(props.instanceType)
-                : new InstanceType("t4g.large"),
-            maxAllocatedStorage: props.maxAllocatedStorage || 500,
-            monitoringInterval: props.monitoringInterval || RDS_DEFAULTS.MONITORING_INTERVAL,
+            instanceType: new InstanceType(props.instanceType ?? RDS_DEFAULTS.DEFAULT_INSTANCE_TYPE),
+            maxAllocatedStorage: props.maxAllocatedStorage ??
+                RDS_DEFAULTS.DEFAULT_MAX_ALLOCATED_STORAGE_GIB,
+            monitoringInterval: props.monitoringInterval ?? RDS_DEFAULTS.MONITORING_INTERVAL,
             multiAz: props.multiAz !== false,
             port: this.port,
             deletionProtection: props.deletionProtection ?? true,
-            preferredMaintenanceWindow: props.preferredMaintenanceWindow ||
+            preferredMaintenanceWindow: props.preferredMaintenanceWindow ??
                 RDS_DEFAULTS.PREFERRED_MAINTENANCE_WINDOW,
             publiclyAccessible: props.publiclyAccessible ?? false
         };
         if (props.snapshotIdentifier) {
             // Create from snapshot
-            this.database = new DatabaseInstanceFromSnapshot(this, `${props.databaseName}Database`, {
+            this.database = new DatabaseInstanceFromSnapshot(this, `${this.databaseNameValue}Database`, {
                 ...commonInstanceProps,
                 snapshotIdentifier: props.snapshotIdentifier,
                 // For snapshots, credentials are used to reset the password
@@ -147,7 +149,7 @@ export class RdsInstance extends Construct {
         }
         else {
             // Create new instance
-            this.database = new DatabaseInstance(this, `${props.databaseName}Database`, {
+            this.database = new DatabaseInstance(this, `${this.databaseNameValue}Database`, {
                 ...commonInstanceProps,
                 databaseName: props.databaseName,
                 credentials: Credentials.fromSecret(this.databaseCredentials.secret)
@@ -157,7 +159,7 @@ export class RdsInstance extends Construct {
     rotateSecret(props) {
         this.masterSecret = addMultiUserSecretRotation({
             scope: this,
-            databaseName: props.databaseName,
+            databaseName: this.databaseNameValue,
             constructId: this.constructId,
             engineConfig: this.engineConfig,
             credentialsConfig: props.credentials,
@@ -173,13 +175,13 @@ export class RdsInstance extends Construct {
         const vpcSubnets = proxyConfig.vpcSubnets ?? {
             subnetType: SubnetType.PRIVATE_WITH_EGRESS
         };
-        this.databaseProxySecurityGroup = new SecurityGroup(this, `${props.databaseName}ProxySecurityGroup`, {
+        this.databaseProxySecurityGroup = new SecurityGroup(this, `${this.databaseNameValue}ProxySecurityGroup`, {
             vpc: this.vpc,
-            description: `Security group for RDS Proxy for ${props.databaseName}`
+            description: `Security group for RDS Proxy for ${this.databaseNameValue}`
         });
         // Allow proxy to connect to database
         this.databaseSecurityGroup.addIngressRule(this.databaseProxySecurityGroup, Port.tcp(this.port), "Allow RDS Proxy to connect to database");
-        this.databaseProxy = new DatabaseProxy(this, `${props.databaseName}DatabaseProxy`, {
+        this.databaseProxy = new DatabaseProxy(this, `${this.databaseNameValue}DatabaseProxy`, {
             dbProxyName: ResourceNaming.proxyName(this.constructId),
             proxyTarget: ProxyTarget.fromInstance(this.database),
             secrets: [this.databaseCredentials.secret],
@@ -193,22 +195,24 @@ export class RdsInstance extends Construct {
             maxConnectionsPercent: proxyConfig.maxConnections,
             maxIdleConnectionsPercent: proxyConfig.maxIdleConnections
         });
-        addProxyCfnOutput(this, this.constructId, props.databaseName, this.databaseProxy);
+        addProxyCfnOutput(this, this.constructId, this.databaseNameValue, this.databaseProxy);
     }
     addReadReplica(props) {
         if (!props.readReplica)
             return;
         const replicaConfig = props.readReplica;
-        const replicaInstanceType = replicaConfig.instanceType ?? props.instanceType ?? "t4g.large";
+        const replicaInstanceType = replicaConfig.instanceType ??
+            props.instanceType ??
+            RDS_DEFAULTS.DEFAULT_INSTANCE_TYPE;
         const { piEnabled, piConfig } = resolveDatabaseInsights(props.databaseInsights);
         const readReplicaPerformanceInsightsKey = piEnabled && isCMKRequested(piConfig?.encryptionKey)
-            ? new CustomerManagedKey(this, `${props.databaseName}ReadReplicaReaderInsightsKey`, {
-                aliasName: `cmk/rds/${props.databaseName}/ReadReplicaInsightsKey`
+            ? new CustomerManagedKey(this, `${this.databaseNameValue}ReadReplicaReaderInsightsKey`, {
+                aliasName: `cmk/rds/${this.databaseNameValue}/ReadReplicaInsightsKey`
             }).key
             : undefined;
-        this.readReplicaSecurityGroup = new SecurityGroup(this, `${props.databaseName}ReadReplicaSecurityGroup`, {
+        this.readReplicaSecurityGroup = new SecurityGroup(this, `${this.databaseNameValue}ReadReplicaSecurityGroup`, {
             vpc: this.vpc,
-            description: `Security group for RDS read replica of ${props.databaseName}`
+            description: `Security group for RDS read replica of ${this.databaseNameValue}`
         });
         // Allow primary database to replicate to read replica
         this.readReplicaSecurityGroup.addIngressRule(this.databaseSecurityGroup, Port.tcp(this.port), "Allow primary database to replicate to read replica");
@@ -217,10 +221,10 @@ export class RdsInstance extends Construct {
         // Without this waiter, the final snapshot creation fails.
         const instanceId = ResourceNaming.dbInstanceId(this.constructId);
         const waiterTimeout = Duration.minutes(10);
-        const deletionWaiter = new CustomResource(this, `${props.databaseName}DeletionWaiter`, {
+        const deletionWaiter = new CustomResource(this, `${this.databaseNameValue}DeletionWaiter`, {
             runtime: Runtime.NODEJS_22_X,
             timeout: waiterTimeout.plus(Duration.seconds(30)),
-            lambdaDescription: `${props.databaseName} deletion waiter`,
+            lambdaDescription: `${this.databaseNameValue} deletion waiter`,
             inlineCode: `
 const { RDSClient } = require('@aws-sdk/client-rds');
 const { waitUntilDBInstanceAvailable } = require('@aws-sdk/client-rds');
@@ -266,7 +270,7 @@ exports.handler = async (event) => {
             }
         });
         deletionWaiter.resource.node.addDependency(this.database);
-        const readReplica = new DatabaseInstanceReadReplica(this, `${props.databaseName}ReadReplica`, {
+        const readReplica = new DatabaseInstanceReadReplica(this, `${this.databaseNameValue}ReadReplica`, {
             sourceDatabaseInstance: this.database,
             vpc: this.vpc,
             vpcSubnets: {
@@ -287,12 +291,13 @@ exports.handler = async (event) => {
             instanceIdentifier: ResourceNaming.readReplicaId(this.constructId),
             instanceType: new InstanceType(replicaInstanceType),
             availabilityZone: replicaConfig.availabilityZone,
-            maxAllocatedStorage: props.maxAllocatedStorage || 500,
-            monitoringInterval: props.monitoringInterval || RDS_DEFAULTS.MONITORING_INTERVAL,
+            maxAllocatedStorage: props.maxAllocatedStorage ??
+                RDS_DEFAULTS.DEFAULT_MAX_ALLOCATED_STORAGE_GIB,
+            monitoringInterval: props.monitoringInterval ?? RDS_DEFAULTS.MONITORING_INTERVAL,
             multiAz: props.multiAz !== false,
             port: this.port,
             deletionProtection: props.deletionProtection ?? true,
-            preferredMaintenanceWindow: props.preferredMaintenanceWindow ||
+            preferredMaintenanceWindow: props.preferredMaintenanceWindow ??
                 RDS_DEFAULTS.PREFERRED_MAINTENANCE_WINDOW
         });
         readReplica.node.addDependency(deletionWaiter.resource);
@@ -311,6 +316,18 @@ exports.handler = async (event) => {
     getCredentials() {
         return this.databaseCredentials;
     }
+    getInstanceIdentifier() {
+        return this.database.instanceIdentifier;
+    }
+    getSnapshotTarget() {
+        return { kind: "instance", arn: this.database.instanceArn };
+    }
+    getDatabaseName() {
+        return this.databaseNameValue;
+    }
+    getConnectionString() {
+        return `${this.engineConfig.family}://${this.getHostEndpoint()}:${this.getHostPort()}/${this.getDatabaseName()}`;
+    }
     static build(id, props) {
         return (sb) => {
             const newProps = {