Support for opinionated Postgres RDS

[akash1810]

Note This list isn't exhaustive, please add to it!

We don't have any (meaningful) RDS constructs yet. Some of the RDS defaults aren't very helpful, for example StorageEncrypted:

A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.
Update requires: Replacement

That is, making an RDS database encrypted after the fact, and retaining data, is not trivial.

We should provide an opinionated RDS construct that includes:

• Encryption
• Frequent backups
• IAM Auth (where supported)
• Placement in the private subnets, and not publicly available
• Multi AZ
• Monitoring
• RDS Proxy for spiky workloads (e.g. as used by Pinboard)
• Secrets manager for root password (already a default of AWS CDK)
• A serverless/non-serverless variant?
• Bastian host? via https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.BastionHostLinux.html?
• Use the rds-ca-rsa2048-g1 certificate authority over the default rds-ca-2019. rds-ca-rsa2048-g1 offers automatic rotation, whereas rds-ca-2019 is manual.¹

Footnotes

1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities ↩

[akash1810]

https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/rds might offer some inspiration.

[jacobwinch]

• Multi AZ

AWS offers multi-AZ instances and multi-AZ clusters, which are slightly different. It would be great to encode a recommendation of when to make use of each type.