Created
April 2, 2025 23:49
-
-
Save revmischa/14f0cf9758bc50091ff8cc485aae1cd1 to your computer and use it in GitHub Desktop.
Allow Aurora DB to export to S3 (CDK TypeScript)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import { AwsCustomResource, AwsCustomResourcePolicy } from 'aws-cdk-lib/custom-resources' | |
| function setUpS3Exports(stack: Stack, db: IServerlessCluster , reportsBucket: Bucket) { | |
| // see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/postgresql-s3-export-access-bucket.html | |
| const role = new Role(db, 'S3ExportRole', { | |
| assumedBy: new ServicePrincipal('rds.amazonaws.com', { | |
| conditions: { | |
| StringEquals: { | |
| 'aws:SourceAccount': stack.account, | |
| 'aws:SourceArn': db.clusterArn, | |
| }, | |
| }, | |
| }), | |
| }) | |
| role.addToPolicy( | |
| new PolicyStatement({ | |
| effect: Effect.ALLOW, | |
| actions: [ | |
| 's3:PutObject*', | |
| 's3:ListBucket', | |
| 's3:GetObject*', | |
| 's3:DeleteObject*', | |
| 's3:GetBucketLocation', | |
| 's3:AbortMultipartUpload', | |
| ], | |
| resources: [`${reportsBucket.bucketArn}/*`], | |
| }), | |
| ) | |
| // attach the role to the DB cluster | |
| new AwsCustomResource(stack, 'AttachS3ExportRole', { | |
| onCreate: { | |
| service: 'RDS', | |
| action: 'addRoleToDBCluster', | |
| parameters: { | |
| DBClusterIdentifier: db.clusterIdentifier, | |
| FeatureName: 's3Export', | |
| RoleArn: role.roleArn, | |
| }, | |
| physicalResourceId: { id: db.clusterIdentifier }, | |
| }, | |
| policy: AwsCustomResourcePolicy.fromStatements([ | |
| new PolicyStatement({ | |
| actions: ['rds:AddRoleToDBCluster', 'iam:PassRole'], | |
| resources: ['*'], | |
| }), | |
| ]), | |
| }) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment