fix(aurora): aurora security group CDK native syntax (#1045)

* fix(aurora): aurora security group CDK native syntax

Signed-off-by: Rafael Mosca <rafams@amazon.com>

---------

Signed-off-by: Rafael Mosca <rafams@amazon.com>
Co-authored-by: Rafael Mosca <rafams@amazon.es>
Co-authored-by: Alain Krok <alkrok@amazon.com>

Author: 3 people

apidocs/@cdklabs/namespaces/amazonaurora/classes/AmazonAuroraVectorStore.md

@@ -182,11 +182,11 @@ The VPC of your Amazon Aurora DB cluster.
 
 ##### lambdaSecurityGroup
 
-`SecurityGroup`
+`ISecurityGroup`
 
 ##### auroraSecurityGroup
 
-`SecurityGroup`
+`ISecurityGroup`
 
 #### Returns
 
@@ -288,7 +288,7 @@ The VPC of your Amazon Aurora DB cluster.
 
 ### setupDatabaseClusterResources()
 
-> `protected` **setupDatabaseClusterResources**(`vpc`, `secret`, `clusterIdentifier`, `auroraSecurityGroupId`): [`DatabaseClusterResources`](../interfaces/DatabaseClusterResources.md)
+> `protected` **setupDatabaseClusterResources**(`vpc`, `secret`, `clusterIdentifier`, `auroraSecurityGroup`): [`DatabaseClusterResources`](../interfaces/DatabaseClusterResources.md)
 
 #### Parameters
 
@@ -304,9 +304,9 @@ The VPC of your Amazon Aurora DB cluster.
 
 `string`
 
-##### auroraSecurityGroupId
+##### auroraSecurityGroup
 
-`string`
+`ISecurityGroup`
 
 #### Returns
 
@@ -342,8 +342,7 @@ Creates an instance of AmazonAuroraVectorStore using existing Aurora Vector Stor
 You need to provide your existing Aurora Vector Store properties
 such as `databaseName`, `clusterIdentifier`, `vpc` where database is deployed,
 `secret` containing username and password for authentication to database,
-and `auroraSecurityGroupId` with the value of a security group id that was
-used for the database.
+and `auroraSecurityGroup` with the ecurity group that was used for the database.
 
 #### Parameters
 

apidocs/@cdklabs/namespaces/amazonaurora/classes/ExistingAmazonAuroraVectorStore.md

@@ -182,11 +182,11 @@ The VPC of your Amazon Aurora DB cluster.
 
 ##### lambdaSecurityGroup
 
-`SecurityGroup`
+`ISecurityGroup`
 
 ##### auroraSecurityGroup
 
-`SecurityGroup`
+`ISecurityGroup`
 
 #### Returns
 
@@ -288,7 +288,7 @@ The VPC of your Amazon Aurora DB cluster.
 
 ### setupDatabaseClusterResources()
 
-> `protected` **setupDatabaseClusterResources**(`vpc`, `secret`, `clusterIdentifier`, `auroraSecurityGroupId`): [`DatabaseClusterResources`](../interfaces/DatabaseClusterResources.md)
+> `protected` **setupDatabaseClusterResources**(`vpc`, `secret`, `clusterIdentifier`, `auroraSecurityGroup`): [`DatabaseClusterResources`](../interfaces/DatabaseClusterResources.md)
 
 #### Parameters
 
@@ -304,9 +304,9 @@ The VPC of your Amazon Aurora DB cluster.
 
 `string`
 
-##### auroraSecurityGroupId
+##### auroraSecurityGroup
 
-`string`
+`ISecurityGroup`
 
 #### Returns
 

apidocs/@cdklabs/namespaces/amazonaurora/interfaces/DatabaseClusterResources.md

@@ -20,7 +20,7 @@ The Amazon Aurora RDS cluster.
 
 ### auroraSecurityGroup
 
-> `readonly` **auroraSecurityGroup**: `SecurityGroup`
+> `readonly` **auroraSecurityGroup**: `ISecurityGroup`
 
 The security group associated with the Aurora cluster.
 

apidocs/@cdklabs/namespaces/amazonaurora/interfaces/ExistingAmazonAuroraVectorStoreProps.md

@@ -17,11 +17,11 @@ set up for `5432`.
 
 ## Properties
 
-### auroraSecurityGroupId
+### auroraSecurityGroup
 
-> `readonly` **auroraSecurityGroupId**: `string`
+> `readonly` **auroraSecurityGroup**: `ISecurityGroup`
 
-The id of the security group associated with the RDS Aurora instance.
+The Security group associated with the RDS Aurora instance.
 This security group allows access to the Aurora Vector Store from Lambda's
 custom resource running pgVector SQL commands.
 

apidocs/@cdklabs/namespaces/bedrock/classes/BedrockFoundationModel.md

@@ -287,9 +287,9 @@ The ARN of the Bedrock invokable abstraction.
 
 ***
 
-### META\_LLAMA\_4\_MAVERICK\_70B\_INSTRUCT\_V1
+### META\_LLAMA\_4\_MAVERICK\_17B\_INSTRUCT\_V1
 
-> `readonly` `static` **META\_LLAMA\_4\_MAVERICK\_70B\_INSTRUCT\_V1**: `BedrockFoundationModel`
+> `readonly` `static` **META\_LLAMA\_4\_MAVERICK\_17B\_INSTRUCT\_V1**: `BedrockFoundationModel`
 
 ***
 

src/cdk-lib/amazonaurora/README.md

@@ -76,11 +76,15 @@ const auroraDb = amazonaurora.AmazonAuroraVectorStore.fromExistingAuroraVectorSt
   textField: 'chunks',
   metadataField: 'metadata',
   primaryKeyField: 'id',
-  embeddingsModel: foundation_models.BedrockFoundationModel.COHERE_EMBED_ENGLISH_V3,
+  embeddingsModelVectorDimension: bedrock.BedrockFoundationModel.COHERE_EMBED_ENGLISH_V3.vectorDimensions!,
   vpc: cdk.aws_ec2.Vpc.fromLookup(stack, 'VPC', {
     vpcId: 'vpc-0c1a234567ee8bc90',
   }),
-  auroraSecurityGroupId: 'sg-012ef345678c98a76',
+  auroraSecurityGroup: cdk.aws_ec2.SecurityGroup.fromSecurityGroupId(
+    stack,
+    'AuroraSecurityGroup',
+    'sg-012456789'
+  ),
   secret: cdk.aws_rds.DatabaseSecret.fromSecretCompleteArn(
     stack,
     'Secret',
@@ -141,9 +145,13 @@ aurora_db = amazonaurora.AmazonAuroraVectorStore.from_existing_aurora_vector_sto
     text_field='chunks',
     metadata_field='metadata',
     primary_key_field='id',
-    embeddings_model=foundation_models.BedrockFoundationModel.COHERE_EMBED_ENGLISH_V3,
+    embeddings_model_vector_dimension=bedrock.BedrockFoundationModel.COHERE_EMBED_ENGLISH_V3.vectorDimensions!,
     vpc=ec2.Vpc.from_lookup(self, 'VPC', vpc_id='vpc-0c1a234567ee8bc90'),
-    aurora_security_group_id='sg-012ef345678c98a76',,
+    aurora_security_group=ec2.SecurityGroup.from_security_group_id(
+        self,
+        'AuroraSecurityGroup',
+        'sg-01245678'
+    ),
     secret=rds.DatabaseSecret.from_secret_complete_arn(
         self,
         'Secret',

src/cdk-lib/amazonaurora/aurora-vector-store.ts

@@ -21,8 +21,15 @@ import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 import { buildCustomResourceProvider } from '../../common/helpers/custom-resource-provider-helper';
 import { generatePhysicalNameV2 } from '../../common/helpers/utils';
-import { AddAwsServiceEndpoint, buildVpc, ServiceEndpointTypeEnum } from '../../common/helpers/vpc-helper';
-
+import {
+  AddAwsServiceEndpoint,
+  buildVpc,
+  ServiceEndpointTypeEnum,
+} from '../../common/helpers/vpc-helper';
+
+/******************************************************************************
+ *                              ENUMS
+ *****************************************************************************/
 /**
  * List of supported versions of PostgreSQL for Aurora cluster.
  */
@@ -43,6 +50,9 @@ export const SupportedPostgreSQLVersions = {
 export type SupportedPostgreSQLVersions =
   (typeof SupportedPostgreSQLVersions)[keyof typeof SupportedPostgreSQLVersions];
 
+/******************************************************************************
+ *                              COMMON
+ *****************************************************************************/
 /**
  * Base properties for an Aurora Vector Store.
  */
@@ -141,11 +151,11 @@ export interface ExistingAmazonAuroraVectorStoreProps extends BaseAuroraVectorSt
   readonly secret: secretsmanager.ISecret;
 
   /**
-   * The id of the security group associated with the RDS Aurora instance.
+   * The Security group associated with the RDS Aurora instance.
    * This security group allows access to the Aurora Vector Store from Lambda's
    * custom resource running pgVector SQL commands.
    */
-  readonly auroraSecurityGroupId: string;
+  readonly auroraSecurityGroup: ec2.ISecurityGroup;
 }
 
 /**
@@ -181,7 +191,7 @@ export interface DatabaseClusterResources {
   /**
    * The security group associated with the Aurora cluster.
    */
-  readonly auroraSecurityGroup: ec2.SecurityGroup;
+  readonly auroraSecurityGroup: ec2.ISecurityGroup;
 }
 
 /**
@@ -242,7 +252,8 @@ abstract class BaseAmazonAuroraVectorStore extends Construct {
      * Setup databaseName based on if it is provided in the props or not
      * and based on whether it is an existing Aurora Vector Store or not.
      */
-    this.databaseName = 'clusterIdentifier' in props ? props.databaseName : props.databaseName ?? 'bedrock_vector_db';
+    this.databaseName =
+      'clusterIdentifier' in props ? props.databaseName : props.databaseName ?? 'bedrock_vector_db';
 
     this.schemaName = props.schemaName ?? 'bedrock_integration';
     this.vectorField = props.vectorField ?? 'embedding';
@@ -324,14 +335,9 @@ abstract class BaseAmazonAuroraVectorStore extends Construct {
     vpc: ec2.IVpc,
     secret: secretsmanager.ISecret,
     clusterIdentifier: string,
-    auroraSecurityGroupId: string,
+    auroraSecurityGroup: ec2.ISecurityGroup,
   ): DatabaseClusterResources {
     const resourceArn = this.generateResourceArn(clusterIdentifier);
-    const auroraSecurityGroup = ec2.SecurityGroup.fromLookupById(
-      this,
-      'ExistingSG',
-      auroraSecurityGroupId,
-    ) as ec2.SecurityGroup;
 
     return {
       vpc,
@@ -351,8 +357,8 @@ abstract class BaseAmazonAuroraVectorStore extends Construct {
   }
 
   protected addIngressRuleToAuroraSecurityGroup(
-    lambdaSecurityGroup: ec2.SecurityGroup,
-    auroraSecurityGroup: ec2.SecurityGroup,
+    lambdaSecurityGroup: ec2.ISecurityGroup,
+    auroraSecurityGroup: ec2.ISecurityGroup,
   ) {
     auroraSecurityGroup.addIngressRule(
       lambdaSecurityGroup,
@@ -424,12 +430,17 @@ export class ExistingAmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore
       props.vpc,
       props.secret,
       props.clusterIdentifier,
-      props.auroraSecurityGroupId,
+      props.auroraSecurityGroup,
     );
 
-    const auroraPgCRPolicy = this.createAuroraPgCRPolicy(databaseClusterResources.clusterIdentifier);
+    const auroraPgCRPolicy = this.createAuroraPgCRPolicy(
+      databaseClusterResources.clusterIdentifier,
+    );
     const lambdaSecurityGroup = this.createLambdaSecurityGroup(databaseClusterResources.vpc);
-    this.addIngressRuleToAuroraSecurityGroup(lambdaSecurityGroup, databaseClusterResources.auroraSecurityGroup);
+    this.addIngressRuleToAuroraSecurityGroup(
+      lambdaSecurityGroup,
+      databaseClusterResources.auroraSecurityGroup,
+    );
 
     this.resourceArn = this.generateResourceArn(databaseClusterResources.clusterIdentifier);
     this.credentialsSecretArn = databaseClusterResources.secret.secretArn;
@@ -450,8 +461,7 @@ export class AmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore {
    * You need to provide your existing Aurora Vector Store properties
    * such as `databaseName`, `clusterIdentifier`, `vpc` where database is deployed,
    * `secret` containing username and password for authentication to database,
-   * and `auroraSecurityGroupId` with the value of a security group id that was
-   * used for the database.
+   * and `auroraSecurityGroup` with the ecurity group that was used for the database.
    *
    * @param scope - The scope in which to define the construct.
    * @param id - The ID of the construct.
@@ -489,9 +499,14 @@ export class AmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore {
       props.vpc,
       props.clusterId,
     );
-    const auroraPgCRPolicy = this.createAuroraPgCRPolicy(databaseClusterResources.clusterIdentifier);
+    const auroraPgCRPolicy = this.createAuroraPgCRPolicy(
+      databaseClusterResources.clusterIdentifier,
+    );
     const lambdaSecurityGroup = this.createLambdaSecurityGroup(databaseClusterResources.vpc);
-    this.addIngressRuleToAuroraSecurityGroup(lambdaSecurityGroup, databaseClusterResources.auroraSecurityGroup);
+    this.addIngressRuleToAuroraSecurityGroup(
+      lambdaSecurityGroup,
+      databaseClusterResources.auroraSecurityGroup,
+    );
 
     this.resourceArn = databaseClusterResources.resourceArn;
     this.credentialsSecretArn = databaseClusterResources.secret.secretArn;
@@ -502,7 +517,11 @@ export class AmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore {
       ServiceEndpointTypeEnum.BEDROCK_RUNTIME,
     ]);
 
-    const auroraPgVector = this.setupCustomResource(databaseClusterResources, lambdaSecurityGroup, auroraPgCRPolicy);
+    const auroraPgVector = this.setupCustomResource(
+      databaseClusterResources,
+      lambdaSecurityGroup,
+      auroraPgCRPolicy,
+    );
 
     auroraPgVector.node.addDependency(databaseClusterResources.auroraCluster!);
   }
@@ -531,7 +550,13 @@ export class AmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore {
         version: postgreSQLVersion,
       }),
       credentials: rds.Credentials.fromGeneratedSecret('postgres'),
-      clusterIdentifier: clusterIdentifier ?? generatePhysicalNameV2(this, 'aurora-serverless', { maxLength: 63, lower: true, separator: '-' }),
+      clusterIdentifier:
+        clusterIdentifier ??
+        generatePhysicalNameV2(this, 'aurora-serverless', {
+          maxLength: 63,
+          lower: true,
+          separator: '-',
+        }),
       defaultDatabaseName: this.databaseName,
       vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
@@ -541,7 +566,9 @@ export class AmazonAuroraVectorStore extends BaseAmazonAuroraVectorStore {
       serverlessV2MinCapacity: 0.5,
       serverlessV2MaxCapacity: 4,
       writer: rds.ClusterInstance.serverlessV2('AuroraServerlessWriter'),
-      readers: [rds.ClusterInstance.serverlessV2('AuroraServerlessReader', { scaleWithWriter: true })],
+      readers: [
+        rds.ClusterInstance.serverlessV2('AuroraServerlessReader', { scaleWithWriter: true }),
+      ],
       removalPolicy: cdk.RemovalPolicy.DESTROY,
     });
     const resourceArn = cdk.Stack.of(this).formatArn({

src/cdk-lib/bedrock/models.ts

@@ -343,8 +343,8 @@ export class BedrockFoundationModel implements IInvokable {
     },
   );
 
-  public static readonly META_LLAMA_4_MAVERICK_70B_INSTRUCT_V1 = new BedrockFoundationModel(
-    'meta.llama4-maverick-70b-instruct-v1:0',
+  public static readonly META_LLAMA_4_MAVERICK_17B_INSTRUCT_V1 = new BedrockFoundationModel(
+    'meta.llama4-maverick-17b-instruct-v1:0',
     {
       supportsAgents: true,
       supportsCrossRegion: true,

test/cdk-lib/amazonaurora/aurora-vector-store.test.ts

@@ -13,7 +13,7 @@
 
 import * as cdk from 'aws-cdk-lib';
 import { Annotations, Match, Template } from 'aws-cdk-lib/assertions';
-import { SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
+import { SubnetType, Vpc, SecurityGroup } from 'aws-cdk-lib/aws-ec2';
 import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';
 import { AmazonAuroraVectorStore, ExistingAmazonAuroraVectorStore } from '../../../src/cdk-lib/amazonaurora';
 
@@ -144,7 +144,11 @@ describe('Amazon Aurora Vector Store', () => {
           embeddingsModelVectorDimension: modelVectorDimension,
           vpc: vpc,
           secret: secret,
-          auroraSecurityGroupId: 'sg-12345678',
+          auroraSecurityGroup: new SecurityGroup(stack, 'AuroraSecurityGroup', {
+            vpc,
+            securityGroupName: 'aurora-security-group',
+            description: 'Security group for access to Aurora from Lambda',
+          }),
         });
     });