constructor()

in packages/constructs/L3/ai/gaia-l3-construct/lib/rag-engines/aurora-pgvector/index.ts [31:177]

• 139 lines of code
• 5 McCabe index (conditional complexity)

  constructor(scope: Construct, id: string, props: AuroraPgVectorProps) {
    super(scope, id, props);

    const monitoringRole = new MdaaRole(this, `aurora-postgres-enhanced-monitoring-role`, {
      naming: props.naming,
      roleName: `test-cluster-enhanced-monitoring-role`,
      assumedBy: new ServicePrincipal('monitoring.rds.amazonaws.com'),
      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonRDSEnhancedMonitoringRole')],
    });

    MdaaNagSuppressions.addCodeResourceSuppressions(
      monitoringRole,
      [
        {
          id: 'AwsSolutions-IAM4',
          reason: 'Managed policy used by RDS for monitoring.',
          appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'],
        },
      ],
      true,
    );

    const dbSecurityGroup = props.config?.rag?.engines?.aurora?.createSeparateSecurityGroup
      ? new MdaaSecurityGroup(this, 'auroraPgVectorSecurityGroup', {
          securityGroupName: 'aurora-pgvector-sg',
          naming: props.naming,
          vpc: props.shared.vpc,
          allowAllOutbound: false,
        })
      : props.shared.dataSecurityGroup;

    const databaseProps: MdaaRdsServerlessClusterProps = {
      naming: props.naming,
      createParams: false,
      createOutputs: false,
      engine: 'aurora-postgresql',
      engineVersion: rds.AuroraPostgresEngineVersion.VER_15_3,
      backupRetention: 20,
      clusterIdentifier: 'test-cluster',
      masterUsername: 'postgres',
      encryptionKey: props.encryptionKey,
      monitoringRole,
      vpc: props.shared.vpc,
      vpcSubnets: { subnets: props.shared.dataSubnets },
      port: 15530,
      adminPasswordRotationDays: 60,
      securityGroups: [dbSecurityGroup],
      scaling: {
        minCapacity: props.config.rag?.engines.aurora?.minCapacity || rds.AuroraCapacityUnit.ACU_1,
        maxCapacity: props.config.rag?.engines.aurora?.maxCapacity || rds.AuroraCapacityUnit.ACU_2,
      },
    };

    const dbCluster = new MdaaRdsServerlessCluster(this, 'aurora-postgres-pgvector', databaseProps);

    const dbSetupResourceCodePath =
      props.config?.codeOverwrites?.pgVectorDbSetupCodePath !== undefined
        ? props.config.codeOverwrites.pgVectorDbSetupCodePath
        : path.join(__dirname, './functions/pgvector-setup');
    const dbSetupResource = new MdaaCustomResource(this, 'DatabaseSetupCustomResource', {
      code: lambda.Code.fromAsset(dbSetupResourceCodePath),
      handler: 'index.lambda_handler',
      handlerProps: {
        AURORA_DB_SECRET_ID: dbCluster.secret?.secretArn as string,
      },
      handlerLayers: [props.shared.powerToolsLayer, props.shared.commonLayer],
      handlerRolePolicyStatements: [
        new iam.PolicyStatement({
          actions: [
            'secretsmanager:GetResourcePolicy',
            'secretsmanager:GetSecretValue',
            'secretsmanager:DescribeSecret',
            'secretsmanager:ListSecretVersionIds',
          ],
          resources: [dbCluster.secret?.secretArn as string],
        }),
        new iam.PolicyStatement({
          actions: ['kms:Decrypt'],
          resources: [props.encryptionKey.keyArn],
        }),
        new iam.PolicyStatement({
          effect: Effect.ALLOW,
          actions: ['ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface'],
          resources: ['*'],
        }),
      ],
      vpc: props.shared.vpc,
      subnet: { subnets: props.shared.dataSubnets },
      securityGroup: dbSecurityGroup,
      naming: props.naming,
      createParams: false,
      createOutputs: false,
      resourceType: 'DatabaseSetupFunction',
      runtime: props.shared.pythonRuntime,
    });
    MdaaNagSuppressions.addCodeResourceSuppressions(
      dbSetupResource,
      [
        { id: 'AwsSolutions-L1', reason: 'Only run during deployment.' },
        {
          id: 'NIST.800.53.R5-LambdaConcurrency',
          reason: 'Only run during deployment, concurrency does not fit the scenario.',
        },
        {
          id: 'HIPAA.Security-LambdaConcurrency',
          reason: 'Only run during deployment, concurrency does not fit the scenario.',
        },
        {
          id: 'PCI.DSS.321-LambdaConcurrency',
          reason: 'Only run during deployment, concurrency does not fit the scenario.',
        },
        {
          id: 'NIST.800.53.R5-LambdaDLQ',
          reason: 'Used in a custom resource, error handling is managed by Cloudformation.',
        },
        {
          id: 'HIPAA.Security-LambdaDLQ',
          reason: 'Used in a custom resource, error handling is managed by Cloudformation.',
        },
        {
          id: 'PCI.DSS.321-LambdaDLQ',
          reason: 'Used in a custom resource, error handling is managed by Cloudformation.',
        },
        { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: 'Used in a custom resource only during deployment.' },
        { id: 'HIPAA.Security-LambdaInsideVPC', reason: 'Used in a custom resource only during deployment.' },
        { id: 'PCI.DSS.321-LambdaInsideVPC', reason: 'Used in a custom resource only during deployment.' },
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Event handler lambda resources unknown at deployment, used for deployment only',
        },
      ],
      true,
    );
    dbSetupResource.node.addDependency(dbCluster);
    dbCluster.grantConnect(dbSetupResource.handlerFunction, 'postgres');

    const createWorkflow = new CreateAuroraWorkspace(this, 'CreateAuroraWorkspace', {
      ...props,
      config: props.config,
      shared: props.shared,
      dbCluster,
      ragDynamoDBTables: props.ragDynamoDBTables,
    });

    this.database = dbCluster;
    this.createAuroraWorkspaceWorkflow = createWorkflow.stateMachine;
  }