Add aurora encryption option (aws-samples#222)

* fix

* fix

README.md

@@ -253,6 +253,13 @@ const userPool = new UserPool(this, "UserPool", {
 
 This sample supports external identity provider. Currently we only support Google. To set up, See [SETUP_IDP.md](./docs/SETUP_IDP.md).
 
+### Encrypt Aurora Serverless storage
+
+Open `cdk.json` and set `dbEncryption` to `true`. Default value is `false`.
+
+> [!Warning]
+> If already deployed with `false`, setting to `true` and re-deployment will replace existing cluster, which deletes all of vector items.
+
 ### Local Development
 
 See [LOCAL DEVELOPMENT](./docs/LOCAL_DEVELOPMENT.md).

cdk/bin/bedrock-chat.ts

@@ -26,6 +26,7 @@ const PUBLISHED_API_ALLOWED_IP_V6_ADDRESS_RANGES: string[] =
 const ENABLE_USAGE_ANALYSIS: boolean = app.node.tryGetContext(
   "enableUsageAnalysis"
 );
+const DB_ENCRYPTION: boolean = app.node.tryGetContext("dbEncryption");
 const IDENTITY_PROVIDERS: TIdentityProvider[] =
   app.node.tryGetContext("identityProviders");
 const USER_POOL_DOMAIN_PREFIX: string = app.node.tryGetContext(
@@ -53,6 +54,7 @@ const chat = new BedrockChatStack(app, `BedrockChatStack`, {
   bedrockRegion: BEDROCK_REGION,
   webAclId: waf.webAclArn.value,
   enableUsageAnalysis: ENABLE_USAGE_ANALYSIS,
+  dbEncryption: DB_ENCRYPTION,
   identityProviders: IDENTITY_PROVIDERS,
   userPoolDomainPrefix: USER_POOL_DOMAIN_PREFIX,
   publishedApiAllowedIpV4AddressRanges:

cdk/cdk.json

@@ -61,6 +61,7 @@
       "0000:0000:0000:0000:0000:0000:0000:0000/1",
       "8000:0000:0000:0000:0000:0000:0000:0000/1"
     ],
+    "dbEncryption": false,
     "enableUsageAnalysis": true
   }
 }

cdk/lib/bedrock-chat-stack.ts

@@ -28,6 +28,7 @@ export interface BedrockChatStackProps extends StackProps {
   readonly enableUsageAnalysis: boolean;
   readonly identityProviders: TIdentityProvider[];
   readonly userPoolDomainPrefix: string;
+  readonly dbEncryption: boolean;
   readonly publishedApiAllowedIpV4AddressRanges: string[];
   readonly publishedApiAllowedIpV6AddressRanges: string[];
 }
@@ -42,6 +43,7 @@ export class BedrockChatStack extends cdk.Stack {
     const vpc = new ec2.Vpc(this, "VPC", {});
     const vectorStore = new VectorStore(this, "VectorStore", {
       vpc: vpc,
+      dbEncryption: props.dbEncryption,
     });
     const idp = identityProvider(props.identityProviders);
     // CodeBuild is used for api publication

cdk/lib/constructs/database.ts

@@ -3,7 +3,7 @@ import {
   AttributeType,
   BillingMode,
   Table,
-  ProjectionType,
+  TableEncryption,
   StreamViewType,
 } from "aws-cdk-lib/aws-dynamodb";
 import { AccountPrincipal, Role } from "aws-cdk-lib/aws-iam";
@@ -30,6 +30,7 @@ export class Database extends Construct {
       removalPolicy: RemovalPolicy.DESTROY,
       stream: StreamViewType.NEW_IMAGE,
       pointInTimeRecovery: props?.pointInTimeRecovery,
+      encryption: TableEncryption.AWS_MANAGED,
     });
     table.addGlobalSecondaryIndex({
       // Used to fetch conversation or bot by id

cdk/lib/constructs/vectorstore.ts

@@ -11,6 +11,7 @@ const DB_NAME = "postgres";
 
 export interface VectorStoreProps {
   readonly vpc: ec2.IVpc;
+  readonly dbEncryption: boolean;
 }
 
 export class VectorStore extends Construct {
@@ -35,6 +36,7 @@ export class VectorStore extends Construct {
       securityGroups: [sg],
       defaultDatabaseName: DB_NAME,
       enableDataApi: true,
+      storageEncrypted: props.dbEncryption,
       serverlessV2MinCapacity: 0.5,
       serverlessV2MaxCapacity: 5.0,
       writer: rds.ClusterInstance.serverlessV2("writer", {

cdk/test/cdk.test.ts

@@ -22,6 +22,7 @@ describe("Fine-grained Assertions Test", () => {
           },
         ],
         userPoolDomainPrefix: domainPrefix,
+        dbEncryption: false,
         publishedApiAllowedIpV4AddressRanges: [""],
         publishedApiAllowedIpV6AddressRanges: [""],
       }
@@ -61,6 +62,7 @@ describe("Fine-grained Assertions Test", () => {
       enableUsageAnalysis: true,
       identityProviders: [],
       userPoolDomainPrefix: "",
+      dbEncryption: false,
       publishedApiAllowedIpV4AddressRanges: [""],
       publishedApiAllowedIpV6AddressRanges: [""],
     });