aws-amplify · edwardfoyle · Jul 3, 2024 · Jun 20, 2024 · Jun 28, 2024 · Jul 1, 2024
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-data': minor
+---
+
+support custom SSL certificates in SQL data sources
@@ -4,7 +4,7 @@
   "description": "",
   "type": "module",
   "scripts": {
-    "build": "tsc --build packages/* && tsc --build scripts",
+    "build": "tsc --build packages/* scripts",
     "check:api": "npm run update:api && tsx scripts/check_api_extract.ts",
     "check:dependencies": "tsx scripts/check_dependencies.ts",
     "check:package-lock": "tsx scripts/check_package_lock.ts",

@@ -29,8 +29,8 @@
   "dependencies": {
     "@aws-amplify/backend-output-storage": "^1.0.2",
     "@aws-amplify/backend-output-schemas": "^1.1.0",
-    "@aws-amplify/data-construct": "^1.8.0",
+    "@aws-amplify/data-construct": "^1.9.0",
     "@aws-amplify/plugin-types": "^1.0.1",
-    "@aws-amplify/data-schema-types": "^1.0.0"
+    "@aws-amplify/data-schema-types": "^1.1.1"
   }
 }
@@ -394,4 +394,124 @@ void describe('convertSchemaToCDK', () => {
       }
     );
   });
+
+  void it('produces expected definition for MySQL schema with custom SSL cert', () => {
+    const schema = configure({
+      database: {
+        engine: 'mysql',
+        connectionUri: new TestBackendSecret('SQL_CONNECTION_STRING'),
+        sslCert: new TestBackendSecret('CUSTOM_SSL_CERT'),
+      },
+    }).schema({
+      post: a
+        .model({
+          id: a.integer().required(),
+          title: a.string(),
+        })
+        .identifier(['id'])
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const modified = schema.addQueries({
+      oddList: a
+        .query()
+        .handler(a.handler.inlineSql('SELECT * from post where id % 2 = 1;'))
+        .returns(a.ref('post'))
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const convertedDefinition = convertSchemaToCDK(
+      modified,
+      secretResolver,
+      stableBackendIdentifiers
+    );
+
+    assert.equal(
+      Object.values(convertedDefinition.dataSourceStrategies).length,
+      1
+    );
+    assert.deepEqual(
+      Object.values(convertedDefinition.dataSourceStrategies)[0],
+      {
+        customSqlStatements: {},
+        /* eslint-disable spellcheck/spell-checker */
+        dbConnectionConfig: {
+          connectionUriSsmPath: [
+            '/amplify/testBackendId/testBranchName-branch-e482a1c36f/SQL_CONNECTION_STRING',
+            '/amplify/shared/testBackendId/SQL_CONNECTION_STRING',
+          ],
+          sslCertConfig: {
+            ssmPath: [
+              '/amplify/testBackendId/testBranchName-branch-e482a1c36f/CUSTOM_SSL_CERT',
+              '/amplify/shared/testBackendId/CUSTOM_SSL_CERT',
+            ],
+          },
+        },
+        dbType: 'MYSQL',
+        name: '00034dcf3444861c3ca5mysql',
+        vpcConfiguration: undefined,
+        /* eslint-enable spellcheck/spell-checker */
+      }
+    );
+  });
+
+  void it('produces expected definition for Postgresql schema with custom SSL cert', () => {
+    const schema = configure({
+      database: {
+        engine: 'postgresql',
+        connectionUri: new TestBackendSecret('SQL_CONNECTION_STRING'),
+        sslCert: new TestBackendSecret('CUSTOM_SSL_CERT'),
+      },
+    }).schema({
+      post: a
+        .model({
+          id: a.integer().required(),
+          title: a.string(),
+        })
+        .identifier(['id'])
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const modified = schema.addQueries({
+      oddList: a
+        .query()
+        .handler(a.handler.inlineSql('SELECT * from post where id % 2 = 1;'))
+        .returns(a.ref('post'))
+        .authorization((allow) => allow.publicApiKey()),
+    });
+
+    const convertedDefinition = convertSchemaToCDK(
+      modified,
+      secretResolver,
+      stableBackendIdentifiers
+    );
+
+    assert.equal(
+      Object.values(convertedDefinition.dataSourceStrategies).length,
+      1
+    );
+    assert.deepEqual(
+      Object.values(convertedDefinition.dataSourceStrategies)[0],
+      {
+        customSqlStatements: {},
+        /* eslint-disable spellcheck/spell-checker */
+        dbConnectionConfig: {
+          connectionUriSsmPath: [
+            '/amplify/testBackendId/testBranchName-branch-e482a1c36f/SQL_CONNECTION_STRING',
+            '/amplify/shared/testBackendId/SQL_CONNECTION_STRING',
+          ],
+          sslCertConfig: {
+            ssmPath: [
+              '/amplify/testBackendId/testBranchName-branch-e482a1c36f/CUSTOM_SSL_CERT',
+              '/amplify/shared/testBackendId/CUSTOM_SSL_CERT',
+            ],
+          },
+        },
+        dbType: 'POSTGRES',
+        name: '00034dcf3444861c3ca5postgresql',
+        vpcConfiguration: undefined,
+        /* eslint-enable spellcheck/spell-checker */
+      }
+    );
+  });
 });
@@ -8,6 +8,7 @@ import {
   AmplifyDataDefinition,
   type IAmplifyDataDefinition,
   type ModelDataSourceStrategy,
+  type SslCertSsmPathConfig,
   type VpcConfig,
 } from '@aws-amplify/data-construct';
 import type { DataSchema, DataSchemaInput } from './types.js';
@@ -174,17 +175,29 @@ const convertDatabaseConfigurationToDataSourceStrategy = (
 
   const { branchSecretPath, sharedSecretPath } =
     backendSecretResolver.resolvePath(configuration.connectionUri);
-  return {
+
+  let sslCertConfig: SslCertSsmPathConfig | undefined;
+  if (configuration.sslCert) {
+    const { branchSecretPath, sharedSecretPath } =
+      backendSecretResolver.resolvePath(configuration.sslCert);
+    sslCertConfig = {
+      ssmPath: [branchSecretPath, sharedSecretPath],
+    };
+  }
+  const strategy: ModelDataSourceStrategy = {
     dbType,
     name:
       provisionStrategyName +
       (configuration.identifier ?? configuration.engine),
     dbConnectionConfig: {
       connectionUriSsmPath: [branchSecretPath, sharedSecretPath],
+      ...(sslCertConfig ? { sslCertConfig } : undefined),
     },
     vpcConfiguration,
     customSqlStatements,
   };
+
+  return strategy;
 };
 
 /**