feat: add patching infrastructure for pgbouncer instance (#230)

Author: jjfrench

lib/database/PatchManager.ts

@@ -0,0 +1,97 @@
+import * as ssm from 'aws-cdk-lib/aws-ssm';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { Construct } from 'constructs';
+
+export interface PatchManagerProps {
+  /**
+   * The EC2 instance ID to apply patches
+   */
+  instanceId: string;
+
+  /**
+   * Custom maintenance window
+   *
+   * @default - New maintenance window
+   * schedule: Sundays at 07:00 UTC, duration: 3 hours, cutoff: 1 hour
+   */
+  maintenanceWindow?: ssm.CfnMaintenanceWindow;
+}
+
+export class PatchManager extends Construct {
+  constructor(scope: Construct, id: string, props?: PatchManagerProps) {
+    super(scope, id);
+
+    // IAM role used by the maintenance window
+    const maintenanceRole = new iam.Role(this, 'MaintenanceWindowRole', {
+      assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
+    });
+
+    maintenanceRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          'ssm:SendCommand',
+          'ssm:ListCommands',
+          'ssm:ListCommandInvocations',
+        ],
+        resources: ['*'],
+      }),
+    );
+
+    // Maintenance Window
+    const maintenanceWindow = props?.maintenanceWindow ?? new ssm.CfnMaintenanceWindow(
+      this,
+      'PatchMaintenanceWindow',
+      {
+        name: 'patch-maintenance-window',
+        description: 'Weekly patching using AWS default patch baseline',
+        schedule: 'cron(0 7 ? * SUN *)', // Sundays 07:00 UTC
+        duration: 3,
+        cutoff: 1,
+        allowUnassociatedTargets: false,
+      },
+    );
+
+    // Target EC2 instance by Instance ID
+    if (!props?.instanceId) {
+      throw new Error('instanceId is required to create PatchManagerStack');
+    }
+    const target = new ssm.CfnMaintenanceWindowTarget(
+      this,
+      'PatchTarget',
+      {
+        windowId: maintenanceWindow.ref,
+        resourceType: 'INSTANCE',
+        targets: [
+          {
+            key: 'InstanceIds',
+            values: [props.instanceId],
+          },
+        ],
+      },
+    );
+
+    // Patch task (Install)
+    new ssm.CfnMaintenanceWindowTask(this, 'PatchInstallTask', {
+      windowId: maintenanceWindow.ref,
+      taskArn: 'AWS-RunPatchBaseline',
+      taskType: 'RUN_COMMAND',
+      priority: 1,
+      maxConcurrency: '1',
+      maxErrors: '1',
+      serviceRoleArn: maintenanceRole.roleArn,
+      targets: [
+        {
+          key: 'WindowTargetIds',
+          values: [target.ref],
+        },
+      ],
+      taskInvocationParameters: {
+        maintenanceWindowRunCommandParameters: {
+          parameters: {
+            Operation: ['Install'],
+          },
+        },
+      },
+    });
+  }
+}

lib/database/index.ts

@@ -8,6 +8,7 @@ import {
   aws_ec2 as ec2,
   aws_rds as rds,
   aws_secretsmanager as secretsmanager,
+  aws_ssm as ssm,
 } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import {
@@ -16,6 +17,7 @@ import {
   resolveLambdaCode,
 } from "../utils";
 import { PgBouncer } from "./PgBouncer";
+import { PatchManager } from "./PatchManager";
 import * as crypto from "crypto";
 import * as fs from "fs";
 import * as path from "path";
@@ -124,6 +126,7 @@ export class PgStacDatabase extends Construct {
   public readonly securityGroup?: ec2.SecurityGroup;
   public readonly secretBootstrapper?: CustomResource;
   public readonly pgbouncerHealthCheck?: CustomResource;
+  public readonly pgbouncerInstanceId?: string;
 
   constructor(scope: Construct, id: string, props: PgStacDatabaseProps) {
     super(scope, id);
@@ -281,11 +284,21 @@ export class PgStacDatabase extends Construct {
 
       this._pgBouncerServer.node.addDependency(bootstrapper);
 
+      // Patching infrastructure for PgBouncer instance
+      const addPatchManager = props.addPatchManager ?? true;
+      if (addPatchManager) {
+        new PatchManager(this, "PatchManager", {
+          instanceId: this._pgBouncerServer.instance.instanceId,
+          maintenanceWindow: props.maintenanceWindow,
+        });
+      }
+
       this.pgstacSecret = this._pgBouncerServer.pgbouncerSecret;
       this.connectionTarget = this._pgBouncerServer.instance;
       this.securityGroup = this._pgBouncerServer.securityGroup;
       this.secretBootstrapper = this._pgBouncerServer.secretUpdateComplete;
       this.pgbouncerHealthCheck = this._pgBouncerServer.healthCheck;
+      this.pgbouncerInstanceId = this._pgBouncerServer.instance.instanceId;
     } else {
       this.connectionTarget = this.db;
     }
@@ -374,6 +387,21 @@ export interface PgStacDatabaseProps extends rds.DatabaseInstanceProps {
    */
   readonly pgbouncerInstanceProps?: ec2.InstanceProps | any;
 
+  /**
+   * Add patching system using AWS SSM for pgbouncer instance maintenance
+   * `addPgbouncer` must be true for this to have an effect
+   *
+   * @default true
+   */
+  readonly addPatchManager?: boolean;
+
+  /**
+   * Custom maintenance window for patching
+   *
+   * @default - A new maintenance window will be created, defined in construct
+   */
+  readonly maintenanceWindow?: ssm.CfnMaintenanceWindow;
+
   /**
    * Lambda function Custom Resource properties. A custom resource property is going to be created
    * to trigger the boostrapping lambda function. This parameter allows the user to specify additional properties

package-lock.json

@@ -43,7 +43,7 @@
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
     "@types/node": "^24.9.1",
-    "aws-cdk-lib": "^2.220.0",
+    "aws-cdk-lib": "2.220.0",
     "constructs": "10.4.2",
     "jsii": "5.9.10",
     "jsii-docgen": "10.11.0",