add DBSecurityGroup resource

[jaypipes]

Adds basic create and delete operations for DBSecurityGroup resource in
the RDS API. This resource has more attributes than name and
description, such as EC2 security group and IPRange fields, however
there are separate Allow and Revoke Operation API calls for these fields
and will need to be handled in custom code.

aws-controllers-k8s/community#237

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.

[a-hilaly]

👍

[a-hilaly]

one tiny nit: we can re-generate using the code-generator latest commit.

Also i'm thinking that maybe we should leave a "footprint" in the generated code representing the used ack-generate version/commit. I believe that it will make reviewing similar PRs easier. WDYT @jaypipes ?

[jaypipes]

one tiny nit: we can re-generate using the code-generator latest commit.

Also i'm thinking that maybe we should leave a "footprint" in the generated code representing the used ack-generate version/commit. I believe that it will make reviewing similar PRs easier. WDYT @jaypipes ?

I re-gen'd the RDS controller with ACK code-generator v0.0.6 (includes the docstring generation). I then rebased this commit onto that. Please re-review and merge if OK (you are now an RDS controller maintainer, btw)

[scandeezy]

I've been looking at this because I'm intending to setup a security group for accessing the RDS instance. Without this code, I see it sets to the default VPC security Group.

I can manually/cloudformation/terraform the security group and declare this as part of the dbinstance, but I'm hoping to control access to each db separately, and I was hoping to declare this with a CRD rather than outside of the cluster. Is there a new pattern I should be made aware of?

[jaypipes]

I've been looking at this because I'm intending to setup a security group for accessing the RDS instance. Without this code, I see it sets to the default VPC security Group.

I can manually/cloudformation/terraform the security group and declare this as part of the dbinstance, but I'm hoping to control access to each db separately, and I was hoping to declare this with a CRD rather than outside of the cluster. Is there a new pattern I should be made aware of?

@scandeezy apologies for the super-late response on this. Your comment got lost in my inbox. :(

DBSecurityGroup turned out to be only useful for Classic EC2 (non-VPC) and upon the advice of the RDS team, we have removed support for DBSecurityGroup resources from the rds-controller (since Classic EC2 is end of lifed).

If you want to declare a VPC security group using a CRD, please use the ec2-controller's SecurityGroup resource and then reference that security group resource from your RDS DBInstance Spec.VPCSecurityGroupRefs field, which contains an array of AWSResourceReferenceWrapper structs.

The YAML would look like this:

apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: my-db-sec-group
spec:
  description: "DB security group"
  name: my-db-sec-group
<more fields...>
---
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: my-db-instance
spec:
<more fields...>
  vpcSecurityGroupRefs:
   - from:
       name: my-db-sec-group

You can read more about the EC2 networking CRDs and the use of resource referencing in this tutorial.

Hope this helps!
-jay