(aws-rds): DatabaseClusterFromSnapshot construct should support storage encryption #17241
Description
General Issue
DatabaseClusterFromSnapshot construct should support storage encryption
The Question
I need to enable encryption on an Aurora database cluster that already exists, and it appears the way to do this is to take a snapshot, and restore it to a new database cluster with the Storage Encrypted option enabled (and an encryption key specified):
You can't convert an unencrypted DB cluster to an encrypted one. However, you can restore an unencrypted snapshot to an encrypted Aurora DB cluster. To do this, specify a KMS key when you restore from the unencrypted snapshot.
I've verified that I can do this manually through the AWS console. I also see that this StorageEncrypted option exists for the underlying CFN resource AWS::RDS::DBCluster, and also for the non-snapshotted DatabaseCluster CDK construct. However, the option for the CDK construct DatabaseClusterFromSnapshot should exist, but doesn't.
It looks like the fix for this is to move the properties storageEncrypted and storageEncryptionKey at https://github.com/aws/aws-cdk/blob/v1.130.0/packages/@aws-cdk/aws-rds/lib/cluster.ts#L460-L473 from DatabaseClusterProps to DatabaseClusterBaseProps.
CDK CLI Version
1.130.0
Framework Version
No response
Node.js Version
No response
OS
No response
Language
Typescript
Language Version
No response
Other information
No response
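Until the construct exposes these properties, a check on the synthesized template can catch a snapshot restore that leaves encryption to whatever the snapshot had. The following is an added example, not code from this issue or from the aws-cdk project; `auditClusters`, its helpers and the sample template are constructed for illustration, and the check assumes the CloudFormation properties `SnapshotIdentifier`, `StorageEncrypted` and `KmsKeyId` of `AWS::RDS::DBCluster`.

```typescript
// Added example: audit a synthesized CloudFormation template for Aurora
// clusters whose storage encryption is not pinned in the template itself.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; fromSnapshot: boolean; reason: string };

// A property counts as set when it is a non-empty string or an intrinsic
// function object such as { "Fn::GetAtt": [...] }.
function isSet(value: unknown): boolean {
  return value !== undefined && value !== null && value !== "";
}

function isTrue(value: unknown): boolean {
  return value === true || value === "true";
}

function auditClusters(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::RDS::DBCluster") continue;
    const props = res.Properties || {};
    const fromSnapshot = isSet(props["SnapshotIdentifier"]);
    const hasKey = isSet(props["KmsKeyId"]);
    if (fromSnapshot && !hasKey) {
      // Without a KMS key, an unencrypted snapshot restores unencrypted.
      findings.push({ logicalId, fromSnapshot,
        reason: "restored from snapshot without KmsKeyId" });
    } else if (!fromSnapshot && !hasKey && !isTrue(props["StorageEncrypted"])) {
      findings.push({ logicalId, fromSnapshot,
        reason: "StorageEncrypted is not enabled" });
    }
  }
  return findings;
}

// Constructed sample template (logical IDs and values are placeholders).
const sampleTemplate: Template = { Resources: {
  LegacyRestore: { Type: "AWS::RDS::DBCluster", Properties: {
    Engine: "aurora-mysql", SnapshotIdentifier: "example-unencrypted-snapshot" } },
  EncryptedRestore: { Type: "AWS::RDS::DBCluster", Properties: {
    Engine: "aurora-mysql", SnapshotIdentifier: "example-unencrypted-snapshot",
    KmsKeyId: { "Fn::GetAtt": ["ExampleKey", "Arn"] } } },
  FreshCluster: { Type: "AWS::RDS::DBCluster", Properties: {
    Engine: "aurora-mysql", StorageEncrypted: true } },
  FreshPlain: { Type: "AWS::RDS::DBCluster", Properties: { Engine: "aurora-mysql" } },
  ExampleKey: { Type: "AWS::KMS::Key" },
} };

console.log(JSON.stringify(auditClusters(sampleTemplate), null, 2));
```

Run against the JSON produced by `cdk synth`, the same function flags any `DatabaseClusterFromSnapshot` stack that does not carry a key into the restored cluster.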