Custom CDK - Support for GT MRSC from gerrardcowburn/master

Add Global Tables MRSC CDK example including KMS and Witness Region

Author: tebanieo

.gitignore

@@ -29,3 +29,6 @@ workshops/relational-migration/source-tables/app_db.*
 
 **/.aws-sam/
 **.db
+
+cdk.out
+

infrastructure_as_code/cdk/MRSCGlobalTable/.gitignore

@@ -0,0 +1 @@
+!bin

infrastructure_as_code/cdk/MRSCGlobalTable/README.md

@@ -0,0 +1,114 @@
+# DynamoDB Global Table with Multi-Region Strong Consistency
+
+This example demonstrates how to create a DynamoDB Global Table with `MultiRegionConsistency: STRONG` using AWS CDK and a CloudFormation L1 override. The implementation supports JSON configuration for multi-region deployment with witness region capabilities.
+
+## Configuration
+
+### Setting up config.json
+
+1. Copy one of the example configurations from the `config-examples/` directory:
+   ```bash
+   cp config-examples/us-regions.json config.json
+   # OR
+   cp config-examples/eu-regions.json config.json
+   # OR
+   cp config-examples/ap-regions.json config.json
+   ```
+
+2. Modify the `config.json` file as needed for your deployment.
+
+### Configuration Format
+
+The `config.json` file defines deployment regions and witness settings:
+
+```json
+{
+  "regions": [
+    {
+      "region": "us-east-1",
+      "witness": false
+    },
+    {
+      "region": "us-east-2", 
+      "witness": false
+    },
+    {
+      "region": "us-west-2",
+      "witness": true
+    }
+  ]
+}
+```
+
+**Requirements:**
+- Minimum 3 regions required
+- All regions must be from the same geographical set
+- At least 2 regions must be full replicas (`"witness": false`)
+- Maximum 1 region can be a witness (`"witness": true`)
+
+### Valid Region Sets
+
+Regions must be from the same geographical set:
+
+- **US Regions**: us-east-1, us-east-2, us-west-2
+- **EU Regions**: eu-west-1, eu-west-2, eu-west-3, eu-central-1  
+- **AP Regions**: ap-northeast-1, ap-northeast-2, ap-northeast-3
+
+### Witness Regions
+
+Set `"witness": true` for a single region that should act as a witness-only replica. Only one witness region is allowed per global table. Witness regions provide additional voting capacity for strong consistency without serving read/write traffic.
+
+## Setup
+
+1. Install dependencies:
+   ```bash
+   npm install
+   ```
+
+2. Configure your deployment by copying an example:
+   ```bash
+   cp config-examples/us-regions.json config.json
+   ```
+
+3. Modify `config.json` for your specific requirements.
+
+## Deploy
+
+```bash
+npx cdk deploy --all
+```
+
+## Key Implementation
+
+The implementation includes:
+
+1. **JSON Configuration Loading**: Reads region configuration from `config.json`
+2. **Region Validation**: Ensures regions are valid and from the same geographical set
+3. **Dynamic KMS Stack Creation**: Creates regional KMS stacks based on configuration
+4. **Witness Region Support**: Adds `GlobalTableWitness` property for witness regions
+5. **Strong Consistency**: Applies `MultiRegionConsistency: STRONG` override
+
+```typescript
+// Load and validate configuration
+const config = this.loadConfig();
+this.validateConfig(config);
+
+// Create global table with dynamic replicas
+const globalTable = new dynamodb.TableV2(this, 'GlobalTable', {
+  // ... configuration
+  replicas: config.regions
+    .filter(r => r.region !== this.region)
+    .map(r => ({ region: r.region }))
+});
+
+// Add strong consistency and witness regions
+const cfnTable = globalTable.node.defaultChild as dynamodb.CfnTable;
+cfnTable.addPropertyOverride('MultiRegionConsistency', 'STRONG');
+this.addWitnessRegions(cfnTable, config);
+```
+
+## AWS Documentation References
+
+- [DynamoDB Global Tables](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2globaltables_HowItWorks.html) - Overview of Global Tables functionality
+- [CloudFormation GlobalTable Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-globaltable.html#cfn-dynamodb-globaltable-multiregionconsistency) - MultiRegionConsistency property reference
+- [GlobalTableWitness Property](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-dynamodb-globaltable-globaltablewitness.html) - Witness region configuration reference

infrastructure_as_code/cdk/MRSCGlobalTable/bin/app.ts

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { DdbGlobalMrscCdkStack } from '../lib/ddb-global-mrsc-cdk-stack';
+import { RegionalKmsStack } from '../lib/regional-kms-stack';
+import * as fs from 'fs';
+import * as path from 'path';
+import { RegionConfig, GlobalTableConfig } from '../lib/types';
+
+const app = new cdk.App();
+
+// Load config
+const configPath = path.join(__dirname, '..', 'config.json');
+const config: GlobalTableConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+
+// Create regional KMS stacks for all regions except primary
+const primaryRegion = config.regions[0].region;
+const regionalStacks: cdk.Stack[] = [];
+
+for (const regionConfig of config.regions) {
+  if (regionConfig.region !== primaryRegion && !regionConfig.witness) {
+    const stack = new RegionalKmsStack(app, `DdbGlobalMrsc${regionConfig.region.replace(/-/g, '')}`, {
+      env: { 
+        account: process.env.CDK_DEFAULT_ACCOUNT, 
+        region: regionConfig.region 
+      },
+      tableName: config.tableName
+    });
+    regionalStacks.push(stack);
+  }
+}
+
+// Main global table stack
+const globalStack = new DdbGlobalMrscCdkStack(app, 'DdbGlobalMrscCdkStack', {
+  env: { 
+    account: process.env.CDK_DEFAULT_ACCOUNT, 
+    region: primaryRegion
+  }
+});
+
+// Add dependencies
+regionalStacks.forEach(stack => globalStack.addDependency(stack));

infrastructure_as_code/cdk/MRSCGlobalTable/cdk.json

@@ -0,0 +1,3 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/app.ts"
+}

infrastructure_as_code/cdk/MRSCGlobalTable/config-examples/ap-regions.json

@@ -0,0 +1,17 @@
+{
+  "tableName": "ap-global-table",
+  "regions": [
+    {
+      "region": "ap-northeast-1",
+      "witness": false
+    },
+    {
+      "region": "ap-northeast-2", 
+      "witness": false
+    },
+    {
+      "region": "ap-northeast-3",
+      "witness": true
+    }
+  ]
+}

infrastructure_as_code/cdk/MRSCGlobalTable/config-examples/eu-regions.json

@@ -0,0 +1,17 @@
+{
+  "tableName": "eu-global-table",
+  "regions": [
+    {
+      "region": "eu-west-1",
+      "witness": false
+    },
+    {
+      "region": "eu-west-2", 
+      "witness": false
+    },
+    {
+      "region": "eu-central-1",
+      "witness": true
+    }
+  ]
+}

infrastructure_as_code/cdk/MRSCGlobalTable/config-examples/us-regions.json

@@ -0,0 +1,17 @@
+{
+  "tableName": "us-global-table",
+  "regions": [
+    {
+      "region": "us-east-1",
+      "witness": false
+    },
+    {
+      "region": "us-east-2", 
+      "witness": false
+    },
+    {
+      "region": "us-west-2",
+      "witness": true
+    }
+  ]
+}

infrastructure_as_code/cdk/MRSCGlobalTable/config.json

@@ -0,0 +1,17 @@
+{
+  "tableName": "global-table",
+  "regions": [
+    {
+      "region": "eu-west-1",
+      "witness": false
+    },
+    {
+      "region": "eu-west-2", 
+      "witness": false
+    },
+    {
+      "region": "eu-central-1",
+      "witness": true
+    }
+  ]
+}

infrastructure_as_code/cdk/MRSCGlobalTable/lib/ddb-global-mrsc-cdk-stack.ts

@@ -0,0 +1,107 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+import * as fs from 'fs';
+import * as path from 'path';
+import { RegionConfig, GlobalTableConfig } from './types';
+
+const VALID_REGIONS = {
+  US: ['us-east-1', 'us-east-2', 'us-west-2'],
+  EU: ['eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-central-1'],
+  AP: ['ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3']
+};
+
+const ALL_VALID_REGIONS = [...VALID_REGIONS.US, ...VALID_REGIONS.EU, ...VALID_REGIONS.AP];
+
+export class DdbGlobalMrscCdkStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const config = this.loadConfig();
+    this.validateConfig(config);
+
+    const primaryKey = new kms.Key(this, 'GlobalTableKey', {
+      description: 'KMS key for DynamoDB Global Table encryption',
+      enableKeyRotation: true,
+      alias: `${config.tableName}-${this.region}`
+    });
+
+    const replicaTableKeys = this.buildReplicaKeys(config);
+    const replicas = config.regions
+      .filter(r => r.region !== this.region && !r.witness)
+      .map(r => ({ region: r.region }));
+
+    const globalTable = new dynamodb.TableV2(this, 'GlobalTable', {
+      tableName: config.tableName,
+      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
+      billing: dynamodb.Billing.onDemand(),
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      encryption: dynamodb.TableEncryptionV2.customerManagedKey(primaryKey, replicaTableKeys),
+      replicas
+    });
+
+    const cfnTable = globalTable.node.defaultChild as dynamodb.CfnTable;
+    cfnTable.addPropertyOverride('MultiRegionConsistency', 'STRONG');
+
+    this.addWitnessRegions(cfnTable, config);
+  }
+
+  private loadConfig(): GlobalTableConfig {
+    const configPath = path.join(__dirname, '..', 'config.json');
+    const configData = fs.readFileSync(configPath, 'utf8');
+    return JSON.parse(configData);
+  }
+
+  private validateConfig(config: GlobalTableConfig): void {
+    if (!config.regions || config.regions.length < 3) {
+      throw new Error('Config must specify at least 3 regions');
+    }
+
+    for (const regionConfig of config.regions) {
+      if (!ALL_VALID_REGIONS.includes(regionConfig.region)) {
+        throw new Error(`Invalid region: ${regionConfig.region}. Valid regions: ${ALL_VALID_REGIONS.join(', ')}`);
+      }
+    }
+
+    const regionSet = Object.values(VALID_REGIONS);
+    const configRegions = config.regions.map(r => r.region);
+    const isValidSet = regionSet.some(validSet => 
+      configRegions.every(region => validSet.includes(region))
+    );
+
+    if (!isValidSet) {
+      throw new Error('All regions must be from the same region set (US, EU, or AP)');
+    }
+
+    const witnessCount = config.regions.filter(r => r.witness).length;
+    const fullReplicaCount = config.regions.filter(r => !r.witness).length;
+    
+    if (witnessCount > 1) {
+      throw new Error('Maximum 1 witness region allowed');
+    }
+    
+    if (fullReplicaCount < 2) {
+      throw new Error('At least 2 full replica regions required');
+    }
+  }
+
+  private buildReplicaKeys(config: GlobalTableConfig): Record<string, string> {
+    const keys: Record<string, string> = {};
+    for (const regionConfig of config.regions) {
+      if (regionConfig.region !== this.region && !regionConfig.witness) {
+        keys[regionConfig.region] = `arn:aws:kms:${regionConfig.region}:${this.account}:alias/${config.tableName}-${regionConfig.region}`;
+      }
+    }
+    return keys;
+  }
+
+  private addWitnessRegions(cfnTable: dynamodb.CfnTable, config: GlobalTableConfig): void {
+    const witnessRegions = config.regions.filter(r => r.witness);
+    if (witnessRegions.length > 0) {
+      cfnTable.addPropertyOverride('GlobalTableWitnesses', 
+        witnessRegions.map(r => ({ Region: r.region }))
+      );
+    }
+  }
+}