New pattern - aurora-serverless-v2-lambda-bedrock-cdk#3094
Conversation
…v2 RAG with Bedrock Deploy Aurora Serverless v2 PostgreSQL (platform version 4, 30% perf boost) with Lambda functions that query stored knowledge via Data API and use Amazon Bedrock for AI-powered answers. Scales to zero.
Hi @biswanathmukherjee 👋 This shows Aurora Serverless v2 with RDS Data API + Bedrock — a unique integration demonstrating RAG with Aurora pgvector, zero VPC needed. First pattern combining Aurora Data API with Bedrock embeddings. Deployed and tested.
marcojahn
left a comment
Hey @NithinChandranR-AWS, thank you for your PR. I've made some suggestions for changes, please review.
```ts
serverlessV2MaxCapacity: 4,
writer: rds.ClusterInstance.serverlessV2("writer"),
vpc,
vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
```
The Aurora Serverless v2 cluster is placed in SubnetType.PUBLIC. AWS best practice is to host database clusters in private/isolated subnets so they are not reachable from the internet.
I agree, moved the cluster into a dedicated VPC with PRIVATE_ISOLATED subnets. Since we use the RDS Data API, I think it's okay if Lambda doesn't need to be in the VPC?
```ts
queryFn.addToRolePolicy(
  new iam.PolicyStatement({
    actions: ["bedrock:InvokeModel"],
    resources: ["*"],
```
The query function's IAM policy allows bedrock:InvokeModel on resources: ["*"], permitting invocation of every foundation model and inference profile in the account. Least privilege recommends scoping to the specific model/inference profile in use.
Scoped to the specific inference-profile and foundation-model ARNs for the model in use.
```ts
const vpc = ec2.Vpc.fromLookup(this, "DefaultVpc", { isDefault: true });

// Aurora Serverless v2 cluster (PostgreSQL, scales to zero)
const cluster = new rds.DatabaseCluster(this, "AuroraCluster", {
```
The cluster does not set storageEncrypted and does not provide a storageEncryptionKey. In CDK's rds.DatabaseCluster, storageEncrypted defaults to true only if storageEncryptionKey is provided, false otherwise. As written, the database is created without encryption at rest.
Added storageEncrypted: true explicitly.
A cached cdk.context.json is committed containing a real AWS account ID (742460038667), a VPC ID, and six subnet IDs.
Deleted it and added cdk.context.json to .gitignore. Since the stack now creates its own VPC (no fromLookup), context is only needed for AZ resolution at deploy time.
```markdown
## How it works

```
The README embeds architecture.png, but no such file exists in the pattern directory. The image will render as a broken link on serverlessland.com and GitHub.
Replaced the broken image reference with a text architecture description.
Naming
- "Lambda" used without the "AWS" prefix
- "Aurora Serverless v2" used without the "Amazon" prefix
- "Bedrock" used without the "Amazon" prefix
Fixed, using full service names throughout: Amazon Aurora Serverless v2, AWS Lambda, Amazon Bedrock.
Naming
- "Lambda" used without the "AWS" prefix
- "Aurora Serverless v2" used without the "Amazon" prefix
- "Bedrock" used without the "Amazon" prefix
Updated title and description with proper service name prefixes.
- Move Aurora cluster to private/isolated subnets (not public)
- Scope bedrock:InvokeModel to specific model ARN
- Add storageEncrypted: true to cluster
- Delete cdk.context.json with real account ID, add to .gitignore
- Replace broken architecture.png reference with text description
- Add full service name prefixes (Amazon Aurora, AWS Lambda, Amazon Bedrock)
- Fix service names in example-pattern.json
All 7 comments addressed and pushed. Moved the cluster to isolated subnets, added encryption, scoped IAM, and cleaned up the committed context file. Thanks for the detailed review, @marcojahn.
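The three stack-level findings in the review above (the cluster in public subnets, `bedrock:InvokeModel` granted on `Resource: "*"`, and `storageEncrypted` left unset) are the kind of regression a synthesized-template check catches before `cdk deploy`. The TypeScript below is an added example written for this page, not code from the pattern or the PR: it audits plain `cdk synth --json` output, relying on the `aws-cdk:subnet-type` tag the CDK `Vpc` construct writes on every subnet it creates, and builds least-privilege Bedrock ARNs for a model and its inference profile. The account, region, model and inference-profile IDs, and the before/after templates, are constructed placeholders so it runs offline.

```typescript
// Added example for this page, not code from the pattern or the PR: audits a
// synthesized CloudFormation template for the three stack findings raised in review.
// Input shape is the plain JSON that `cdk synth --json` emits.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// The CDK Vpc construct tags each subnet it creates with aws-cdk:subnet-type
// ("Public", "Private" or "Isolated"); resolve a { Ref } to that tag value.
function subnetType(tpl: CfnTemplate, ref: any): string | undefined {
  const subnet = ref && ref.Ref ? tpl.Resources[ref.Ref] : undefined;
  if (!subnet || subnet.Type !== "AWS::EC2::Subnet") return undefined;
  const tags: { Key: string; Value: string }[] = subnet.Properties?.Tags ?? [];
  return tags.find((t) => t.Key === "aws-cdk:subnet-type")?.Value;
}

// One finding string per violation; an empty array means the template passes.
function auditTemplate(tpl: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(tpl.Resources)) {
    const p = res.Properties ?? {};
    if (res.Type === "AWS::RDS::DBCluster") {
      // Encryption at rest is off unless StorageEncrypted is explicitly true.
      if (p.StorageEncrypted !== true) findings.push(`${id}: StorageEncrypted is not true`);
      // The cluster's subnet group must not reference a Public subnet.
      const group = tpl.Resources[p.DBSubnetGroupName?.Ref];
      for (const s of group?.Properties?.SubnetIds ?? []) {
        if (subnetType(tpl, s) === "Public") findings.push(`${id}: subnet ${s.Ref} is Public`);
      }
    }
    if (res.Type === "AWS::IAM::Policy") {
      // bedrock:InvokeModel (or a wildcard covering it) must not be granted on "*".
      for (const st of p.PolicyDocument?.Statement ?? []) {
        const actions: string[] = ([] as string[]).concat(st.Action ?? []);
        const resources: any[] = ([] as any[]).concat(st.Resource ?? []);
        const invokes = actions.some((a) => ["bedrock:InvokeModel", "bedrock:*", "*"].includes(a));
        if (invokes && resources.includes("*")) findings.push(`${id}: ${actions.join(",")} on Resource "*"`);
      }
    }
  }
  return findings;
}

// Least-privilege resources for bedrock:InvokeModel. Inference-profile ARNs carry
// the account ID; foundation-model ARNs have an empty account field. A cross-region
// inference profile also needs the model ARN in every region it can route to.
function bedrockInvokeResources(
  region: string, account: string, modelId: string, profileId: string, routedRegions: string[] = [region],
): string[] {
  return [
    `arn:aws:bedrock:${region}:${account}:inference-profile/${profileId}`,
    ...routedRegions.map((r) => `arn:aws:bedrock:${r}::foundation-model/${modelId}`),
  ];
}

// Constructed stand-ins for synth output, trimmed to the resources the audit reads.
// Account, region, model and inference-profile IDs below are placeholders.
function sampleStack(subnet: "Public" | "Isolated", encrypted: boolean, bedrockResource: any): CfnTemplate {
  return {
    Resources: {
      Subnet1: { Type: "AWS::EC2::Subnet", Properties: { CidrBlock: "10.0.0.0/24", Tags: [{ Key: "aws-cdk:subnet-type", Value: subnet }] } },
      AuroraSubnets: { Type: "AWS::RDS::DBSubnetGroup", Properties: { SubnetIds: [{ Ref: "Subnet1" }] } },
      AuroraCluster: { Type: "AWS::RDS::DBCluster", Properties: { Engine: "aurora-postgresql", DBSubnetGroupName: { Ref: "AuroraSubnets" }, ...(encrypted ? { StorageEncrypted: true } : {}) } },
      QueryFnPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [{ Effect: "Allow", Action: "bedrock:InvokeModel", Resource: bedrockResource }] } } },
    },
  };
}

const beforeReview = sampleStack("Public", false, "*");
const afterReview = sampleStack("Isolated", true,
  bedrockInvokeResources("us-east-1", "123456789012", "amazon.titan-embed-text-v2:0", "example-inference-profile"));

console.log("before:", auditTemplate(beforeReview)); // three findings
console.log("after:", auditTemplate(afterReview));   // []
```

Run it over real output with `cdk synth --json > template.json` and `JSON.parse(fs.readFileSync("template.json", "utf8"))` in place of `sampleStack`. The subnet check only works for VPCs the stack creates itself; a `Vpc.fromLookup` VPC contributes no `AWS::EC2::Subnet` resources to the template, so the reviewer's point about `fromLookup` on the default VPC is also why the audit has nothing to inspect in that case. If the Lambda calls a cross-region inference profile, pass every destination region in `routedRegions`; otherwise the invoke fails with an access-denied error on the foundation-model ARN in the region the request was routed to.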
Description
Deploy Aurora Serverless v2 PostgreSQL (platform version 4 with 30% better performance) with Lambda functions that query stored knowledge via RDS Data API and use Amazon Bedrock for AI-powered answers.
Features
Checklist