feat(database): enable Data API and connection logging (#123)

## Issue

close #122

## Problem

The Aurora Serverless v2 cluster lacks operational tooling for debugging
and diagnostics:

- **No Data API**: Operators must use SSH tunneling via Bastion Host to
run ad-hoc SQL queries, which is cumbersome during incident response.
- **No connection logging**: Diagnosing unexpected auto-pause resumes or
connection pool exhaustion requires guesswork, as PostgreSQL connection
events are not recorded.

## Solution

Add three CDK-native properties to the existing `DatabaseCluster`
construct:

1. **`enableDataApi: true`** — Enables the [RDS Data
API](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html),
allowing direct SQL execution from AWS CLI/Console without SSH
tunneling.
2. **`log_connections` / `log_disconnections`** — Standard PostgreSQL
parameters that record connection open/close events in the PostgreSQL
log.
3. **`cloudwatchLogsExports: ["postgresql"]`** with **1-week retention**
— Exports PostgreSQL logs to CloudWatch Logs for centralized analysis
([Aurora PostgreSQL CloudWatch
Publishing](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.CloudWatch.Publishing.html)).

## Changes

- `cdk/lib/constructs/database.ts`:
  - Added `import * as logs from "aws-cdk-lib/aws-logs"`
  - Added `enableDataApi: true` to `DatabaseCluster`
- Added `cloudwatchLogsExports: ["postgresql"]` and
`cloudwatchLogsRetention: logs.RetentionDays.ONE_WEEK`
- Added `log_connections: "1"` and `log_disconnections: "1"` to the
existing `ParameterGroup`

## Verification

- `npm run build` passes in `cdk/`
- After deployment:
  - `aws rds-data execute-statement` can run SQL against the cluster
- CloudWatch log group `/aws/rds/cluster/<cluster-name>/postgresql` is
created
  - Connection/disconnection events appear in the log stream

Author: konokenj

cdk/lib/constructs/database.ts

@@ -1,5 +1,6 @@
 import { CfnOutput, Stack, Token } from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as logs from 'aws-cdk-lib/aws-logs';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import { Construct } from 'constructs';
@@ -34,11 +35,16 @@ export class Database extends Construct implements ec2.IConnectable {
       credentials: rds.Credentials.fromUsername(engine.defaultUsername ?? 'admin', {
         excludeCharacters: ' %+~`#$&*()|[]{}:;<>?!\'/@"\\,=^',
       }),
+      enableDataApi: true,
+      cloudwatchLogsExports: ['postgresql'],
+      cloudwatchLogsRetention: logs.RetentionDays.ONE_WEEK,
       parameterGroup: new rds.ParameterGroup(this, 'ParameterGroup', {
         engine,
         parameters: {
           // Close idle connection after 60 seconds for Aurora auto-pause
           idle_session_timeout: '60000',
+          log_connections: '1',
+          log_disconnections: '1',
         },
       }),
     });

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap

@@ -1754,6 +1754,10 @@ exports[`Snapshot test 2`] = `
         "DBSubnetGroupName": {
           "Ref": "DatabaseClusterSubnets5540150D",
         },
+        "EnableCloudwatchLogsExports": [
+          "postgresql",
+        ],
+        "EnableHttpEndpoint": true,
         "Engine": "aurora-postgresql",
         "EngineVersion": "16.6",
         "MasterUserPassword": {
@@ -1798,6 +1802,30 @@ exports[`Snapshot test 2`] = `
       "Type": "AWS::RDS::DBCluster",
       "UpdateReplacePolicy": "Snapshot",
     },
+    "DatabaseClusterLogRetentionpostgresql025D39CE": {
+      "Properties": {
+        "LogGroupName": {
+          "Fn::Join": [
+            "",
+            [
+              "/aws/rds/cluster/",
+              {
+                "Ref": "DatabaseCluster5B53A178",
+              },
+              "/postgresql",
+            ],
+          ],
+        },
+        "RetentionInDays": 7,
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A",
+            "Arn",
+          ],
+        },
+      },
+      "Type": "Custom::LogRetention",
+    },
     "DatabaseClusterSecretAttachmentDC8466C0": {
       "Properties": {
         "SecretId": {
@@ -2022,6 +2050,8 @@ exports[`Snapshot test 2`] = `
         "Family": "aurora-postgresql16",
         "Parameters": {
           "idle_session_timeout": "60000",
+          "log_connections": "1",
+          "log_disconnections": "1",
         },
       },
       "Type": "AWS::RDS::DBClusterParameterGroup",
@@ -2182,6 +2212,83 @@ exports[`Snapshot test 2`] = `
       "Type": "Custom::CrossRegionExportReader",
       "UpdateReplacePolicy": "Delete",
     },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": {
+      "DependsOn": [
+        "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
+        "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+      ],
+      "Properties": {
+        "Code": {
+          "S3Bucket": "cdk-hnb659fds-assets-123456789012-us-west-2",
+          "S3Key": "REDACTED",
+        },
+        "Handler": "index.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs22.x",
+        "Timeout": 900,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Join": [
+              "",
+              [
+                "arn:",
+                {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "logs:PutRetentionPolicy",
+                "logs:DeleteRetentionPolicy",
+              ],
+              "Effect": "Allow",
+              "Resource": "*",
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
+        "Roles": [
+          {
+            "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "LookupVersionArnc8730278af02f875114ca902814c77b68f19b0087110E04D0A": {
       "DeletionPolicy": "Delete",
       "DependsOn": [
@@ -3995,6 +4102,7 @@ service iptables save",
     "WebappMigrationTrigger42AFC1D9": {
       "DeletionPolicy": "Delete",
       "DependsOn": [
+        "DatabaseClusterLogRetentionpostgresql025D39CE",
         "DatabaseCluster5B53A178",
         "DatabaseClusterSecretAttachmentDC8466C0",
         "DatabaseClusterSecretD1FB634F",

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap

@@ -1670,6 +1670,10 @@ exports[`Snapshot test 2`] = `
         "DBSubnetGroupName": {
           "Ref": "DatabaseClusterSubnets5540150D",
         },
+        "EnableCloudwatchLogsExports": [
+          "postgresql",
+        ],
+        "EnableHttpEndpoint": true,
         "Engine": "aurora-postgresql",
         "EngineVersion": "16.6",
         "MasterUserPassword": {
@@ -1714,6 +1718,30 @@ exports[`Snapshot test 2`] = `
       "Type": "AWS::RDS::DBCluster",
       "UpdateReplacePolicy": "Snapshot",
     },
+    "DatabaseClusterLogRetentionpostgresql025D39CE": {
+      "Properties": {
+        "LogGroupName": {
+          "Fn::Join": [
+            "",
+            [
+              "/aws/rds/cluster/",
+              {
+                "Ref": "DatabaseCluster5B53A178",
+              },
+              "/postgresql",
+            ],
+          ],
+        },
+        "RetentionInDays": 7,
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A",
+            "Arn",
+          ],
+        },
+      },
+      "Type": "Custom::LogRetention",
+    },
     "DatabaseClusterSecretAttachmentDC8466C0": {
       "Properties": {
         "SecretId": {
@@ -1938,6 +1966,8 @@ exports[`Snapshot test 2`] = `
         "Family": "aurora-postgresql16",
         "Parameters": {
           "idle_session_timeout": "60000",
+          "log_connections": "1",
+          "log_disconnections": "1",
         },
       },
       "Type": "AWS::RDS::DBClusterParameterGroup",
@@ -2099,6 +2129,83 @@ exports[`Snapshot test 2`] = `
       "Type": "Custom::CrossRegionExportReader",
       "UpdateReplacePolicy": "Delete",
     },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": {
+      "DependsOn": [
+        "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
+        "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+      ],
+      "Properties": {
+        "Code": {
+          "S3Bucket": "cdk-hnb659fds-assets-123456789012-us-west-2",
+          "S3Key": "REDACTED",
+        },
+        "Handler": "index.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs22.x",
+        "Timeout": 900,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Join": [
+              "",
+              [
+                "arn:",
+                {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "logs:PutRetentionPolicy",
+                "logs:DeleteRetentionPolicy",
+              ],
+              "Effect": "Allow",
+              "Resource": "*",
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
+        "Roles": [
+          {
+            "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "LookupVersionArnc8730278af02f875114ca902814c77b68f19b0087110E04D0A": {
       "DeletionPolicy": "Delete",
       "DependsOn": [
@@ -3801,6 +3908,7 @@ service iptables save",
     "WebappMigrationTrigger42AFC1D9": {
       "DeletionPolicy": "Delete",
       "DependsOn": [
+        "DatabaseClusterLogRetentionpostgresql025D39CE",
         "DatabaseCluster5B53A178",
         "DatabaseClusterSecretAttachmentDC8466C0",
         "DatabaseClusterSecretD1FB634F",