fix(aws-rds): correct Policy resource for Proxy::grantConnect()

fixes aws#12415

To generate the correct policy, the DatabaseProxy ARN is parsed
and the resulting components are used along with a new parameter
to grantConnect.

The unit test was updated and passes. Caveat lector, I was not
able to get a full docker build or a full local build to work on
my box.

I'm not sure if this should be considered a breaking change. While
it technically alters the functionality of a published function,
the current behavior provides no utility.

packages/@aws-cdk/aws-rds/README.md

@@ -283,7 +283,7 @@ instance.grantConnect(role); // Grant the role connection access to the DB.
 The following example shows granting connection access for RDS Proxy to an IAM role.
 
 ```ts
-const cluster = new rds.DatabaseCluster(stack, 'Database'{
+const cluster = new rds.DatabaseCluster(stack, 'Database', {
   engine: rds.DatabaseClusterEngine.AURORA,
   instanceProps: { vpc },
 });
@@ -295,7 +295,7 @@ const proxy = new rds.DatabaseProxy(stack, 'Proxy', {
 });
 
 const role = new Role(stack, 'DBProxyRole', { assumedBy: new AccountPrincipal(stack.account) });
-proxy.grantConnect(role); // Grant the role connection access to the DB Proxy.
+proxy.grantConnect(role, 'admin'); // Grant the role connection access to the DB Proxy for database user 'admin'.
 ```
 
 **Note**: In addition to the setup above, a database user will need to be created to support IAM auth.

packages/@aws-cdk/aws-rds/lib/proxy.ts

@@ -319,7 +319,7 @@ export interface IDatabaseProxy extends cdk.IResource {
   /**
    * Grant the given identity connection access to the proxy.
    */
-  grantConnect(grantee: iam.IGrantable): iam.Grant;
+  grantConnect(grantee: iam.IGrantable, databaseUser: string): iam.Grant;
 }
 
 /**
@@ -331,11 +331,15 @@ abstract class DatabaseProxyBase extends cdk.Resource implements IDatabaseProxy
   public abstract readonly dbProxyArn: string;
   public abstract readonly endpoint: string;
 
-  public grantConnect(grantee: iam.IGrantable): iam.Grant {
+  public grantConnect(grantee: iam.IGrantable, databaseUser: string): iam.Grant {
+    let parsedArn = {...cdk.Arn.parse(this.dbProxyArn, ':')};
+    parsedArn.service = 'rds-db';
+    parsedArn.resource = 'dbuser';
+    parsedArn.resourceName = `${parsedArn.resourceName}/${databaseUser}`;
     return iam.Grant.addToPrincipal({
       grantee,
-      actions: ['rds-db:connect'],
-      resourceArns: [this.dbProxyArn],
+      actions:      ['rds-db:connect'],
+      resourceArns: [cdk.Arn.format(parsedArn, cdk.Stack.of(this))]
     });
   }
 }

packages/@aws-cdk/aws-rds/test/test.proxy.ts

@@ -1,4 +1,4 @@
-import { ABSENT, expect, haveResourceLike, ResourcePart } from '@aws-cdk/assert';
+import { ABSENT, expect, haveResourceLike, stringLike, anything, ResourcePart } from '@aws-cdk/assert';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import { AccountPrincipal, Role } from '@aws-cdk/aws-iam';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
@@ -242,7 +242,8 @@ export = {
     const role = new Role(stack, 'DBProxyRole', {
       assumedBy: new AccountPrincipal(stack.account),
     });
-    proxy.grantConnect(role);
+    const databaseUser = 'test';
+    proxy.grantConnect(role, databaseUser);
 
     // THEN
     expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
@@ -251,11 +252,21 @@ export = {
           Effect: 'Allow',
           Action: 'rds-db:connect',
           Resource: {
-            'Fn::GetAtt': [
-              'ProxyCB0DFB71',
-              'DBProxyArn',
-            ],
-          },
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                anything(),//partition
+                stringLike(':rds-db:'),
+                anything(),//region
+                ':',
+                anything(),//account
+                stringLike(':dbuser:'),
+                anything(),//proxy-id
+                stringLike(`/${databaseUser}`)
+              ]
+            ]
+          }
         }],
         Version: '2012-10-17',
       },