feat(aws): RDS Aurora Drizzle support — Data API migrations + runtime binding

[sam-goodwin]

Brings AWS RDS Aurora to feature parity with the Neon/Planetscale providers: deploy-time Drizzle migrations and a runtime Drizzle client, both over the RDS Data API (HTTPS+IAM, no VPC reachability required from the deploy machine or the function).

const schema = yield* Drizzle.Schema("AppSchema", { schema: "./src/schema.ts" });
const db = yield* AWS.RDS.Aurora("AppDb", { subnetIds, securityGroupIds });

// apply pending migrations through the Data API at deploy time
yield* AWS.RDS.Schema("AppDbSchema", {
  resourceArn: db.cluster.dbClusterArn,
  secretArn: db.secret.secretArn,
  migrationsDir: schema.out,
});

// runtime: query via Drizzle over the Data API (Lambda needs no VPC)
const orm = yield* AWS.RDSData.drizzle(db.cluster, { secret: db.secret, relations });
const users = yield* orm.select().from(Users);

New surface

• AWS.RDS.Schema — applies Drizzle.Schema output (or hand-authored SQL) to a cluster via rds-data executeStatement/transactions, tracked idempotently. Mirrors Neon's hash-gated diff/reconcile. Waits for the writer instance before applying (a fresh Aurora deploy races cluster-vs-instance availability).
• AWS.RDSData.drizzle / dataApi — the AWS analog of Drizzle.postgres, returning a chainable proxy whose query builders yield* directly. IAM is attached at deploy via the existing RDSData policies; the runtime client uses @aws-sdk/client-rds-data (added as an optional peer dep).
• AWS.RDS.connectionString — a postgres:// binding for the Drizzle.postgres path, with a JSDoc recipe for fronting Aurora with Cloudflare Hyperdrive.
• proxyChainPromise — proxyChain variant that wraps the aws-data-api driver's promise-based query builders into Effects (the effect-postgres driver is already Effect-native; the data-api one is not).

Framework fixes surfaced by live e2e testing

These were latent bugs in the AWS Lambda runtime path (a function's resource layer re-executes on cold start):

# Aurora: security groups belong on the cluster, not cluster-member instances
- vpcSecurityGroupIds: securityGroupIds,   // InvalidParameterCombination

• AWS/Lambda/Function.ts — provide a per-invocation ExecutionContext (scope + cache), matching WorkerBridge, so Drizzle.postgres/AWS.RDSData.drizzle memoization works in Lambda.
• AWS/EC2/Network.ts — resolve AWSEnvironment.current lazily (only when gateway endpoints are requested); it isn't provided at runtime, so the eager read crashed any function bound to a VPC-backed resource.

Example

examples/aws-lambda-rds-aurora-drizzle — Drizzle.Schema → AWS.RDS.Schema → a Lambda doing user CRUD via AWS.RDSData.drizzle. Verified end to end against real AWS (deploy → migrate → CRUD incl. relational query → destroy, all green).

[alchemy-version-bot]

Install the packages built from this commit:

alchemy

bun add alchemy@https://pkg.ing/alchemy/477397c

@alchemy.run/better-auth

bun add @alchemy.run/better-auth@https://pkg.ing/@alchemy.run/better-auth/477397c

@alchemy.run/pr-package

bun add @alchemy.run/pr-package@https://pkg.ing/@alchemy.run/pr-package/477397c