fix(docdb): secret rotation ignores excluded characters in password (#17609)

The `excludeCharacters` value passed to the generated Secret must also be passed on to the application responsible for the rotation.

Fixes #17347
Fixes #17575 

------

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
markussiebert authored Nov 25, 2021
1 parent 2d19e15 commit 1fe2215
Showing 5 changed files with 18 additions and 2 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-docdb/README.md
Expand Up @@ -21,7 +21,7 @@ your instances will be launched privately or publicly:
const cluster = new DatabaseCluster(this, 'Database', {
masterUser: {
username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB
excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/"
excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" and is also used for eventually created rotations
secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
},
instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-docdb/lib/cluster.ts
Expand Up @@ -491,6 +491,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
secret: this.secret,
automaticallyAfter,
application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
vpc: this.vpc,
vpcSubnets: this.vpcSubnets,
target: this,
Expand All @@ -508,6 +509,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
secret: options.secret,
masterSecret: this.secret,
automaticallyAfter: options.automaticallyAfter,
excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
application: DatabaseCluster.MULTI_USER_ROTATION_APPLICATION,
vpc: this.vpc,
vpcSubnets: this.vpcSubnets,
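Review bot: Both hunks obtain the exclusion set via `excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters`, a string-id lookup plus an unchecked cast: `tryFindChild` returns `undefined` when no child with that id exists, and the `as DatabaseSecret` assertion hides that, so a missing or differently typed child surfaces as a bare TypeError on `._excludedCharacters` instead of a descriptive error. Whether the `Secret` child is guaranteed to exist at this point depends on the constructor and on the guards earlier in these two methods, all of which lie outside the hunks, so the cast cannot be verified from the change itself. A more robust form keeps the value from construction time rather than rediscovering it by id: a field `private readonly excludedCharacters?: string;` assigned wherever the constructor creates the `Secret` child, and `excludeCharacters: this.excludedCharacters,` in both rotation option objects. That also removes the `as` assertion, and makes the two hunks consistent (the new property sits after `application` in the first and before it in the second). Both enclosing methods start and end outside the hunks.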
13 changes: 12 additions & 1 deletion packages/@aws-cdk/aws-docdb/lib/database-secret.ts
Expand Up @@ -48,7 +48,16 @@ export interface DatabaseSecretProps {
* @resource AWS::SecretsManager::Secret
*/
export class DatabaseSecret extends Secret {

/**
* the excluded characters for this Secret
* @internal
*/
public readonly _excludedCharacters: string;

constructor(scope: Construct, id: string, props: DatabaseSecretProps) {
const excludedCharacters = props.excludeCharacters ?? '"@/';

super(scope, id, {
secretName: props.secretName,
description: `Generated by the CDK for stack: ${Aws.STACK_NAME}`,
Expand All @@ -68,8 +77,10 @@ export class DatabaseSecret extends Secret {
masterarn: props.masterSecret?.secretArn,
}),
generateStringKey: 'password',
excludeCharacters: props.excludeCharacters ?? '"@/',
excludeCharacters: excludedCharacters,
},
});

this._excludedCharacters = excludedCharacters;
}
}
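Review bot: The doc comment on the new `_excludedCharacters` field says only `the excluded characters for this Secret`; since cluster.ts reads it to configure rotation, it should state that it is exactly the set handed to `generateSecretString.excludeCharacters`, including the `'"@/'` default applied when `props.excludeCharacters` is omitted. Suggested text: `Characters excluded from the generated password: props.excludeCharacters, or the default '"@/' when it was omitted. Exposed so DatabaseCluster can apply the same exclusion set to its rotation application.` The `??` on `const excludedCharacters = props.excludeCharacters ?? '"@/';` correctly preserves an explicit empty string (exclude nothing), which `||` would not; a short comment there, e.g. `// ?? not ||: an explicit '' means "exclude nothing"`, would keep a later edit from changing it.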
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-docdb/test/cluster.test.ts
Expand Up @@ -684,6 +684,7 @@ describe('DatabaseCluster', () => {
],
},
functionName: 'DatabaseRotationSingleUser458A45BE',
excludeCharacters: '\"@/',
vpcSubnetIds: {
'Fn::Join': [
'',
Expand Down Expand Up @@ -796,6 +797,7 @@ describe('DatabaseCluster', () => {
],
},
functionName: 'DatabaseRotation0D47EBD2',
excludeCharacters: '\"@/',
vpcSubnetIds: {
'Fn::Join': [
'',
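Review bot: Both added assertions pin only the default `excludeCharacters: '\"@/'`, so the regression actually reported — a user-supplied `masterUser.excludeCharacters` not reaching the rotation — is still untested; an implementation that ignored the prop and hard-coded the default would pass both. For each of the single-user and multi-user rotation tests, add a case that constructs the cluster with a non-default set such as `excludeCharacters: '\"@/:'` and asserts the rotation resource's `excludeCharacters` property equals that same string. The enclosing test bodies start and end outside the hunks.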
Expand Up @@ -785,6 +785,7 @@
]
},
"functionName": "awscdkdocdbclusterrotationDatabaseRotationSingleUser7DAE65BE",
"excludeCharacters": "\"@/",
"vpcSubnetIds": {
"Fn::Join": [
"",
