From 1fe2215dc40eb58f1babc2c3fbca501a5e89b09f Mon Sep 17 00:00:00 2001
From: markussiebert
Date: Thu, 25 Nov 2021 02:08:11 +0100
Subject: [PATCH] fix(docdb): secret rotation ignores excluded characters in password (#17609)

We need to pass whatever `excludeCharacters` were passed to the generated Secret to the application responsible for the rotation.

Fixes #17347
Fixes #17575

------

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-docdb/README.md | 2 +-
 packages/@aws-cdk/aws-docdb/lib/cluster.ts | 2 ++
 packages/@aws-cdk/aws-docdb/lib/database-secret.ts | 13 ++++++++++++-
 packages/@aws-cdk/aws-docdb/test/cluster.test.ts | 2 ++
 .../test/integ.cluster-rotation.lit.expected.json | 1 +
 5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk/aws-docdb/README.md b/packages/@aws-cdk/aws-docdb/README.md
index 650d37ffffc5f..2ee2a9791c7d0 100644
--- a/packages/@aws-cdk/aws-docdb/README.md
+++ b/packages/@aws-cdk/aws-docdb/README.md
@@ -21,7 +21,7 @@ your instances will be launched privately or publicly:
 const cluster = new DatabaseCluster(this, 'Database', {
   masterUser: {
     username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB
-    excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/"
+    excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" and is also used for eventually created rotations
     secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
   },
   instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
diff --git a/packages/@aws-cdk/aws-docdb/lib/cluster.ts b/packages/@aws-cdk/aws-docdb/lib/cluster.ts
index fe208c068c213..52ce8ff5e3a64 100644
--- a/packages/@aws-cdk/aws-docdb/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-docdb/lib/cluster.ts
@@ -491,6 +491,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
       secret: this.secret,
       automaticallyAfter,
       application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
+      excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
       vpc: this.vpc,
       vpcSubnets: this.vpcSubnets,
       target: this,
@@ -508,6 +509,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
       secret: options.secret,
       masterSecret: this.secret,
       automaticallyAfter: options.automaticallyAfter,
+      excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
       application: DatabaseCluster.MULTI_USER_ROTATION_APPLICATION,
       vpc: this.vpc,
       vpcSubnets: this.vpcSubnets,
diff --git a/packages/@aws-cdk/aws-docdb/lib/database-secret.ts b/packages/@aws-cdk/aws-docdb/lib/database-secret.ts
index 8f1bca671da6d..97b1f7bff1df0 100644
--- a/packages/@aws-cdk/aws-docdb/lib/database-secret.ts
+++ b/packages/@aws-cdk/aws-docdb/lib/database-secret.ts
@@ -48,7 +48,16 @@ export interface DatabaseSecretProps {
  * @resource AWS::SecretsManager::Secret
  */
 export class DatabaseSecret extends Secret {
+
+  /**
+   * the excluded characters for this Secret
+   * @internal
+   */
+  public readonly _excludedCharacters: string;
+
   constructor(scope: Construct, id: string, props: DatabaseSecretProps) {
+    const excludedCharacters = props.excludeCharacters ?? '"@/';
+
     super(scope, id, {
       secretName: props.secretName,
       description: `Generated by the CDK for stack: ${Aws.STACK_NAME}`,
@@ -68,8 +77,10 @@ export class DatabaseSecret extends Secret {
         masterarn: props.masterSecret?.secretArn,
       }),
       generateStringKey: 'password',
-      excludeCharacters: props.excludeCharacters ?? '"@/',
+      excludeCharacters: excludedCharacters,
     },
   });
+
+    this._excludedCharacters = excludedCharacters;
   }
 }
diff --git a/packages/@aws-cdk/aws-docdb/test/cluster.test.ts b/packages/@aws-cdk/aws-docdb/test/cluster.test.ts
index f8bfdc65adda1..d68a91f0b80c6 100644
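Review bot: The added `excludeCharacters` line in both cluster.ts hunks (the single-user rotation at new line 494 and the multi-user rotation at new line 512) casts the result of `this.node.tryFindChild('Secret')`, whose type is `IConstruct | undefined`, straight to `DatabaseSecret`, so a cluster whose `Secret` child is absent or is a different construct fails with a property-access TypeError at synth time rather than a clear error. Presumably an earlier guard in these methods (outside the hunk) already rejects clusters without a generated secret, but the cast itself remains an unchecked assertion that also hides a future rename of the child id. A narrowing check keeps the intent explicit and falls back to the SecretRotation default: `const generated = this.node.tryFindChild('Secret');` followed by `excludeCharacters: generated instanceof DatabaseSecret ? generated._excludedCharacters : undefined,`. Alternatively the cluster could hold a private reference to the DatabaseSecret it constructs, which would remove both the child lookup and the expression duplicated across the two hunks. Both enclosing methods start and end outside the hunks.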
--- a/packages/@aws-cdk/aws-docdb/test/cluster.test.ts
+++ b/packages/@aws-cdk/aws-docdb/test/cluster.test.ts
@@ -684,6 +684,7 @@ describe('DatabaseCluster', () => {
           ],
         },
         functionName: 'DatabaseRotationSingleUser458A45BE',
+        excludeCharacters: '\"@/',
         vpcSubnetIds: {
           'Fn::Join': [
             '',
@@ -796,6 +797,7 @@ describe('DatabaseCluster', () => {
           ],
         },
         functionName: 'DatabaseRotation0D47EBD2',
+        excludeCharacters: '\"@/',
         vpcSubnetIds: {
           'Fn::Join': [
             '',
diff --git a/packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.expected.json b/packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.expected.json
index c063376359496..a2c3c5d8138a4 100644
--- a/packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.expected.json
+++ b/packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.expected.json
@@ -785,6 +785,7 @@
           ]
         },
         "functionName": "awscdkdocdbclusterrotationDatabaseRotationSingleUser7DAE65BE",
+        "excludeCharacters": "\"@/",
         "vpcSubnetIds": {
           "Fn::Join": [
             "",
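Review bot: Both added assertions in cluster.test.ts (new lines 687 and 800) only check the default `'\"@/'`, a value that a rotation with the default hard-coded would also produce, so they do not exercise the case the commit title describes, a user-supplied `excludeCharacters` being ignored by the rotation. A further case that sets a non-default `masterUser.excludeCharacters` on the cluster and asserts the same string appears as the rotation's `excludeCharacters` parameter would pin the fix and fail if the child lookup in cluster.ts ever stopped returning the generated secret. The enclosing `test(...)` callbacks start and end outside the hunks.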