feat: first draft
markussiebert committed Nov 20, 2021
1 parent 06c4d2c commit e309a3f
Showing 2 changed files with 28 additions and 11 deletions.
24 changes: 15 additions & 9 deletions packages/@aws-cdk/aws-docdb/lib/cluster.ts
Expand Up @@ -311,6 +311,11 @@ export class DatabaseCluster extends DatabaseClusterBase {
*/
public readonly secret?: secretsmanager.ISecret;

/**
* The secret attached to this cluster
*/
public readonly databaseSecret?: DatabaseSecret | undefined;

/**
* The underlying CloudFormation resource for a database cluster.
*/
Expand Down Expand Up @@ -374,9 +379,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
}

// Create the secret manager secret if no password is specified
let secret: DatabaseSecret | undefined;
if (!props.masterUser.password) {
secret = new DatabaseSecret(this, 'Secret', {
this.databaseSecret = new DatabaseSecret(this, 'Secret', {
username: props.masterUser.username,
encryptionKey: props.masterUser.kmsKey,
excludeCharacters: props.masterUser.excludeCharacters,
Expand All @@ -401,9 +405,9 @@ export class DatabaseCluster extends DatabaseClusterBase {
dbClusterParameterGroupName: props.parameterGroup?.parameterGroupName,
deletionProtection: props.deletionProtection,
// Admin
masterUsername: secret ? secret.secretValueFromJson('username').toString() : props.masterUser.username,
masterUserPassword: secret
? secret.secretValueFromJson('password').toString()
masterUsername: this.secret ? this.secret.secretValueFromJson('username').toString() : props.masterUser.username,
masterUserPassword: this.secret
? this.secret.secretValueFromJson('password').toString()
: props.masterUser.password!.toString(),
// Backup
backupRetentionPeriod: props.backup?.retention?.toDays(),
Expand All @@ -427,8 +431,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
this.clusterEndpoint = new Endpoint(this.cluster.attrEndpoint, port);
this.clusterReadEndpoint = new Endpoint(this.cluster.attrReadEndpoint, port);

if (secret) {
this.secret = secret.attach(this);
if (this.databaseSecret) {
this.secret = this.databaseSecret.attach(this);
}

// Create the instances
Expand Down Expand Up @@ -476,7 +480,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
* before Secrets Manager triggers the next automatic rotation.
*/
public addRotationSingleUser(automaticallyAfter?: Duration): secretsmanager.SecretRotation {
if (!this.secret) {
if (!this.secret || !this.databaseSecret) {
throw new Error('Cannot add single user rotation for a cluster without secret.');
}

Expand All @@ -490,6 +494,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
secret: this.secret,
automaticallyAfter,
application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
excludeCharacters: this.databaseSecret.excludedCharacters,
vpc: this.vpc,
vpcSubnets: this.vpcSubnets,
target: this,
Expand All @@ -500,13 +505,14 @@ export class DatabaseCluster extends DatabaseClusterBase {
* Adds the multi user rotation to this cluster.
*/
public addRotationMultiUser(id: string, options: RotationMultiUserOptions): secretsmanager.SecretRotation {
if (!this.secret) {
if (!this.secret || !this.databaseSecret) {
throw new Error('Cannot add multi user rotation for a cluster without secret.');
}
return new secretsmanager.SecretRotation(this, id, {
secret: options.secret,
masterSecret: this.secret,
automaticallyAfter: options.automaticallyAfter,
excludeCharacters: this.databaseSecret.excludedCharacters,
application: DatabaseCluster.MULTI_USER_ROTATION_APPLICATION,
vpc: this.vpc,
vpcSubnets: this.vpcSubnets,
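Review bot: The CfnDBCluster properties in the hunk at -401,9 read `this.secret`, but `this.secret` is only assigned later in the constructor (`this.secret = this.databaseSecret.attach(this)` in the hunk at -427,8), so at that point it is still undefined: the generated secret is never wired into `masterUsername`/`masterUserPassword`, and the fallback `props.masterUser.password!.toString()` is reached with no password set. The local `secret` the commit removed was the `DatabaseSecret` itself, so the replacement should be the field already populated at that point, i.e. `masterUsername: this.databaseSecret ? this.databaseSecret.secretValueFromJson('username').toString() : props.masterUser.username,` with the same `this.databaseSecret` substitution on the two `masterUserPassword` lines. The constructor begins and ends outside these hunks, so the ordering is inferred from the hunk line numbers rather than the full body. Separately, `public readonly databaseSecret?: DatabaseSecret | undefined;` carries a redundant `| undefined`, and its doc comment repeats the one on `secret`; a comment such as `/** The generated DatabaseSecret construct, present only when no master password was supplied. */` would distinguish the two fields for API readers.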
15 changes: 13 additions & 2 deletions packages/@aws-cdk/aws-docdb/lib/database-secret.ts
Expand Up @@ -36,7 +36,7 @@ export interface DatabaseSecretProps {
/**
* Characters to not include in the generated password.
*
* @default "\"@/"
* @default '\"@/'
*/
readonly excludeCharacters?: string;
}
Expand All @@ -48,7 +48,16 @@ export interface DatabaseSecretProps {
* @resource AWS::SecretsManager::Secret
*/
export class DatabaseSecret extends Secret {

/**
* the excluded characters for this Secret
*/
readonly excludedCharacters: string;

constructor(scope: Construct, id: string, props: DatabaseSecretProps) {

const excludedCharacters = props.excludeCharacters ?? '"@/';

super(scope, id, {
secretName: props.secretName,
description: `Generated by the CDK for stack: ${Aws.STACK_NAME}`,
Expand All @@ -68,8 +77,10 @@ export class DatabaseSecret extends Secret {
masterarn: props.masterSecret?.secretArn,
}),
generateStringKey: 'password',
excludeCharacters: props.excludeCharacters ?? '"@/',
excludeCharacters: excludedCharacters,
},
});

this.excludedCharacters = excludedCharacters;
}
}
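Review bot: The new public field `excludedCharacters` on `DatabaseSecret` (second hunk) uses a different name from the `excludeCharacters` prop it mirrors and from the `excludeCharacters` rotation option it is fed into in cluster.ts, which produces the `excludeCharacters: this.databaseSecret.excludedCharacters` mismatch at both call sites; naming the field `excludeCharacters` keeps the three consistent. Its doc comment `the excluded characters for this Secret` could also state the contract it exists for, for example `/** Characters excluded from the generated password: the excludeCharacters prop, or "@/ when it was not supplied. */`. The `@default` tag changed in the first hunk now reads `'\"@/'`, while the code at `const excludedCharacters = props.excludeCharacters ?? '"@/';` has no backslash; writing the tag as `@default '"@/'` matches the literal exactly.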
