
(docdb): Secretrotation can generate Secrets that are not accepted by cloudformation #17575

Closed · markussiebert opened this issue Nov 18, 2021 · 5 comments · Fixed by #17609

Labels: @aws-cdk/aws-docdb (Related to Amazon DocumentDB), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@markussiebert (Contributor)

What is the problem?

Changing properties of a deployed DocDB may fail, because the rotated secret contains characters that CloudFormation won't accept (even if they are "accepted" and rotated by the secret rotation).

   1/30 |5:59:20 PM | UPDATE_FAILED        | AWS::DocDB::DBCluster                       | my-beautifull-database/Database (Database123456789) The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID:  ...)

The password did contain an @

Reproduction Steps

Create a database with CDK and activate single user secret rotation ... after a while and some secret rotations you will maybe find a situation where neither update nor rollback will succeed... because CloudFormation won't accept the password.

What did you expect to happen?

Create a database with CDK and activate single user secret rotation ... after a while and some secret rotations you will maybe find a situation where neither update nor rollback will succeed... because CloudFormation won't accept the password.

What actually happened?

CloudFormation was not able to update; rollback failed as well.

CDK CLI Version

1.121

Framework Version

No response

Node.js Version

12

OS

mac

Language

Typescript

Language Version

No response

Other information

No response

@markussiebert markussiebert added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2021
@github-actions github-actions bot added the @aws-cdk/aws-docdb Related to Amazon DocumentDB label Nov 18, 2021
@skinny85 (Contributor)

Hey @markussiebert,

thanks for opening the issue. Would you mind showing your code? CDK excludes the @ character by default from the generated Secret.

Thanks,
Adam

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 18, 2021
@markussiebert (Contributor, Author)

The code is on my working machine ... I have no access till Monday ...

Yes, the initial secret is fine, but in my opinion the rotation doesn't respect the default excluded characters.

return new secretsmanager.SecretRotation(this, id, {

maybe it should include also the default or respect the secret defaults?

    return new secretsmanager.SecretRotation(this, id, {
      secret: this.secret,
      automaticallyAfter,
      application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
      excludeCharacters: '"@/',
      vpc: this.vpc,
      vpcSubnets: this.vpcSubnets,
      target: this,
    });

But I will provide my code on Monday.

@skinny85 (Contributor)

Oh, that's probably what it is - the rotation Lambda doesn't have the same excludeCharacters as the Secret itself.
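The mismatch discussed above, as an added example that is not code from the aws-cdk project: a checker for the DocDB `MasterUserPassword` rule quoted in the CloudFormation error, plus a comparison of what a generator with a given `excludeCharacters` list can still emit. The Secret's `'"@/'` list is the value shown in the thread; the empty rotation list and the sample password values are assumptions constructed for illustration.

```typescript
// Added example (not aws-cdk code). DocDB MasterUserPassword rule, as quoted in
// the CloudFormation error above: printable ASCII only, none of '/', '@', '"', ' '.
const DOCDB_FORBIDDEN: ReadonlyArray<string> = ['/', '@', '"', ' '];

// True only if CloudFormation would accept pw for AWS::DocDB::DBCluster.
function isValidDocDbPassword(pw: string): boolean {
  if (pw.length === 0) return false;
  for (const ch of pw) {
    const code = ch.charCodeAt(0);
    if (code < 0x20 || code > 0x7e) return false; // not printable ASCII
    if (DOCDB_FORBIDDEN.includes(ch)) return false;
  }
  return true;
}

// Forbidden characters a password generator could still emit, given its
// excludeCharacters list. Space is governed by a separate includeSpace flag in
// Secrets Manager (default false), so it is modelled as its own argument.
function unsafeCharsLeftBy(excludeCharacters: string, includeSpace = false): string[] {
  return DOCDB_FORBIDDEN.filter(c =>
    c === ' ' ? includeSpace : !excludeCharacters.includes(c));
}

// The two exclusion lists this issue contrasts. '"@/' is the Secret's list from
// the thread; the empty string is an ASSUMPTION standing in for "the rotation
// Lambda does not receive the Secret's excludeCharacters".
const SECRET_EXCLUDE = '"@/';
const ROTATION_EXCLUDE_BEFORE_FIX = '';

// Audit helper: which already-retrieved password values would make the next
// stack update fail the way the UPDATE_FAILED line above shows.
function rejectedPasswords(passwords: string[]): string[] {
  return passwords.filter(pw => !isValidDocDbPassword(pw));
}

// CONSTRUCTED sample values standing in for successive rotated secret versions.
const SAMPLE_ROTATIONS = [
  'v1-Generated.Ok-7xQ',  // acceptable
  'v2-h@s-an-at-sign',    // the case from the issue: contains '@'
  'v3-has a space',       // rejected as well
];

function summary() {
  return {
    gapBeforeFix: unsafeCharsLeftBy(ROTATION_EXCLUDE_BEFORE_FIX), // ['/', '@', '"']
    gapAfterFix: unsafeCharsLeftBy(SECRET_EXCLUDE),               // []
    wouldFailUpdate: rejectedPasswords(SAMPLE_ROTATIONS),
  };
}
console.log(summary());
```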

@skinny85 skinny85 added effort/small Small work item – less than a day of effort p1 and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2021
@skinny85 skinny85 removed their assignment Nov 19, 2021
@markussiebert markussiebert changed the title (docdb): Secretsmanager can generate Secrets that are not accepted by cloudformation (docdb): Secretrotation can generate Secrets that are not accepted by cloudformation Nov 20, 2021
@markussiebert (Contributor, Author)

@skinny85 I've started to implement a fix for this, would like to hear your opinion on this

@mergify mergify bot closed this as completed in #17609 Nov 25, 2021
mergify bot pushed a commit that referenced this issue Nov 25, 2021
…17609)

We need to pass whatever `excludeCharacters` were passed to the generated Secret to the application responsible for the rotation.

Fixes #17347
Fixes #17575 

------

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

beezly pushed a commit to beezly/aws-cdk that referenced this issue Nov 29, 2021
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022