(docdb): Secretrotation can generate Secrets that are not accepted by cloudformation #17575
Comments
Hey @markussiebert, thanks for opening the issue. Would you mind showing your code? CDK excludes the Thanks,
The code is on my working machine ... I have no access till Monday ... Yes, the initial secret is fine, but in my opinion the rotation doesn't respect the default excluded characters.
Maybe it should also include the default or respect the secret defaults?

```typescript
return new secretsmanager.SecretRotation(this, id, {
  secret: this.secret,
  automaticallyAfter,
  application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
  excludeCharacters: '"@/',
  vpc: this.vpc,
  vpcSubnets: this.vpcSubnets,
  target: this,
});
```

But will provide my code on Monday
Oh, that's probably what it is - the rotation Lambda doesn't have the same
@skinny85 I've started to implement a fix for this, would like to hear your opinion on this
What is the problem?
Changing properties of a deployed DocDB may fail, because the rotated secret contains characters that CloudFormation won't accept (even if they are "accepted" and rotated by the secret rotation).
The password did contain an `@`.
Reproduction Steps
Create a database with CDK and activate secret rotation single user ... after a while and some secret rotations you will maybe find a situation where neither update nor rollback will succeed... because CloudFormation won't accept the password.
What did you expect to happen?
Create a database with CDK and activate secret rotation single user ... after a while and some secret rotations you will maybe find a situation where neither update nor rollback will succeed... because CloudFormation won't accept the password.
What actually happened?
CloudFormation was not able to update - Rollback failed also
CDK CLI Version
1.121
Framework Version
No response
Node.js Version
12
OS
mac
Language
TypeScript
Language Version
No response
Other information
No response
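Added example, not code from this thread or from the CDK: a small TypeScript check that compares the characters a password generator excludes with the characters the deployment target rejects, so a rotation policy that can still emit `@` is caught before a rotation runs. The rejected set `"@/` is taken from the snippet quoted in the thread and is assumed to be what the target refuses; all function and variable names are hypothetical.

```typescript
// Characters the target rejects in a master password. Assumption: taken from
// the excludeCharacters value in the snippet quoted in this thread ('"@/').
const TARGET_REJECTS = '"@/';

// Printable ASCII without space (0x21..0x7e): the alphabet assumed here for
// a generated password before any exclusions are applied.
function printableAscii(): string[] {
  const out: string[] = [];
  for (let c = 0x21; c <= 0x7e; c++) {
    out.push(String.fromCharCode(c));
  }
  return out;
}

// Characters a generator can still emit once `exclude` is applied.
function emittable(exclude: string): string[] {
  return printableAscii().filter((ch) => exclude.indexOf(ch) === -1);
}

// Characters the generator may emit that the target will refuse.
// A non-empty result means some future rotation can produce a password
// that blocks both update and rollback.
function policyGap(generatorExclude: string, targetRejects: string = TARGET_REJECTS): string[] {
  return emittable(generatorExclude).filter((ch) => targetRejects.indexOf(ch) !== -1);
}

// Distinct rejected characters found in one concrete password, in order of
// first appearance. Useful as a post-rotation sanity check.
function rejectedChars(password: string, targetRejects: string = TARGET_REJECTS): string[] {
  return password
    .split("")
    .filter((ch, i, all) => all.indexOf(ch) === i && targetRejects.indexOf(ch) !== -1);
}

// Constructed sample policies (hypothetical, not read from any real stack).
const initialSecretExclude = '"@/'; // initial secret: nothing rejected can appear
const rotationExclude = "";         // rotation without exclusions: gap of three characters

console.log({
  initialGap: policyGap(initialSecretExclude),
  rotationGap: policyGap(rotationExclude),
  samplePassword: rejectedChars("Xy7@constructed/pw"),
});
```
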