aws-rds: Subnet selection doesn't work for cluster.addRotationMultiUser #19233

Closed
arockett opened this issue Mar 4, 2022 · 2 comments · Fixed by #19237
arockett commented Mar 4, 2022

What is the problem?

There's a bug in VPC selection for addRotationMultiUser. Commented on original issue as well: #17265

Even if you pass in props for the subnet type to place the rotation lambda, it will always get placed in the same subnets as the cluster. See https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-rds/lib/cluster.ts line 611 for the addRotationMultiUser function. Notice how the '...options' line gets overridden by the cluster subnets.

The addRotationSingleUser function doesn't have this problem because the options are injected after the defaults. See the same file as above.

Not sure if there's another section of aws-rds that has an addRotationMultiUser function but worth checking the other rotation functions for the same bug.

I won't have time to work on a PR for a few months so someone else can feel free to pick this up. Just want to make sure the bug gets tracked.

Reproduction Steps

Create a vpc with private and isolated subnets and place an Aurora cluster in the isolated subnets. Then set up a multi user rotation:

    this.secret = new rds.DatabaseSecret(this, 'Secret', {
      username: username,
      masterSecret: cluster.secret
    }).attach(cluster);

    cluster.addRotationMultiUser('Rotation', {
      secret: this.secret,
      automaticallyAfter: Duration.days(90),
      vpcSubnets: {
        subnetType: ec2.SubnetType.PRIVATE_WITH_NAT
      }
    });

What did you expect to happen?

Rotation lambda created in private subnet and able to talk to secrets manager through the internet.

What actually happened?

Rotation lambda created in isolated subnet (same subnet as cluster) and times out because it can't talk to the internet.

CDK CLI Version

2.12.0 (build c9786db)

Framework Version

No response

Node.js Version

v16.14.0

OS

macOS Monterey v12.1

Language

Typescript

Language Version

TypeScript Version 4.5.5

Other information

No response

@arockett arockett added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 4, 2022
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Mar 4, 2022
jogold added a commit to jogold/aws-cdk that referenced this issue Mar 4, 2022
The subnet selection was always overridden by the subnet selection of the
instance/cluster.

Avoid these kinds of errors by explicitly defining rotation options and
their defaults.

Closes aws#19233
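
The ordering problem reported above and the remedy named in the commit message, as an added TypeScript model (not the aws-rds source; every name, the 30-day default and the sample input are constructed for illustration). It goes one step past the report by also showing that the defaults-first spread still loses a default when the caller passes an explicit `undefined`, which naming each option with its own default avoids.

```typescript
// Constructed model of the option merge described in this issue.
// All names and values are hypothetical; this is not the aws-rds source.
type SubnetType = 'PRIVATE_WITH_NAT' | 'PRIVATE_ISOLATED';
interface SubnetSelection { subnetType: SubnetType }
interface RotationOptions {
  secret: string;
  automaticallyAfterDays?: number;
  vpcSubnets?: SubnetSelection;
}
type Resolved = Required<RotationOptions>;

// The cluster sits in isolated subnets, as in the reproduction steps.
const clusterSubnets: SubnetSelection = { subnetType: 'PRIVATE_ISOLATED' };
const defaultDays = 30; // assumed default for this model

// Reported ordering: the cluster value follows the spread, so it always wins.
function mergeReported(o: RotationOptions): Resolved {
  return { automaticallyAfterDays: defaultDays, ...o, vpcSubnets: clusterSubnets };
}

// Defaults first, caller options last: honours the caller, but an explicit
// `undefined` from the caller still erases the default at runtime.
function mergeDefaultsFirst(o: RotationOptions): Resolved {
  return { automaticallyAfterDays: defaultDays, vpcSubnets: clusterSubnets, ...o };
}

// Every option named with its own default: nothing is decided by position.
function mergeExplicit(o: RotationOptions): Resolved {
  return {
    secret: o.secret,
    automaticallyAfterDays: o.automaticallyAfterDays ?? defaultDays,
    vpcSubnets: o.vpcSubnets ?? clusterSubnets,
  };
}

// Regression check: which caller-supplied options were silently replaced?
function overriddenKeys(requested: RotationOptions, resolved: Resolved): string[] {
  const keys = Object.keys(requested) as (keyof RotationOptions)[];
  return keys.filter((k) => requested[k] !== undefined &&
    JSON.stringify(requested[k]) !== JSON.stringify(resolved[k]));
}

// Constructed input mirroring the call in the reproduction steps.
const requested: RotationOptions = {
  secret: 'app-user-secret',
  automaticallyAfterDays: 90,
  vpcSubnets: { subnetType: 'PRIVATE_WITH_NAT' },
};
```

Running `overriddenKeys` against the resolved options in a unit test catches this class of bug before the rotation function is deployed into a subnet without a route to Secrets Manager.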
@NGL321 NGL321 added in-progress This issue is being actively worked on. p1 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 4, 2022

NGL321 commented Mar 4, 2022

It looks like @jogold has already published a PR that will resolve this, so we can consider this fix in-progress (thank you for the quick fix!).

😸

@mergify mergify bot closed this as completed in #19237 Mar 8, 2022
mergify bot pushed a commit that referenced this issue Mar 8, 2022
…on (#19237)

The subnet selection was always overridden by the subnet selection of the
instance/cluster.

Avoid these kinds of errors by explicitly defining rotation options and
their defaults.

Closes #19233


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

TheRealAmazonKendra pushed a commit to TheRealAmazonKendra/aws-cdk that referenced this issue Mar 11, 2022