RDS: Cannot connect to Serverless Cluster created from snapshot #20434

Closed
mostafafarzaneh opened this issue May 20, 2022 · 7 comments · Fixed by #20504
Labels
@aws-cdk/aws-rds (Related to Amazon Relational Database), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1

Comments

@mostafafarzaneh

Describe the bug

I am using ServerlessClusterFromSnapshot to create a cluster from a snapshot. For the credentials, I tried both rds.SnapshotCredentials.from_generated_secret("admin") and rds.SnapshotCredentials.from_generated_password("admin"). (I do not know the difference between these two methods!)

It creates the cluster successfully, but I cannot connect to it with the generated secret in Secrets Manager. I tried to query the database with the secret ARN, but no luck.
The snapshot was taken from a database with the same "admin" username.

Expected Behavior

I should be able to create a serverless cluster from the snapshot and connect to it with the newly generated secret.

Current Behavior

It won't let me connect to the database with the generated secret.

Reproduction Steps

Take a snapshot from a serverless cluster. Then use the ServerlessClusterFromSnapshot method and pass rds.SnapshotCredentials.from_generated_secret("admin") as the credentials to it.

CDK CLI Version

2.13.0

Node.js Version

16.15.0

OS

Debian 10

Language

Python

@mostafafarzaneh mostafafarzaneh added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 20, 2022
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label May 20, 2022
@mostafafarzaneh
Author

I ran this command: aws rds describe-db-clusters --db-cluster-identifier and this entry caught my eye, if that helps:

"PendingModifiedValues": {
   "MasterUserPassword": "****"
}

@peterwoodworth
Contributor

The ServerlessClusterFromSnapshot construct works similarly to DatabaseInstanceFromSnapshot rather than DatabaseClusterFromSnapshot in terms of credentials. Specifically, the former two will allow you to modify the password of the cluster/instance, while the latter one doesn't.

I think that ServerlessClusterFromSnapshot shouldn't allow you to modify the password - see the CloudFormation functionality of DBCluster.MasterUserPassword and DBInstance.MasterUserPassword - only DBInstance allows you to modify the password when creating from snapshot.

CC @jumic @jogold

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 21, 2022
@mostafafarzaneh
Author

But I need to start an Aurora serverless cluster from the snapshot. Furthermore, the ServerlessClusterFromSnapshot has a credential attribute that says:

credentials (Optional[[SnapshotCredentials]]) – Master user credentials. Note - It is not possible to change the master username for a snapshot; however, it is possible to provide (or generate) a new password. Default: - The existing username and password from the snapshot will be used.

So according to this, I should be able to change the master password of the cluster. But according to DBCluster.MasterUserPassword, which you provided, I won't be able to change the master password.

It seems there is a contradiction between the documents. Anyhow, what is the best way to start an Aurora serverless cluster from a snapshot in CDK?

@peterwoodworth
Contributor

I've been testing this out today, and overall the credentials prop is pretty buggy and unintuitive. I can't recommend using it for any of the Snapshot constructs at this moment.

DBClusterFromSnapshot

  • The construct code guarantees that you cannot set the username or password of the cluster
  • However, it still creates a secret and secretTargetAttachment in the same cases as the non-snapshot constructs do. So, when it does this, the secret will contain an incorrect password. Should instead use the password from the snapshot

ServerlessClusterFromSnapshot

  • L2 code allows you to set password of cluster created from snapshot
  • However, this does nothing and the correct password is the password of the snapshot

I'll see what I can do about fixing this next week; the current functionality is a bit broken.

@peterwoodworth
Contributor

To show what I mean, if I create a new Cluster then take a snapshot of that cluster, any clusters I create from that snapshot through the ClusterFromSnapshot constructs will have the same credentials as the first cluster. But if I specify credentials such that CDK generates a password, that password will be incorrect and I cannot log in to the database. If I modify the created secret to use the password from the first cluster, it will work.

@mostafafarzaneh
Author

In my case, when you use ServerlessClusterFromSnapshot and specify the credential to be generated with rds.SnapshotCredentials.from_generated_secret("admin"), it creates the secret in Secrets Manager but does not update the serverless cluster to point to the new credential. I would like to not have to do manual work after creating the cluster.
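
An added example (not part of the issue thread or of the CDK code base): a check over a synthesized CloudFormation template that flags a snapshot-restored AWS::RDS::DBCluster whose attached secret is never referenced by the cluster's MasterUserPassword, the situation described in the comments above where the generated secret holds a password that does not log in. The template, its logical IDs and the function name find_unapplied_secrets are constructed for illustration.

```python
# Constructed sample of a synthesized template; logical IDs and values are made up.
PASSWORD_REF = {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "FreshSecret"},
                                  ":SecretString:password::}}"]]}
TEMPLATE = {"Resources": {
    "FreshSecret": {"Type": "AWS::SecretsManager::Secret"},
    "Fresh": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"MasterUsername": "admin", "MasterUserPassword": PASSWORD_REF}},
    "FreshAttach": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
                    "Properties": {"SecretId": {"Ref": "FreshSecret"},
                                   "TargetId": {"Ref": "Fresh"},
                                   "TargetType": "AWS::RDS::DBCluster"}},
    "RestoredSecret": {"Type": "AWS::SecretsManager::Secret"},
    "Restored": {"Type": "AWS::RDS::DBCluster",
                 "Properties": {"SnapshotIdentifier": "example-snapshot"}},
    "RestoredAttach": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
                       "Properties": {"SecretId": {"Ref": "RestoredSecret"},
                                      "TargetId": {"Ref": "Restored"},
                                      "TargetType": "AWS::RDS::DBCluster"}},
}}


def _ref(value):
    """Return the logical ID of a {"Ref": ...} node, or None."""
    return value.get("Ref") if isinstance(value, dict) else None


def _mentions(value, logical_id):
    """True if {"Ref": logical_id} appears anywhere inside value."""
    if isinstance(value, dict):
        return value.get("Ref") == logical_id or any(
            _mentions(v, logical_id) for v in value.values())
    if isinstance(value, list):
        return any(_mentions(v, logical_id) for v in value)
    return False


def find_unapplied_secrets(template):
    """List (cluster, secret) pairs where a secret is attached to a
    snapshot-restored cluster that never takes its password from it."""
    resources = template.get("Resources", {})
    findings = []
    for res in resources.values():
        if res.get("Type") != "AWS::SecretsManager::SecretTargetAttachment":
            continue
        props = res.get("Properties", {})
        secret_id, cluster_id = _ref(props.get("SecretId")), _ref(props.get("TargetId"))
        cluster = resources.get(cluster_id, {})
        cprops = cluster.get("Properties", {})
        if (secret_id is None or cluster.get("Type") != "AWS::RDS::DBCluster"
                or "SnapshotIdentifier" not in cprops):
            continue
        if not _mentions(cprops.get("MasterUserPassword"), secret_id):
            findings.append((cluster_id, secret_id))
    return findings
```

Run against the output of cdk synth, a finding means the secret in Secrets Manager and the password that actually opens the database can differ, so the snapshot's original password is still the live one.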

@peterwoodworth peterwoodworth added effort/medium Medium work item – several days of effort and removed effort/small Small work item – less than a day of effort labels May 25, 2022
jogold added a commit to jogold/aws-cdk that referenced this issue May 26, 2022
@mergify mergify bot closed this as completed in #20504 Jun 2, 2022
mergify bot pushed a commit that referenced this issue Jun 2, 2022
#20504)

Deprecate `credentials` and explain how it is broken.

Replace it with `snapshotCredentials` that offer the expected behavior.

Fixes #20434
Closes #20473 


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*