Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rds: use user-defined security group for db user rotation function #23086

Closed
1 of 2 tasks
clueleaf opened this issue Nov 25, 2022 · 2 comments · Fixed by #23087
Closed
1 of 2 tasks

rds: use user-defined security group for db user rotation function #23086

clueleaf opened this issue Nov 25, 2022 · 2 comments · Fixed by #23087
Assignees
@corymhall
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@clueleaf
Copy link
Contributor

Describe the feature

When using addRotationSingleUser or addRotationMultiUser from rds module, the security group of the rotation Lambda function is always automatically created.

Therefore it is difficult for Secrets Manager endpoint to restrict access only to the security group of the rotation Lambda function. You have to allow all traffic to the Secrets Manager endpoint from within the VPC.

Use Case

We will be able to limit access to the Secrets Manager endpoint from a single security group.

Proposed Solution

The props of secretsmanager.SecretRotation class already has a securityGroup property. Just add securityGroup property to the options of addRotationSingleUser and addRotationMultiUser methods and pass it to secretsmanager.SecretRotation.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.50.0

Environment details (OS name and version, etc.)

macOS Ventura 13.0
@clueleaf clueleaf added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2022
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Nov 25, 2022
@clueleaf clueleaf mentioned this issue Nov 25, 2022
Merged
4 tasks
@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 26, 2022
@peterwoodworth
Copy link
Contributor

Thanks a bunch for creating a PR for this, we've left a review 🙂

@mergify mergify bot closed this as completed in #23087 Nov 29, 2022
mergify bot pushed a commit that referenced this issue Nov 29, 2022
@clueleaf
feat(rds): use user-defined security group for db user rotation funct…
9d8f69e 
…ion (#23087)

closes #23086 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Dec 9, 2022
@clueleaf
feat(rds): use user-defined security group for db user rotation funct…
469db1a 
…ion (aws#23087)

closes aws#23086 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Jan 20, 2023
@clueleaf
feat(rds): use user-defined security group for db user rotation funct…
1f37319 
…ion (aws#23087)

closes aws#23086 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Feb 22, 2023
@clueleaf
feat(rds): use user-defined security group for db user rotation funct…
874f2a0 
…ion (aws#23087)

closes aws#23086 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corymhall corymhall

Labels
@aws-cdk/aws-rds Related to Amazon Relational Database effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(rds): use user-defined security group for db user rotation function clueleaf/aws-cdk
3 participants
@clueleaf @corymhall @peterwoodworth