aws_rds: DatabaseClusterFromSnapshot creates a new secret when using SnapshotCredentials.fromSecret()

[jheino]

Describe the bug

If I create a new secret in a stack and provide it to rds.DatabaseCluster using the property credentials: rds.Credentials.fromSecret(secret), the secret is attached correctly to the new database cluster.

However, if I provide the same secret to rds.DatabaseClusterFromSnapshot using the property snapshotCredentials: rds.SnapshotCredentials.fromSecret(secret), a new additional secret is also created and attached to the database cluster.

Expected Behavior

rds.DatabaseClusterFromSnapshot uses the secret provided in snapshotCredentials and does not create any additional resources.

Current Behavior

rds.DatabaseClusterFromSnapshot creates a new secret even when snapshotCredentials refers to an existing secret. Two AWS::SecretsManager::SecretTargetAttachment resources are created, one using the provided existing secret and one using the newly created unnecessary secret.

Reproduction Steps

This minimal stack reproduces the problem:

import * as cdk from "aws-cdk-lib";
import { aws_secretsmanager as secretsmanager } from "aws-cdk-lib";
import { aws_ec2 as ec2 } from "aws-cdk-lib";
import { aws_rds as rds } from "aws-cdk-lib";
import { Construct } from "constructs";

export class CdkSandboxStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, "VPC", {
      natGateways: 0
    });

    const secret = new secretsmanager.Secret(this, "JSONSecret", {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: "Admin" }),
        excludePunctuation: true,
        includeSpace: false,
        passwordLength: 24,
        generateStringKey: "password",
      },
    });

    // Attaching the existing secret to a new cluster works fine
    /*
    const cluster = new rds.DatabaseCluster(this, "Database", {
      engine: rds.DatabaseClusterEngine.auroraMysql({
        version: rds.AuroraMysqlEngineVersion.VER_3_02_1,
      }),
      credentials: rds.Credentials.fromSecret(secret),
      instanceProps: {
        vpcSubnets: {
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
        vpc,
      },
    });
    */

    // Attaching the existing secret to a new cluster will create a new DatabaseSecret instead
    const cluster = new rds.DatabaseClusterFromSnapshot(this, "Database", {
      snapshotIdentifier: "test-snapshot-for-cdk",
      engine: rds.DatabaseClusterEngine.auroraMysql({
        version: rds.AuroraMysqlEngineVersion.VER_3_02_1,
      }),
      snapshotCredentials: rds.SnapshotCredentials.fromSecret(secret),
      instanceProps: {
        vpcSubnets: {
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
        vpc,
      },
    });
  }
}

When running cdk diff, the resource list output will contain two Secrets/Attachments, not one as expected:

Resources
...
[+] AWS::SecretsManager::Secret JSONSecret JSONSecret6FE68AEF
[+] AWS::SecretsManager::SecretTargetAttachment JSONSecret/Attachment JSONSecretAttachmentCB690F4F
...
[+] AWS::SecretsManager::Secret Database/Secret DatabaseSecret3B817195
[+] AWS::SecretsManager::SecretTargetAttachment Database/Secret/Attachment DatabaseSecretAttachmentE5D1B020
...

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.61.1 (build d319d9c)

Framework Version

No response

Node.js Version

v18.13.0

OS

macOS Monterey (arm64)

Language

Typescript

Language Version

TypeScript (4.9.4)

Other information

No response

[pahud]

Thanks for your report. I will try reproduce this in my account.

[yantsipun]

Having the same issue.

      return new DatabaseClusterFromSnapshot(this, 'Database', {
        ...clusterProps,
        snapshotIdentifier,
        snapshotCredentials:
          snapshotCredentials ??
          SnapshotCredentials.fromGeneratedSecret('postgres'),
      })

After this I'm dumping the Secret ARN into SSM by using cluster.secret.secretFullArn.
However, two pairs of "AWS::SecretsManager::SecretTargetAttachment" and "AWS::SecretsManager::Secret" resources are created after.
Two secrets are containing different passwords and I can access the cluster with the secret, ARN of which I dumped to SSM.

"aws-cdk-lib": "2.38.1"

[pahud]

Yes I can reproduce this bug:

As DatabaseClusterFromSnapshot extends DatabaseClusterNew, which always runs renderCredentials() to generate a new secret if props.credentials is not provided. I guess this is something we should fix.

[CptBalistico]

Out of curiosity, is there any update on this issue? We would like to update our version of the library, but newer versions have deprecated .credentials(Credentials.fromSecret(...)).

Since secret rotation is mandatory for us, but since we have no control over the second, extra secret resulting from using .snapshotCredentials(SnapshotCredentials.fromSecret(...)), this is currently not possible.

[colifran]

@dominiquems I'm looking into this to see what we can do to prevent the extra secret from being created.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.