
aws-cdk-lib.aws_rds: Cannot set secret to use for master password management on CfnDBInstance #27288

Closed
jmihalich opened this issue Sep 25, 2023 · 3 comments
Labels
aws-cdk-lib Related to the aws-cdk-lib package bug This issue is a bug. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed.

Comments

@jmihalich

jmihalich commented Sep 25, 2023

Describe the bug

Hi,

The L1 CfnDBInstanceProps class has a MasterUserSecret variable and is a getter/setter. I am trying to specify the secret to use by creating a Secret construct and setting the MasterUserSecret.SecretArn to the Arn of the secret. That all seems to work, and the template shows the secret arn in that field.

However, the CfnDBInstance code seems to be ignoring it, as it is always creating its own secret key with a format similar to rds!db-5a03a378-08a8-4ccc-98e3-c84e8619a38b.

I was using the L2 class DBInstance, which allowed this and worked fine. But now that I've dropped down to the L1 class, I need the same functionality.

Thanks,
Joe

Expected Behavior

It should have written the username and password to the secret that I gave it.

Current Behavior

It creates its own secret and writes the username and password there.

Reproduction Steps

    using Amazon.CDK;
    using Amazon.CDK.AWS.RDS;
    using Amazon.CDK.AWS.SecretsManager;

    //create a secret in secrets manager that will have the admin username/password in it
    var secret = new Secret(stack,
                            "SecretLogicalName",
                            new SecretProps()
                            {
                                GenerateSecretString = new SecretStringGenerator()
                                {
                                    //note: the database instance class that uses this secret will expect the password to be in the following
                                    //secret value json format:
                                    //{"password":"<generated-password>"}
                                    //The value of GenerateStringKey needs to be the key name in the json, which is: password
                                    GenerateStringKey = "password",
                                    //the template must be valid JSON, so both quotes around "username" are escaped
                                    SecretStringTemplate = "{\"username\":\"admin\"}",
                                    RequireEachIncludedType = true,
                                    PasswordLength = 15,
                                    IncludeSpace = false,
                                    ExcludePunctuation = true,
                                    ExcludeLowercase = false,
                                    ExcludeUppercase = false,
                                    ExcludeNumbers = false
                                },
                                SecretName = "MySecretName",
                                RemovalPolicy = RemovalPolicy.DESTROY
                            });

    //create database (ConstructScope/ConstructId come from the caller's own rdsInstanceProperties object)
    var dbInstance = new CfnDBInstance(rdsInstanceProperties.ConstructScope, rdsInstanceProperties.ConstructId, new CfnDBInstanceProps()
    {
        AllocatedStorage = "20",
        AllowMajorVersionUpgrade = false,
        AutoMinorVersionUpgrade = true,
        BackupRetentionPeriod = 30,
        CaCertificateIdentifier = "rds-ca-ecc384-g1",
        CertificateRotationRestart = true,
        CopyTagsToSnapshot = true,
        DbInstanceClass = "db.t4g.micro",
        DbName = "MyRDSInstance",
        DbSubnetGroupName = "MySubnetGroupId",
        DeleteAutomatedBackups = false,
        DeletionProtection = true,
        EnableCloudwatchLogsExports = new string[]
        {
            "error"
        },
        EnableIamDatabaseAuthentication = false,
        Engine = "mysql",
        EngineVersion = "8.0.34",
        ManageMasterUserPassword = true,
        MasterUsername = "admin",
        //point the instance at the secret created above; the synthesized template shows this ARN
        MasterUserSecret = new CfnDBInstance.MasterUserSecretProperty()
        {
            SecretArn = secret.SecretArn,
        },
        MultiAz = false,
        NetworkType = "IPV4",
        Port = "3306",
        PubliclyAccessible = false,
        StorageEncrypted = false,
        StorageType = "gp2",
        VpcSecurityGroups = new[]
        {
            "MySecurityGroup1"
        }
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.97.0 (build d7cf3be)

Framework Version

No response

Node.js Version

10.1.0

OS

WSL Ubuntu 22.04

Language

.NET

Language Version

7.0

Other information

This is the relevant CF template code that was generated:

secret:

    "PublicApiMySqlInstanceRDSAdminCredentialsC86A16E8": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "GenerateSecretString": {
          "ExcludeLowercase": false,
          "ExcludeNumbers": false,
          "ExcludePunctuation": true,
          "ExcludeUppercase": false,
          "GenerateStringKey": "password",
          "IncludeSpace": false,
          "PasswordLength": 15,
          "RequireEachIncludedType": true,
          "SecretStringTemplate": "{\"username\":\"admin\"}"
        },
        "Name": "ct/publicapi/mysql/master/mysqlcredentials"
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "MySqlRDSStack/PublicApiMySqlInstanceRDSAdminCredentials/Resource"
      }
    },

rds:

    "PublicApiMySqlInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "AllocatedStorage": "20",
        "AllowMajorVersionUpgrade": false,
        "AutoMinorVersionUpgrade": true,
        "BackupRetentionPeriod": 1,
        "CACertificateIdentifier": "rds-ca-ecc384-g1",
        "CertificateRotationRestart": true,
        "CopyTagsToSnapshot": true,
        "DBInstanceClass": "db.t4g.micro",
        "DBSubnetGroupName": "PublicApiRDSSubnetGroup",
        "DeleteAutomatedBackups": false,
        "DeletionProtection": true,
        "EnableCloudwatchLogsExports": [
          "error"
        ],
        "EnableIAMDatabaseAuthentication": false,
        "Engine": "mysql",
        "EngineVersion": "8.0.34",
        "ManageMasterUserPassword": true,
        "MasterUserSecret": {
          "SecretArn": {
            "Ref": "PublicApiMySqlInstanceRDSAdminCredentialsC86A16E8"
          }
        },
        "MasterUsername": "admin",
        "MultiAZ": false,
        "NetworkType": "IPV4",
        "Port": "3306",
        "PubliclyAccessible": false,
        "StorageEncrypted": false,
        "StorageType": "gp2",
        "VPCSecurityGroups": [
          {
            "Fn::GetAtt": [
              "PublicApiRDSSecurityGroup",
              "GroupId"
            ]
          }
        ]
      },
      "DependsOn": [
        "PublicApiRDSSecurityGroup",
        "PublicApiRDSSubnetGroup"
      ],
      "Metadata": {
        "aws:cdk:path": "MySqlRDSStack/PublicApiMySqlInstance"
      }
    }

@jmihalich jmihalich added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label Sep 25, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
@peterwoodworth
Contributor

Hey @jmihalich,

The L1 resources are essentially using CloudFormation directly, so we don't really know what's going on under the hood exactly on deployment. I'm not very familiar with setting this up, but taking a look at the API reference for CreateDBInstance you can see that it actually wants a KMS key. But, I am only assuming that CloudFormation is using this API, so I'm not sure if that's what CloudFormation needs.

I think CloudFormation could afford to improve the documentation here, and they should throw an error if the configuration won't work as you describe. The best place to report this is at the CloudFormation Coverage Roadmap

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. needs-triage This issue or PR still needs to be triaged. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
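The two comments above describe the two distinct ways an AWS::RDS::DBInstance can get its master password, and they are mutually exclusive: either RDS manages the secret itself (ManageMasterUserPassword set, where the only caller-settable sub-property of MasterUserSecret is the KMS key that encrypts the RDS-created secret, and SecretArn is an output RDS fills in), or the template supplies MasterUserPassword from a secret you created, which is what the L2 DatabaseInstance does with Credentials.FromSecret. The following is an added example in C#, not code from the issue author or from the aws-cdk project; the construct IDs, the KMS key, the password length and the security settings are assumptions, and it relies on CfnDBInstance.MasterUserSecretProperty.KmsKeyId, Secret.SecretValueFromJson and SecretValue.UnsafeUnwrap as they exist in aws-cdk-lib v2.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.KMS;
using Amazon.CDK.AWS.RDS;
using Amazon.CDK.AWS.SecretsManager;
using Constructs;

namespace MasterPasswordExample
{
    // Added example (not from the issue or from the aws-cdk project): one stack with
    // one instance per password-management mechanism, so the two can be compared.
    public class MasterPasswordStack : Stack
    {
        public CfnDBInstance RdsManagedSecretInstance { get; }
        public CfnDBInstance CallerManagedSecretInstance { get; }

        public MasterPasswordStack(Construct scope, string id, IStackProps props = null)
            : base(scope, id, props)
        {
            // Option A: RDS creates and owns the master-user secret. You choose the KMS key
            // that encrypts it; you do not supply the secret (SecretArn is an output).
            var secretKey = new Key(this, "MasterSecretKey", new KeyProps
            {
                EnableKeyRotation = true
            });

            RdsManagedSecretInstance = new CfnDBInstance(this, "ManagedSecretDb", new CfnDBInstanceProps
            {
                Engine = "mysql",
                EngineVersion = "8.0.34",
                DbInstanceClass = "db.t4g.micro",
                AllocatedStorage = "20",
                MasterUsername = "admin",
                ManageMasterUserPassword = true,
                MasterUserSecret = new CfnDBInstance.MasterUserSecretProperty
                {
                    KmsKeyId = secretKey.KeyArn
                },
                StorageEncrypted = true,
                PubliclyAccessible = false,
                DeletionProtection = true
            });

            // Option B: you create the secret and hand the password to the instance as a
            // CloudFormation dynamic reference ({{resolve:secretsmanager:...}}). The plaintext
            // never lands in the synthesized template or in cdk.out; CloudFormation resolves
            // it at deploy time.
            var adminSecret = new Secret(this, "AdminCredentials", new SecretProps
            {
                GenerateSecretString = new SecretStringGenerator
                {
                    SecretStringTemplate = "{\"username\":\"admin\"}",
                    GenerateStringKey = "password",
                    PasswordLength = 30,   // assumed value
                    ExcludePunctuation = true
                }
            });

            CallerManagedSecretInstance = new CfnDBInstance(this, "CallerSecretDb", new CfnDBInstanceProps
            {
                Engine = "mysql",
                EngineVersion = "8.0.34",
                DbInstanceClass = "db.t4g.micro",
                AllocatedStorage = "20",
                MasterUsername = adminSecret.SecretValueFromJson("username").UnsafeUnwrap(),
                // UnsafeUnwrap only turns the SecretValue into a string token; the token is
                // still the dynamic reference, not the password itself.
                MasterUserPassword = adminSecret.SecretValueFromJson("password").UnsafeUnwrap(),
                StorageEncrypted = true,
                PubliclyAccessible = false,
                DeletionProtection = true
                // ManageMasterUserPassword is deliberately left unset here: combining it with
                // MasterUserPassword is the conflicting configuration the issue describes.
            });
        }
    }
}
```

After `cdk synth`, the Option B instance carries a `MasterUserPassword` of the form `{{resolve:secretsmanager:<secret-arn>:SecretString:password::}}` while the Option A instance carries `ManageMasterUserPassword: true` with only `KmsKeyId` under `MasterUserSecret`; grepping the synthesized template for a literal password string is a quick check that neither path leaked plaintext into cdk.out.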
@jmihalich
Author

OK, thank you for the quick response. I'll inquire over in the CF area.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 26, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
