-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(rds): clusters created from snapshots generate incorrect passwords #20473
Conversation
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for picking this up Peter! <3
* | ||
* @default - No credentials are generated | ||
*/ | ||
readonly snapshotCredentials?: ClusterSnapshotCredentials; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need this to be a different field because you want to change the default behavior, from how the current credentials
field behaves (in the details)? Or does it need to be a different field because it means something completely different?
If it's the first, a feature flag might be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need a different field because I want the customer to use ClusterSnapshotCredentials
, as its designed specifically for using credentials when creating clusters from snapshots.
First, I tried to modify the Credentials
class and renderCredentials()
to work with what the customer might already have, but the code got confusing (would have been pretty difficult to document functionality for users too), and would be hard to maintain in the future. So I deprecated the prop to have customer use ClusterSnapshotCredentials
when creating a cluster from snapshot and setting credentials. This class allows you to reference a full existing secret, or it will generate a new secret for you based on your login credentials passed as a secret value.
Sidenote - I believe this latter functionality (generating a secret based on login credentials) in my PR is bugged at the moment, or at the least poorly documented. The problem is that the fromPassword()
method doesn't describe that the user should probably also have a username field in their passed SecretValue
. I originally wanted to set the secretStringValue
of the generated secret to contain the username which is passed in directly through CDK code, but I couldn't figure out how to properly set the eventual SecretString field to contain anything other than the customer passed SecretValue (other than with sloppy escape hatches).
So, long way to answer that I want this to be something completely different. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this a case where a breaking change might be acceptable? The current credentials
prop is not usable as it does not set the password of a cluster created from a snapshot, moreover it doesn't work with rotation. So no one is using this to set a password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it not possible to use the existing SnapshotCredentials
class here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So no one is using this to set a password?
Correction: it is maybe used with secrets containing the snapshot password and that need to benefit from the attachment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RDS is considered stable, so we can't make a breaking change. You can use Credentials.fromSecret()
to use an existing secret that you know works, and there could be users out there doing that. As far as I can tell though, all the other methods on the Credentials
class are broken (fromPassword
ends up doing nothing as far as I can tell)
I tried using the existing SnapshotCredentials
class as well, but that got a bit sloppy with the way it's correctly implemented for DatabaseInstanceFromSnapshot
. Ends up being safest for the user to not make mistakes with a new class
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should be possible to do this with existing SnapshotCredentials
class, I will make some tests.
I see that with the new class you're creating a secret that is not a JSON but a string with the password. This will not work with attachment or rotation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do think it's possible, but I personally wasn't a fan of how the documentation of the methods would have to have two different definitions depending on if the method is being used for an instance or cluster, and I was also would have rather just not let the customer be able to access the generate methods on the SnapshotCredentials
class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think it would still be better to use the SnapshotCredentials
class?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to figure out how to create a secret with JSON - I feel like I'm missing something simple but that's ideally what I'd like to do so that the user can pass in the username directly through CDK
#20504) Deprecate `credentials` and explain how it is broken. Replace it with `snapshotCredentials` that offer the expected behavior. Fixes #20434 Closes #20473 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #20434
ClusterSnapshotCredentials
to distinguish clusters created from snapshot and instances created from snapshotDBClusterFromSnapshot.credentials
andServerlessClusterFromSnapshot.credentials
to use new classAll Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integ
to deploy the infrastructure and generate the snapshot (i.e.yarn integ
without--dry-run
)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license