Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(rds): clusters created from snapshots generate incorrect passwords #20473

Closed
wants to merge 2 commits into from

Conversation

peterwoodworth
Copy link
Contributor

@peterwoodworth peterwoodworth commented May 24, 2022

fixes #20434

  • Creates new class ClusterSnapshotCredentials to distinguish clusters created from snapshot and instances created from snapshot
  • deprecates DBClusterFromSnapshot.credentials and ServerlessClusterFromSnapshot.credentials to use new class
  • need to document and add tests still

All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented May 24, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team May 24, 2022 09:12
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels May 24, 2022
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label May 24, 2022
@peterwoodworth peterwoodworth marked this pull request as ready for review May 24, 2022 23:22
@peterwoodworth
Copy link
Contributor Author

@jogold @jumic would appreciate a look from you guys. Let me know if you think this is the right way to approach this. Also, unsure if DatabaseClusterFromSnapshot can actually rotate credentials. Should we override those methods for that construct?

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: a5967b7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for picking this up Peter! <3

*
* @default - No credentials are generated
*/
readonly snapshotCredentials?: ClusterSnapshotCredentials;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need this to be a different field because you want to change the default behavior, from how the current credentials field behaves (in the details)? Or does it need to be a different field because it means something completely different?

If it's the first, a feature flag might be better.

Copy link
Contributor Author

@peterwoodworth peterwoodworth May 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need a different field because I want the customer to use ClusterSnapshotCredentials, as its designed specifically for using credentials when creating clusters from snapshots.

First, I tried to modify the Credentials class and renderCredentials() to work with what the customer might already have, but the code got confusing (would have been pretty difficult to document functionality for users too), and would be hard to maintain in the future. So I deprecated the prop to have customer use ClusterSnapshotCredentials when creating a cluster from snapshot and setting credentials. This class allows you to reference a full existing secret, or it will generate a new secret for you based on your login credentials passed as a secret value.

Sidenote - I believe this latter functionality (generating a secret based on login credentials) in my PR is bugged at the moment, or at the least poorly documented. The problem is that the fromPassword() method doesn't describe that the user should probably also have a username field in their passed SecretValue. I originally wanted to set the secretStringValue of the generated secret to contain the username which is passed in directly through CDK code, but I couldn't figure out how to properly set the eventual SecretString field to contain anything other than the customer passed SecretValue (other than with sloppy escape hatches).

So, long way to answer that I want this to be something completely different. wdyt?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this a case where a breaking change might be acceptable? The current credentials prop is not usable as it does not set the password of a cluster created from a snapshot, moreover it doesn't work with rotation. So no one is using this to set a password?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it not possible to use the existing SnapshotCredentials class here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So no one is using this to set a password?

Correction: it is maybe used with secrets containing the snapshot password and that need to benefit from the attachment.

Copy link
Contributor Author

@peterwoodworth peterwoodworth May 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RDS is considered stable, so we can't make a breaking change. You can use Credentials.fromSecret() to use an existing secret that you know works, and there could be users out there doing that. As far as I can tell though, all the other methods on the Credentials class are broken (fromPassword ends up doing nothing as far as I can tell)

I tried using the existing SnapshotCredentials class as well, but that got a bit sloppy with the way it's correctly implemented for DatabaseInstanceFromSnapshot. Ends up being safest for the user to not make mistakes with a new class

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be possible to do this with existing SnapshotCredentials class, I will make some tests.

I see that with the new class you're creating a secret that is not a JSON but a string with the password. This will not work with attachment or rotation.

Copy link
Contributor Author

@peterwoodworth peterwoodworth May 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do think it's possible, but I personally wasn't a fan of how the documentation of the methods would have to have two different definitions depending on if the method is being used for an instance or cluster, and I was also would have rather just not let the customer be able to access the generate methods on the SnapshotCredentials class.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it would still be better to use the SnapshotCredentials class?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to figure out how to create a secret with JSON - I feel like I'm missing something simple but that's ideally what I'd like to do so that the user can pass in the username directly through CDK

@mergify mergify bot closed this in #20504 Jun 2, 2022
mergify bot pushed a commit that referenced this pull request Jun 2, 2022
#20504)

Deprecate `credentials` and explain how it is broken.

Replace it with `snapshotCredentials` that offer the expected behavior.

Fixes #20434
Closes #20473 


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@TheRealAmazonKendra TheRealAmazonKendra deleted the peterwoodworth/clusterFromSnapshotFix branch February 14, 2023 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

RDS: Cannot connect to Serverless Cluster created from snapshot
4 participants