-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(secretsmanager/rds): support credential rotation #2052
Conversation
Add construct for rotation schedule, secret target attachment and RDS rotation single user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also describe these classes in the README. A section should be something like "how to set up credential rotation"
/** | ||
* The connections object of the RDS database instance or cluster. | ||
*/ | ||
connections: ec2.Connections; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'd rather you pass an IConnectable
here. Any reason that wouldn't work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, this should have been an IConnectable
.
/** | ||
* Options to add a secret attachement to a secret. | ||
*/ | ||
export interface SecretTargetAttachmentOptions { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feel like this should be an interface like:
export interface ISecretAttachmentTarget {
asSecretAttachmentTarget(): SecretAttachmentTargetProps;
}
export interface SecretAttachmentTargetProps {
targetId: string;
targetType: AttachmentTargetType;
}
export interface SecretTargetAttachmentOptions {
target: ISecretAttachmentTarget;
}
And then have the DBInstance and DBCluster classes implement ISecretAttachmentTarget
.
// This allows to reference the secret after attachment (dependency). When | ||
// creating a secret for a RDS cluster or instance this is the secret that | ||
// will be used as the input for the rotation. | ||
this.secret = Secret.import(this, 'Secret', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels like this is something that users might forget, especially since these docs are in implementation notes.
Another idea (not necessarily saying you must do this), how about changing this into:
class AttachedSecret implements ISecret {
...
}
So that an AttachedSecret
can be used anywhere a secret can be used? And if not that, then at least put these notes in a public comment somewhere, seems very relevant to this construct's usage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this idea of the AttachedSecret
@@ -0,0 +1,204 @@ | |||
import ec2 = require('@aws-cdk/aws-ec2'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feels like this whole file should live in the aws-rds
package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK to move the RDS rotation, in the same PR then? It breaks the conventional commit + squash convention here...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what you mean. The only thing it might break is the scope, if the scope were a single package.
I would feel comfortable with a feat(secretsmanager/rds): support credential rotation
.
Since there's already a breaking change for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Jonathan, I think this is just fantastic. Thank you!
packages/@aws-cdk/aws-rds/README.md
Outdated
@@ -53,3 +53,28 @@ attributes: | |||
```ts | |||
const writeAddress = cluster.clusterEndpoint.socketAddress; // "HOSTNAME:PORT" | |||
``` | |||
|
|||
### Rotating master password | |||
When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically: [example of setting up master password rotation](test/integ.cluster-rotation.lit.ts) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be on a line by itself.
*/ | ||
export class DatabaseCluster extends cdk.Construct implements IDatabaseCluster { | ||
export abstract class DatabaseClusterBase extends cdk.Construct implements IDatabaseCluster { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<3
* Parameter or the SSM Parameter Store instead. | ||
* Do not put passwords in your CDK code directly. | ||
* | ||
* @default a Secrets Manager generated password |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<3
Will merge after current release process is over. You just missed the cut, sorry, it will be in the next release. |
No prob, have you seen this?
|
Oh totally. Though can you create a new PR for that please? |
See #2063 |
Add construct for rotation schedule, secret target attachment and RDS rotation single user.
This is needed in order to implement something like
cluster.addRotationSingleUser(...)
inaws-rds
which will allow to create a cluster (or instance, no construct yet) with a secrets manager generated master password and add rotation to it (PR to follow if this one is accepted).Question: where does the construct RdsRotationSingleUser fit? Here in
aws-secretsmanager
or inaws-rds
?Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.