aws_rds: DatabaseClusterFromSnapshot creates a new secret when using SnapshotCredentials.fromGeneratedSecret()/fromGeneratedPassword #28761

Closed
talalong opened this issue Jan 18, 2024 · 3 comments
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@talalong

Describe the bug

I am encountering an issue similar to #23815. However, I am utilizing the fromGeneratedSecret() or fromGeneratedPassword() function to reuse the master username from the snapshot ('t3'). The CDK generates two secrets: one with the default username 'postgres' (which I did not expect) and the other with 't3' (as expected).


Expected Behavior

I anticipate having only one secret with the correct username ('t3'). The secret with the default username 'postgres' should not be present in the first place. Using the deprecated property credentials would resolve this issue.

Current Behavior

CDK generates two secrets

Reproduction Steps

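Here is an example of how I define my DB.

import { Duration } from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { SubnetType } from "aws-cdk-lib/aws-ec2";
import { RetentionDays } from "aws-cdk-lib/aws-logs";
import * as rds from "aws-cdk-lib/aws-rds";

// Inside a Stack constructor; `vpc` is an existing ec2.IVpc defined elsewhere.
const database = new rds.DatabaseClusterFromSnapshot(this, "Database", {
  engine: rds.DatabaseClusterEngine.auroraPostgres({
    version: rds.AuroraPostgresEngineVersion.VER_14_5,
  }),
  vpc: vpc,
  vpcSubnets: { subnetType: SubnetType.PRIVATE_ISOLATED },
  writer: rds.ClusterInstance.provisioned("ClusterWriter", {
    instanceType: new ec2.InstanceType("t3.medium"),
  }),
  readers: [],
  defaultDatabaseName: "t3",
  backup: { retention: Duration.days(1) },
  storageEncrypted: true,
  cloudwatchLogsExports: ["postgresql"],
  cloudwatchLogsRetention: RetentionDays.ONE_DAY,
  copyTagsToSnapshot: true,
  // Generates a new password for the master user "t3" restored from the snapshot.
  snapshotCredentials: rds.SnapshotCredentials.fromGeneratedPassword("t3"),
  snapshotIdentifier:
    "arn:aws:rds:eu-central-1:875116653029:snapshot:playground-abc-def",
});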

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

18.12.1

OS

Sonoma 14.2.1

Language

TypeScript

Language Version

TypeScript (4.9.5)

Other information

No response

@talalong talalong added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 18, 2024
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Jan 18, 2024
@pahud
Contributor

pahud commented Jan 19, 2024

Based on

generatePassword: true,

and

if (!secret && renderedCredentials?.generatePassword) {

A new Secret will be created

new DatabaseSecret(scope, 'SnapshotSecret', {
  username: renderedCredentials.username,
  encryptionKey: renderedCredentials.encryptionKey,
  excludeCharacters: renderedCredentials.excludeCharacters,
  replaceOnPasswordCriteriaChanges: renderedCredentials.replaceOnPasswordCriteriaChanges,
  replicaRegions: renderedCredentials.replicaRegions,
}),

Looks like this is related to #23441.

Yes, this is probably a bug and we should also make it more clear in the document.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@moelasmar moelasmar self-assigned this Feb 8, 2024
@pahud pahud added p2 and removed p1 labels Jun 11, 2024
@moelasmar moelasmar removed their assignment Sep 8, 2024
@talalong
Author

I tried the CDK today with the latest version 2.171 and the issue is gone. I close this issue now. Thank you for your work. 👍

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2024
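
The duplicate-secret condition reported in this issue can be checked for in a synthesized CloudFormation template before deployment. The following is an added example, not code from the issue thread or from the CDK project: it lists every generated AWS::SecretsManager::Secret, the username in its SecretStringTemplate, and which resources reference it. The sample template, its logical IDs (SecretA, SecretB, Cluster) and the reference wiring are constructed for illustration.

```typescript
// Added example (not CDK code): audit generated secrets in a synthesized template.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; username: string | null; referencedBy: string[] };

// True if `node` contains { Ref: id } or { "Fn::GetAtt": [id, ...] } at any depth.
function refersTo(node: unknown, id: string): boolean {
  if (Array.isArray(node)) return node.some((n) => refersTo(n, id));
  if (node === null || typeof node !== "object") return false;
  const obj = node as Record<string, unknown>;
  const getAtt = obj["Fn::GetAtt"];
  if (obj["Ref"] === id || (Array.isArray(getAtt) && getAtt[0] === id)) return true;
  return Object.keys(obj).some((k) => refersTo(obj[k], id));
}

// Username inside GenerateSecretString.SecretStringTemplate; null if missing or not JSON.
function templateUsername(res: Resource): string | null {
  const gen = res.Properties?.["GenerateSecretString"] as Record<string, unknown> | undefined;
  const raw = gen?.["SecretStringTemplate"];
  if (typeof raw !== "string") return null;
  try {
    const user = (JSON.parse(raw) as { username?: unknown }).username;
    return typeof user === "string" ? user : null;
  } catch {
    return null;
  }
}

// One finding per AWS::SecretsManager::Secret, with the resources that reference it.
function auditSecrets(t: Template): Finding[] {
  const ids = Object.keys(t.Resources);
  return ids
    .filter((id) => t.Resources[id].Type === "AWS::SecretsManager::Secret")
    .map((id) => ({
      logicalId: id,
      username: templateUsername(t.Resources[id]),
      referencedBy: ids.filter((o) => o !== id && refersTo(t.Resources[o].Properties, id)),
    }));
}

// Constructed, simplified template: logical IDs and wiring are illustrative only.
const sampleTemplate: Template = { Resources: {
  SecretA: { Type: "AWS::SecretsManager::Secret",
    Properties: { GenerateSecretString: { SecretStringTemplate: '{"username":"postgres"}', GenerateStringKey: "password" } } },
  SecretB: { Type: "AWS::SecretsManager::Secret",
    Properties: { GenerateSecretString: { SecretStringTemplate: '{"username":"t3"}', GenerateStringKey: "password" } } },
  Cluster: { Type: "AWS::RDS::DBCluster", Properties: { MasterUserPassword:
    { "Fn::Join": ["", ["{{resolve:secretsmanager:", { Ref: "SecretB" }, ":SecretString:password::}}"]] } } },
} };

console.log(auditSecrets(sampleTemplate));
```

A finding whose username is not the expected one, or whose referencedBy list is empty, is a secret worth reviewing before it is deployed and left holding an unused credential.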