aws-cdk: (aws_rds): addRotationMultiUser secrets missing engine on bootstrap
Describe the bug
When I addRotationMultiUser with a DatabaseSecret,
```ts
const secret = new aws_rds.DatabaseSecret(this, 'Secret', {
  username: 'a_user_name',
  encryptionKey,
  secretName: 'aUserName',
  masterSecret: cluster.secret,
});
cluster.addRotationMultiUser('aUserName', { secret });
```
the rotation lambda fails with
```
[ERROR] KeyError: "Database engine must be set to 'postgres' in order to use this rotation lambda"
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 77, in lambda_handler
    create_secret(service_client, arn, token)
  File "/var/task/lambda_function.py", line 113, in create_secret
    current_dict = get_secret_dict(service_client, arn, "AWSCURRENT")
  File "/var/task/lambda_function.py", line 451, in get_secret_dict
    raise KeyError("Database engine must be set to 'postgres' in order to use this rotation lambda")
```
Expected Behavior
It should work.
Current Behavior
It doesn’t work.
Reproduction Steps
```ts
import { App, Stack, StackProps, aws_ec2, aws_rds } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps = {}) {
    super(scope, id, props);

    const vpc = aws_ec2.Vpc.fromLookup(this, 'VPC', {
      tags: { TheVpc: 'Default' }, // or whatever.
    });

    const cluster = new aws_rds.DatabaseCluster(this, 'MyCluster', {
      credentials: {
        username: 'manager',
      },
      engine: aws_rds.DatabaseClusterEngine.auroraPostgres({
        version: aws_rds.AuroraPostgresEngineVersion.VER_12_8,
      }),
      instanceProps: {
        instanceType: aws_ec2.InstanceType.of(
          aws_ec2.InstanceClass.T3,
          aws_ec2.InstanceSize.MEDIUM
        ),
        vpc,
      },
      instances: 1, // be cheap
    });

    cluster.addRotationSingleUser();

    const secret = new aws_rds.DatabaseSecret(this, 'ReaderSecret', {
      username: 'reader',
      masterSecret: cluster.secret,
    });
    cluster.addRotationMultiUser('ReaderRotation', { secret });
  }
}

// for development, use account/region from cdk cli
const devEnv = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: process.env.CDK_DEFAULT_REGION,
};

const app = new App();
new MyStack(app, 'my-stack-dev', { env: devEnv });
app.synth();
```
Chase down the substack for the multi-rotation, find the lambda, find its execution logs. Lo and behold, an error message appears!
Possible Solution
aws_rds.DatabaseSecret() should be bootstrapping the secret with basics from the masterSecret.
Additional Information/Context
No response
CDK CLI Version
2.18.0 (build 75c90fa)
Framework Version
same
Node.js Version
v16.13.1
OS
Darwin Kernel Version 21.2.0: Sun Nov 28 20:29:10 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T8101 arm64
Language
Typescript
Language Version
"typescript": "^4.6.3"
Other information
No response
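Added example, not code from the issue or from aws-cdk: it models the check behind the KeyError in the report and what the user secret is missing. It assumes that a `DatabaseSecret` built only from `username` and `masterSecret` stores just `username`, `password` and `masterarn`, and that attaching the secret to the cluster (`secret.attach(cluster)`, a `SecretTargetAttachment` with a DBCluster target) is what merges `engine`, `host`, `port`, `dbname` and `dbClusterIdentifier` into it; the `rotationPreflight` helper and the required-field list are constructed here to mirror the lambda's validation, not taken from its source.

```typescript
// Secret value as the rotation lambda sees it after json.loads(SecretString).
type SecretDict = Record<string, string | number>;

// Fields the Postgres multi-user rotation lambda reads from the user secret
// (assumed set, built from the error in the report: engine plus connection
// and credential keys, and masterarn so it can log in as the master user).
const REQUIRED_FIELDS = ['engine', 'host', 'username', 'password', 'masterarn'] as const;

// Mirrors the validation that raised in get_secret_dict: the engine must be
// 'postgres', then every required key must be present. Returns the error
// text the lambda would raise, or null when the secret is usable.
function rotationPreflight(secret: SecretDict): string | null {
  if (secret.engine !== 'postgres') {
    return "Database engine must be set to 'postgres' in order to use this rotation lambda";
  }
  for (const field of REQUIRED_FIELDS) {
    if (!(field in secret)) {
      return `${field} key is missing from secret JSON`;
    }
  }
  return null;
}

// What a DatabaseSecret created with only username + masterSecret holds
// (assumption): generated credentials and the master ARN, no connection keys.
function userSecretAsGenerated(username: string, masterArn: string): SecretDict {
  return { username, password: 'generated-password-placeholder', masterarn: masterArn };
}

// Connection keys a SecretTargetAttachment adds for an Aurora cluster target.
interface ClusterTarget {
  engine: string;
  host: string;
  port: number;
  dbname: string;
  dbClusterIdentifier: string;
}

// Simulates secret.attach(cluster): connection keys are merged into the
// secret value; keys already present (username, password, masterarn) stay.
function attachToCluster(secret: SecretDict, target: ClusterTarget): SecretDict {
  return { ...secret, ...target };
}
```

Running `rotationPreflight` on the un-attached secret reproduces the exact message from the lambda log, and on the attached secret it returns null, which is the state the multi-user rotation needs before it is scheduled.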
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 23 (21 by maintainers)
Ah, got it. I mean, yeah, if the rotation application has some bug, then yes, it needs to be fixed upstream.
Note that the current rotation applications we use in the CDK are also very old - maybe the problem has been fixed in newer versions already. We have an open issue about it (https://github.com/aws/aws-cdk/issues/18249), you can use this workaround: https://github.com/aws/aws-cdk/issues/18249#issuecomment-1005121223 for now if you want to try updating the application to the latest version, and seeing if that helps.