aws-cdk: (rds): unable to alter master user password when using DatabaseClusterFromSnapshot with snapshotCredentials

Describe the bug

About 2 months ago this PR got merged, which states that we should be able to alter the master user password of the snapshot using the snapshotCredentials prop. However, when using this prop CDK creates a new secret in Secrets Manager, but the master user password still remains unchanged. It seems like the DatabaseSecret that is created is not being used.

Looking at the code of the PR, the masterUserPassword gets changed in the cfnDbCluster while also having the snapshotIdentifier prop. However, the docs state to NOT use the masterUserPassword prop together with the snapshotIdentifier prop.

Expected Behavior

When using the snapshotCredentials property with rds.SnapshotCredentials.fromGeneratedSecret() inside the DatabaseClusterFromSnapshot construct, I expect the master user password to be changed to the password that is generated in Secrets Manager.

Current Behavior

A DatabaseSecret is created inside Secrets Manager, however the master user password of the snapshot remains unchanged.

Reproduction Steps

  1. Create an RDS DB using Aurora Serverless using the DatabaseCluster construct in CDK
  2. Create snapshot
  3. Add DatabaseClusterFromSnapshot construct to CDK using the snapshotCredentials with SnapshotCredentials.fromGeneratedSecret(), and remove the DatabaseCluster construct from CDK
  4. Try logging in to the DB as master user using the generated DatabaseSecret that is created from the DatabaseClusterFromSnapshot

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.27.0

Framework Version

No response

Node.js Version

16

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response
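The root cause described above (the synthesized AWS::RDS::DBCluster carrying MasterUserPassword alongside SnapshotIdentifier, so the generated secret never matches the real master password) can be caught before deployment by linting the `cdk synth` output. The following is an added example, not code from this issue or from aws-cdk; the logical IDs and snapshot name in the sample template are assumptions made for the example.

```typescript
type CfnTemplate = { Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }> };
export interface Finding { logicalId: string; snapshotIdentifier: string; masterUserPassword: string }

// Render a CloudFormation value (plain string, Ref, Fn::Join) so a finding shows
// what the password property actually points at.
export function renderValue(v: unknown): string {
  if (typeof v === 'string') return v;
  if (v && typeof v === 'object') {
    const o = v as Record<string, unknown>;
    if ('Ref' in o) return `{Ref ${String(o.Ref)}}`;
    if ('Fn::Join' in o) {
      const [sep, parts] = o['Fn::Join'] as [string, unknown[]];
      return parts.map(renderValue).join(sep);
    }
  }
  return JSON.stringify(v);
}

// Flag every AWS::RDS::DBCluster that restores from a snapshot and also sets MasterUserPassword:
// RDS keeps the snapshot's password on restore, so the referenced secret will not match it.
export function findSnapshotPasswordConflicts(t: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(t.Resources)) {
    const p = res.Properties;
    if (res.Type !== 'AWS::RDS::DBCluster' || !p) continue;
    if (p.SnapshotIdentifier === undefined || p.MasterUserPassword === undefined) continue;
    findings.push({
      logicalId,
      snapshotIdentifier: renderValue(p.SnapshotIdentifier),
      masterUserPassword: renderValue(p.MasterUserPassword),
    });
  }
  return findings;
}

// Constructed sample shaped like CDK output for snapshotCredentials; the logical
// IDs and snapshot name are assumptions made for this example, not real values.
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    RestoredCluster1234: {
      Type: 'AWS::RDS::DBCluster',
      Properties: {
        Engine: 'aurora-postgresql',
        SnapshotIdentifier: 'example-cluster-snapshot',
        MasterUserPassword: { 'Fn::Join': ['', [
          '{{resolve:secretsmanager:', { Ref: 'RestoredSecretAB12' }, ':SecretString:password::}}']] },
      },
    },
  },
};
```

Feed it the JSON from `cdk synth`; a non-empty result means the secret CDK created is not the credential the restored cluster will actually accept, which is exactly what step 4 of the reproduction observes.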

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 12
  • Comments: 24 (10 by maintainers)

Most upvoted comments

@MitchWijt I tried again today and it’s not working for me anymore. I’m not sure if something changed, or I just messed something up the last time I tried. After looking into it more, I’m not sure how it ever could have worked. In all of my testing, including with the integration test, it always uses the previous database password (which is in line with the documentation).

It seems like this issue impacts a significant number of customers, and I’ve tagged it as P1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute (https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) a bug fix or new feature to the CDK. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster.

@pflueras I’ve been investigating this and it seems from some initial testing that the bug is fixed for me too. I’m going to continue testing this today with some different variations, but I’m wondering if anyone else has had a chance to retry this with success too. @MitchWijt would you be able to retry on your end to see if this is now working for you?