
(aws-rds): adding secret rotation via SAM application fails #19487

Closed
thchia opened this issue Mar 21, 2022 · 1 comment · Fixed by #19490
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


thchia commented Mar 21, 2022

What is the problem?

When adding a secret rotation to a database (in my case, ServerlessCluster) via the .addRotationSingleUser() method, CDK deployment fails because it cannot access the S3 bucket where the rotation lambda code is stored.

The RDS method is still using the (old?) way of creating a rotation via a SAM application, and I recently updated my CDK from v1 to v2. Prior to that, it was working.

I know there was a soft intention to replace the application method of creating rotation lambdas with the hosted lambdas, but I didn't see anything about the old way being deprecated.

Reproduction Steps

    // Imports added so the fragment compiles as a CDK v2 stack; the reporter's
    // construct code below is unchanged.
    import { Duration, Stack, StackProps } from "aws-cdk-lib";
    import { Construct } from "constructs";
    import * as ec2 from "aws-cdk-lib/aws-ec2";
    import * as rds from "aws-cdk-lib/aws-rds";
    import * as secrets from "aws-cdk-lib/aws-secretsmanager";

    export class RotationReproStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        const vpc = new ec2.Vpc(this, "VPC");

        // Master credentials: fixed username, generated password.
        const credentials = new secrets.Secret(this, "Credentials", {
          generateSecretString: {
            excludePunctuation: true,
            secretStringTemplate: JSON.stringify({
              username: "username",
            }),
            generateStringKey: "password",
          },
        });

        const cluster = new rds.ServerlessCluster(this, "Database", {
          engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
          vpc,
          enableDataApi: true,
          credentials: rds.Credentials.fromSecret(credentials),
          defaultDatabaseName: "testdb",
          parameterGroup: rds.ParameterGroup.fromParameterGroupName(
            this,
            "ParameterGroup",
            "default.aurora-postgresql10"
          ),
          scaling: {
            autoPause: Duration.minutes(5),
            minCapacity: rds.AuroraCapacityUnit.ACU_2,
            maxCapacity: rds.AuroraCapacityUnit.ACU_2,
          },
          vpcSubnets: {
            subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
          },
        });

        // Rotation is created through the SAM application (AWS::Serverless::Application);
        // this is the step whose deployment fails.
        cluster.addRotationSingleUser();
      }
    }

What did you expect to happen?

Successful deployment (in particular, creation of rotation lambda from the SAM application).

What actually happened?

Rotation Lambda failed to create; it seems I can't access the bucket with its source code.

[Screenshot, 2022-03-21 5:09:15 PM: CloudFormation error while creating the rotation Lambda; image not preserved in text]

CDK CLI Version

2.16.0

Framework Version

No response

Node.js Version

16.13.1

OS

macOS

Language

Typescript

Language Version

3.9.10

Other information

I am running the deploy command using an Administrator role, though CloudFormation is assuming the generated roles from the bootstrap: arn:aws:iam::<account id>:role/cdk-hnb659fds-cfn-exec-role-<account id>-<region>.

When I create a rotation using only the Secrets Manager construct (and use the hosted lambda properties instead of application), then it works.
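The two mechanisms contrasted here (rotation via a SAM application versus a hosted rotation) are visible in the synthesized CloudFormation template. As an added example (not code from the page or from the aws-cdk project), the TypeScript below walks a template such as cdk.out/<stack>.template.json and reports which mechanism each RotationSchedule uses; the sample template is constructed, and the check assumes the SAM path wires RotationLambdaARN to the application's Outputs.RotationLambdaARN via Fn::GetAtt.

```typescript
// Added example (not aws-cdk project code): classify how each
// AWS::SecretsManager::RotationSchedule in a synthesized template gets its lambda.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

export type RotationKind = 'sam-application' | 'hosted' | 'custom-lambda';

// Assumption: the SAM-application path sets RotationLambdaARN to
// { "Fn::GetAtt": ["<appLogicalId>", "Outputs.RotationLambdaARN"] }.
export function classifyRotation(schedule: Resource, template: Template): RotationKind {
  const props = schedule.Properties ?? {};
  if (props['HostedRotationLambda'] !== undefined) return 'hosted';
  const arn = props['RotationLambdaARN'];
  if (arn && typeof arn === 'object' && 'Fn::GetAtt' in arn) {
    const [target] = (arn as { 'Fn::GetAtt': [string, string] })['Fn::GetAtt'];
    if (template.Resources[target]?.Type === 'AWS::Serverless::Application') {
      return 'sam-application';
    }
  }
  return 'custom-lambda'; // a rotation function the stack author manages
}

// Map every RotationSchedule logical id to the mechanism it uses.
export function auditRotations(template: Template): Record<string, RotationKind> {
  const result: Record<string, RotationKind> = {};
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type === 'AWS::SecretsManager::RotationSchedule') {
      result[id] = classifyRotation(res, template);
    }
  }
  return result;
}

// Constructed sample: one schedule backed by a SAM application (the shape
// addRotationSingleUser() produces), one using a hosted rotation.
export const sampleTemplate: Template = {
  Resources: {
    DatabaseRotationSarMapping: {
      Type: 'AWS::Serverless::Application',
      Properties: { Location: { ApplicationId: 'PLACEHOLDER_SAR_APP_ARN', SemanticVersion: 'x.y.z' } },
    },
    DatabaseRotationSingleUser: {
      Type: 'AWS::SecretsManager::RotationSchedule',
      Properties: {
        SecretId: { Ref: 'Credentials' },
        RotationLambdaARN: { 'Fn::GetAtt': ['DatabaseRotationSarMapping', 'Outputs.RotationLambdaARN'] },
      },
    },
    CredentialsHostedSchedule: {
      Type: 'AWS::SecretsManager::RotationSchedule',
      Properties: { SecretId: { Ref: 'Credentials' }, HostedRotationLambda: { RotationType: 'PostgreSQLSingleUser' } },
    },
  },
};
```

Running auditRotations over a real cdk.out template tells you, before deploying, whether a schedule still depends on fetching the SAM application's code from S3.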

@thchia thchia added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 21, 2022
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Mar 21, 2022
jogold added a commit to jogold/aws-cdk that referenced this issue Mar 21, 2022
@mergify mergify bot closed this as completed in #19490 Mar 21, 2022
mergify bot pushed a commit that referenced this issue Mar 21, 2022
…19490)

Closes #19487

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
