Fix secrets rotation workflow and improve rotation lambda logic#615
- Added exit statements in the secrets rotation workflow to handle timeout scenarios more effectively, ensuring the process fails gracefully.
- Improved PostgreSQL secret handling by using `psycopg2.sql.Identifier` for safe username quoting, preventing potential SQL injection vulnerabilities.
- Updated error handling in the `finish_secret` function to raise a ValueError when no AWSCURRENT version is found, ensuring clear failure states for secret rotations.
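The second bullet is the security-relevant change: with `psycopg2.extensions.AsIs` the username from the secret is spliced into the `ALTER USER` statement verbatim, whereas `sql.Identifier` emits it as one quoted identifier. The following is an added example, not code from this PR or the rotation Lambda; it reproduces the two outputs in pure Python so it runs without a database, and assumes PostgreSQL's identifier rule (wrap in double quotes, double any embedded quote), which is what `sql.Identifier` produces through the server's `quote_ident`. The `alter_user_with_psycopg2` helper shows the real call shape and is not exercised here.

```python
"""Identifier quoting in the rotation Lambda's ALTER USER statement.

Added example (not code from PR #615). The quoting rule assumed here is
PostgreSQL's: wrap the name in double quotes and double any embedded
double quote. psycopg2.sql.Identifier applies that rule; AsIs applies none.
"""

# The username slot is an identifier; the password slot stays a %s
# placeholder that the driver binds as a literal, never as SQL text.
ALTER_TEMPLATE = "ALTER USER {user} WITH PASSWORD %s"


def quote_ident(name: str) -> str:
    """Emit `name` as exactly one double-quoted SQL identifier."""
    if "\0" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def build_alter_user_unsafe(username: str) -> str:
    """Old behaviour: AsIs() splices the username in verbatim, so whatever
    characters the secret holds become part of the SQL text."""
    return ALTER_TEMPLATE.format(user=username)


def build_alter_user_safe(username: str) -> str:
    """New behaviour: the username is one quoted identifier, nothing more."""
    return ALTER_TEMPLATE.format(user=quote_ident(username))


def username_is_single_identifier(statement: str, username: str) -> bool:
    """True when the statement holds the username only as the quoted
    identifier between ALTER USER and WITH PASSWORD."""
    prefix, sep, rest = statement.partition(" WITH PASSWORD %s")
    return sep != "" and rest == "" and prefix == f"ALTER USER {quote_ident(username)}"


def alter_user_with_psycopg2(conn, username: str, new_password: str) -> None:
    """Same statement issued through a real psycopg2 connection (assumed
    connection object; psycopg2 is imported lazily so the module loads
    without it)."""
    from psycopg2 import sql

    stmt = sql.SQL("ALTER USER {} WITH PASSWORD %s").format(sql.Identifier(username))
    with conn.cursor() as cur:
        cur.execute(stmt, (new_password,))


if __name__ == "__main__":
    for name in ("app_user", 'odd "name"'):  # constructed sample usernames
        print("unsafe:", build_alter_user_unsafe(name))
        print("safe:  ", build_alter_user_safe(name))
```

A username such as `odd "name"` comes out of the safe builder as `"odd ""name"""`, a single identifier token, while the unsafe builder leaves the characters loose in the statement; the password is never formatted into the string in either path.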
@claude please review this PR
Claude finished @jfrench9's task in 1m 50s
PR Review: Fix secrets rotation workflow and improve rotation lambda logic
Overall this is a solid set of bugfixes with one genuine security improvement. All four changes are correct. Details below.
| Change | Verdict |
|---|---|
| Workflow `exit 1` on timeout (×4) | ✅ Correct — prevents false-positive success on timeout |
| `sql.Identifier` for username | ✅ Security fix — closes SQL injection via `AsIs()` |
| Log key `username` → `POSTGRES_USER` | ✅ Correct — key matches secret structure |
| `finishSecret` raise instead of warn | ✅ Correct — prevents half-rotated state in both Lambdas |
All changes are backward-compatible. The Lambdas will need redeployment to pick up the updated logic, as the PR notes. No blocking issues — this is good to merge.
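The last row of the review table concerns the finish step of the rotation: if no version carries the AWSCURRENT stage, the Lambda must stop rather than log a warning and return, because returning would leave AWSPENDING set with nothing marked current. The following is an added example, not the PR's Lambda code; it follows the shape of the AWS rotation template's finish step with the PR's change applied. The `FakeSecretsManager` class, the version ids and the ARN are constructed here so the logic runs offline, and the stand-in simplifies the real service by not assigning AWSPREVIOUS to the demoted version.

```python
"""Finish step of a Secrets Manager rotation Lambda, failing loudly.

Added example (not code from PR #615). finish_secret mirrors the AWS rotation
template's finishSecret step; FakeSecretsManager is a constructed stand-in
for the boto3 secretsmanager client covering only the two calls used.
"""
import logging

logger = logging.getLogger(__name__)


def finish_secret(service_client, arn: str, token: str) -> str:
    """Move the AWSCURRENT stage to version `token`, demoting the old one.

    Returns the version id that ends up AWSCURRENT. Raises ValueError when
    the secret has no AWSCURRENT version at all (the PR's change: a warning
    here would let the rotation report success while half done).
    """
    metadata = service_client.describe_secret(SecretId=arn)
    current_version = None
    for version, stages in metadata.get("VersionIdsToStages", {}).items():
        if "AWSCURRENT" in stages:
            if version == token:
                # Already finished (e.g. a retried invocation): nothing to do.
                logger.info("Version %s already AWSCURRENT for %s", version, arn)
                return version
            current_version = version
            break

    if current_version is None:
        raise ValueError(f"No AWSCURRENT version found for secret {arn}")

    service_client.update_secret_version_stage(
        SecretId=arn,
        VersionStage="AWSCURRENT",
        MoveToVersionId=token,
        RemoveFromVersionId=current_version,
    )
    logger.info("Marked version %s AWSCURRENT for %s", token, arn)
    return token


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 secretsmanager client."""

    def __init__(self, stages: dict):
        # version id -> set of staging labels, e.g. {"v1": {"AWSCURRENT"}}
        self.stages = {version: set(labels) for version, labels in stages.items()}
        self.calls = []  # record of update_secret_version_stage invocations

    def describe_secret(self, SecretId):
        return {
            "ARN": SecretId,
            "VersionIdsToStages": {v: sorted(s) for v, s in self.stages.items()},
        }

    def update_secret_version_stage(self, SecretId, VersionStage,
                                    MoveToVersionId, RemoveFromVersionId):
        self.calls.append((VersionStage, MoveToVersionId, RemoveFromVersionId))
        self.stages[RemoveFromVersionId].discard(VersionStage)
        self.stages[MoveToVersionId].add(VersionStage)
        return {"ARN": SecretId}


def rotation_fails_loudly(service_client, arn: str, token: str) -> bool:
    """Helper for the edge case: True when finish_secret refuses to proceed."""
    try:
        finish_secret(service_client, arn, token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    client = FakeSecretsManager({"v1": ["AWSCURRENT"], "v2": ["AWSPENDING"]})
    print("finished:", finish_secret(client, "arn:demo", "v2"))
    broken = FakeSecretsManager({"v2": ["AWSPENDING"]})  # no current version
    print("refused half-rotated secret:", rotation_fails_loudly(broken, "arn:demo", "v2"))
```

The second invocation with the same token returns without another stage move, so a retried Lambda stays idempotent, while the secret with no AWSCURRENT version raises and lets Secrets Manager record the rotation as failed instead of succeeded.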
Summary
This PR addresses several issues in the secrets rotation infrastructure, improving the reliability and correctness of the PostgreSQL and Valkey rotation Lambda functions, as well as the GitHub Actions workflow that orchestrates secret rotation.
Key Accomplishments
Workflow Enhancements
PostgreSQL Rotation Lambda Fixes
Valkey Rotation Lambda Fixes
Breaking Changes
None. These are backward-compatible bugfixes to existing rotation infrastructure. The rotation Lambdas maintain the same interface and integration points with AWS Secrets Manager.
Testing Notes
Infrastructure Considerations
🤖 Generated with Claude Code
Branch Info: bugfix/secrets-rotation-fixes → main
Co-Authored-By: Claude <noreply@anthropic.com>