(aws-rds): addRotationMultiUser() changes the username, adds _clone suffix #20704
Comments
From the logs:
Hi @ahammond, The multi user strategy works with two sets of credentials to maximize availability, have a look at This is the expected behavior.

@jogold this is totally on me. Thank you for the link, that totally clarifies things! I was working on the mistaken assumption that
Adds docs to clarify the semantics of rotations. Closes #20704

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Assuming you have a

```ts
const myHostedRotation = HostedRotation.mysqlSingleUser({ vpc: myVpc });
mySecret.addRotationSchedule('Rotation', {
  hostedRotation: myHostedRotation,
});
myDb.allowDefaultPortFrom(myHostedRotation);
```

PS1: if you want to play with

PS2: JSON format for secret

```json
{
  "engine": "<required: database engine>",
  "host": "<required: instance host name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name>",
  "port": "<optional: if not specified, default port will be used>"
}
```
@jogold WRT the To clarify, in order to add a user to my aurora instance via CDK, I would need to
The code is at https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/80b407354909519cf4f2d744c2d9dace09b05d39/SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py#L118 =>

Yes, you can use a

Yes or create it by any other means

You can add it immediately, it will only start/succeed when the user is correctly created in the DB

@jogold this is awesome! Thank you so much, Is there a canonical example that shows all of this stuff? Also, I recognize that set of
Looks like they added

```ts
const rotationSchedule = mySecret.addRotationSchedule('Rotation', {
  hostedRotation: HostedRotation.mysqlSingleUser({ vpc: myVpc }),
});
const cfnRotationSchedule = rotationSchedule.node.defaultChild as CfnRotationSchedule;
cfnRotationSchedule.addPropertyOverride('HostedRotationLambda.ExcludeCharacters', '<your chars>');
```

Will open a PR to add this option.
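As an added illustration (not code from aws-cdk or the AWS rotation Lambdas), the following TypeScript models the secret JSON format quoted above and the multi-user rotation step this thread clarifies: each rotation switches the secret's username between `<user>` and `<user>_clone` and sets a fresh password, skipping the characters an ExcludeCharacters override would forbid. The function and interface names are assumptions chosen for the example.

```typescript
// Added illustration, not code from aws-cdk or the AWS rotation Lambdas: models
// the secret JSON layout quoted above and the multi-user rotation step, where
// the username alternates between "<user>" and "<user>_clone" so one set of
// credentials stays valid while the other is being rotated.
import { randomInt } from "node:crypto";

// Secret layout for RDS/Aurora hosted rotation (keys as listed in the thread).
interface RdsSecret {
  engine: string;
  host: string;
  username: string;
  password: string;
  dbname?: string;
  port?: string;
}

const CLONE_SUFFIX = "_clone";
const REQUIRED_KEYS = ["engine", "host", "username", "password"];

// Parse the secret JSON and reject it if any required key is missing or empty.
function parseSecret(json: string): RdsSecret {
  const obj = JSON.parse(json) as Record<string, unknown>;
  for (const key of REQUIRED_KEYS) {
    if (typeof obj[key] !== "string" || obj[key] === "") {
      throw new Error(`secret is missing required key "${key}"`);
    }
  }
  return obj as unknown as RdsSecret;
}

// Multi-user strategy: the next secret version names the other user of the pair.
function alternateUsername(username: string): string {
  return username.endsWith(CLONE_SUFFIX)
    ? username.slice(0, -CLONE_SUFFIX.length)
    : username + CLONE_SUFFIX;
}

// Random password of printable ASCII, skipping `exclude` (the idea behind the
// HostedRotationLambda.ExcludeCharacters override mentioned above).
function generatePassword(length: number, exclude: string): string {
  const alphabet = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i))
    .filter((c) => !exclude.includes(c));
  return Array.from({ length }, () => alphabet[randomInt(alphabet.length)]).join("");
}

// One rotation step: same connection details, alternate user, fresh password.
function rotateMultiUser(current: RdsSecret, exclude = "\"@/\\"): RdsSecret {
  return { ...current, username: alternateUsername(current.username),
           password: generatePassword(32, exclude) };
}
```

Two consecutive calls to `rotateMultiUser` bring the username back to its original value, which is why the `_clone` suffix observed in the issue is expected rather than a defect.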
Describe the bug

After our rotator lambda ran, we discovered that the username in the secret had been changed to add a _clone suffix.

Expected Behavior

The rotator should rotate the password without completely undocumented side-effects like, for example, changing the username.

Current Behavior

Our users with addRotationMultiUser() are getting their usernames changed.

Reproduction Steps
```ts
import { Aurora } from '@time-loop/cdk-aurora';
import { App, aws_ec2, aws_kms, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Namer } from 'multi-convention-namer';

export class AuroraDemoStack extends Stack {
  constructor(scope: Construct, props: StackProps) {
    const id = new Namer(['aurora', 'demo']);
    super(scope, id.pascal, props);
  }
}

// for development, use account/region from cdk cli
const devEnv = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: process.env.CDK_DEFAULT_REGION,
};

const app = new App();
new AuroraDemoStack(app, { env: devEnv });
app.synth();
```
Possible Solution
I think that the decision to SAM in the rotator functions has been a mess. These rotator functions should be rewritten in TypeScript and inlined into the code and actually managed.
Related issues
Additional Information/Context
No response
CDK CLI Version
2.27.0 (build 8e89048)
Framework Version
2.27.0
Node.js Version
v16.13.1
OS
Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:29 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T8101 arm64
Language
Typescript
Language Version
4.7.3
Other information
No response