aws-rds: is it possible to implement addRotationSingleUser / addRotationMultiUser for ServerlessClusterFromSnapshot? #27041

Open
clueleaf opened this issue Sep 7, 2023 · 2 comments
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database feature-request A feature should be added or improved. p2

Comments


clueleaf commented Sep 7, 2023

Describe the feature

While we can add secret rotation by using addRotationSingleUser and addRotationMultiUser on the ServerlessCluster construct, these methods are not implemented in ServerlessClusterFromSnapshot. I still prefer to rotate user secrets when creating a serverless cluster from a snapshot.

Are there any problems with adding these methods to ServerlessClusterFromSnapshot?
I would also appreciate any other recommended measures to achieve user rotation.

maybe related: #20434

Use Case

Achieve user rotation for an Aurora Serverless cluster created from a snapshot.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.92.0

Environment details (OS name and version, etc.)

macOS Ventura

@clueleaf clueleaf added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 7, 2023
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Sep 7, 2023
@indrora indrora added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 7, 2023

indrora commented Sep 7, 2023

Thanks for the suggestion. Is there a reasonable way to do this using CloudFormation currently, or does it require the SDK/CLI to perform this action?

(ignore the closure; accidental click)

@indrora indrora closed this as completed Sep 7, 2023
@indrora indrora reopened this Sep 7, 2023
@aws aws deleted a comment from github-actions bot Sep 7, 2023
@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 8, 2023

clueleaf commented Sep 8, 2023

Did some further research.
Related issues are #20434 and #21730 (the latter seemingly shouldn't have been closed).

When I created a DB cluster using the ServerlessCluster construct, the DB secret was stored in Secrets Manager all together, and we can perform addRotationSingleUser.

When using ServerlessClusterFromSnapshot to restore from a snapshot, the secret is not stored in Secrets Manager.
However, if I use the credentials property, like credentials: rds.SnapshotCredentials.fromGeneratedSecret(...) (which added the MasterUserPassword property to the cfn template), a new secret is stored in Secrets Manager, and I was able to log in to the database with it.

The tricky part is that, according to the CloudFormation documentation, we shouldn't specify the MasterUserPassword property when using SnapshotIdentifier. I have no idea why it actually worked.

Considering the above, I'm not sure what can be done regarding addRotationSingleUser when it is not recommended to store the master secret in Secrets Manager. But I think we can at least implement addRotationMultiUser, because this method explicitly requires a secret as its property.
