
(aws-rds): Cannot change removal policy of DatabaseInstance's admin secret

What is the problem?

It’s not possible to change the default DatabaseInstance.secret removal policy. The instance of the secret does have an apply_removal_policy method bound to it (I can see it when printing dir(secret)), but calling it makes no difference.

Reproduction Steps

Create a rds.DatabaseInstance and the master secret will have a default removal policy DELETE with no way to change it (even if changing the removal policy of the instance).

What did you expect to happen?

I would expect that calling rds_instance.secret.apply_removal_policy would apply the removal policy.

What actually happened?

It doesn’t.

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

1.134.0

Node.js Version

v16.12.0

OS

Arch Linux 5.15.4-arch1-1

Language

Python

Language Version

3.9.7

Other information

No response

Top GitHub Comments

mskrip commented, Dec 20, 2021

@skinny85 Yes, that makes sense. Maybe it would be useful if SecretTargetAttachment had a reference to the Secret resource it’s attaching so the policies can be applied explicitly. But that might be too much of a change to the interface so I’m not sure.

peterwoodworth commented, Nov 26, 2021

I believe this is because the secret is declared as an ISecret, which doesn’t have the applyRemovalPolicy() function. I’m not sure if this is something that we can change.

To work around this and apply the removal policy you want to the secret, you can use an escape hatch!

Here’s an example for TypeScript, let me know if you need one for Python.

    // Inside a Stack constructor. Assumes DatabaseInstance, DatabaseInstanceEngine,
    // DatabaseSecret and PostgresEngineVersion from '@aws-cdk/aws-rds', RemovalPolicy
    // from '@aws-cdk/core', and an existing ec2.Vpc named `vpc`.
    const db = new DatabaseInstance(this, 'db', {
      vpc: vpc,
      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_13_4 }),
    });

    // Escape hatch: db.secret is typed as ISecret, so reach the concrete DatabaseSecret
    // through the construct tree. Index 2 depends on the order in which DatabaseInstance
    // creates its children, so re-check it after upgrading the CDK.
    const secret = db.node.children[2] as DatabaseSecret;
    secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
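The same escape hatch in Python, the reporter's language, as an added example that is not code from the issue, the maintainers, or the CDK project. It assumes CDK v1 (`aws_cdk.core`, `aws_cdk.aws_rds`, the line on the page), and instead of the fixed `children[2]` index it selects the child by construct type and raises if zero or several match, so a CDK upgrade that reorders children cannot silently retain the wrong resource; `find_child_by_type` and `apply_secret_removal_policy` are names introduced here.

```python
"""Retain the DatabaseInstance's generated admin secret via an escape hatch.

The helper only relies on the `.node.children` shape of a construct, so it
can be exercised offline; the CDK-specific wiring lives under __main__.
"""


def find_child_by_type(scope, type_name):
    """Return the single direct child of `scope` whose class is named `type_name`.

    Matching on the class name (rather than isinstance) keeps this helper free
    of CDK imports. Raises LookupError unless exactly one child matches, which
    is safer than indexing into `children` by position.
    """
    matches = [c for c in scope.node.children if type(c).__name__ == type_name]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one {type_name} under {scope!r}, found {len(matches)}"
        )
    return matches[0]


def apply_secret_removal_policy(db, policy):
    """Locate the DatabaseSecret child of `db` and apply `policy` to it.

    `policy` is a core.RemovalPolicy value (RETAIN keeps the secret when the
    stack is deleted). Returns the secret so callers can keep a reference.
    """
    secret = find_child_by_type(db, "DatabaseSecret")
    secret.apply_removal_policy(policy)
    return secret


if __name__ == "__main__":
    # CDK v1 usage (requires aws-cdk.core, aws-cdk.aws-ec2, aws-cdk.aws-rds).
    from aws_cdk import core, aws_ec2 as ec2, aws_rds as rds

    app = core.App()
    stack = core.Stack(app, "DbStack")
    vpc = ec2.Vpc(stack, "Vpc")
    db = rds.DatabaseInstance(
        stack, "db",
        vpc=vpc,
        engine=rds.DatabaseInstanceEngine.postgres(
            version=rds.PostgresEngineVersion.VER_13_4),
    )
    apply_secret_removal_policy(db, core.RemovalPolicy.RETAIN)
    app.synth()
```

After `cdk synth`, the secret's resource in the template should carry `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain`, which is the quickest way to confirm the policy actually landed.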
