(aws-rds): Cannot change removal policy of DatabaseInstance's admin secret
What is the problem?
It’s not possible to change the default DatabaseInstance.secret removal policy. The instance of the secret does have an apply_removal_policy method bound to it (I can see it when printing dir(secret)), but calling it makes no difference.
Reproduction Steps
Create a rds.DatabaseInstance and the master secret will have a default removal policy DELETE with no way to change it (even if changing the removal policy of the instance).
What did you expect to happen?
I would expect that calling rds_instance.secret.apply_removal_policy would apply the removal policy.
What actually happened?
It doesn’t
CDK CLI Version
1.134.0 (build dd5e12d)
Framework Version
1.134.0
Node.js Version
v16.12.0
OS
Arch Linux 5.15.4-arch1-1
Language
Python
Language Version
3.9.7
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (5 by maintainers)
Top GitHub Comments
@skinny85 Yes, that makes sense. Maybe it would be useful if SecretTargetAttachment had a reference to the Secret resource it’s attaching so the policies can be applied explicitly. But that might be too much of a change to the interface so I’m not sure.

I believe this is because the secret is declared as an ISecret, which doesn’t have the applyRemovalPolicy() function. I’m not sure if this is something that we can change.

To work around this and apply the removal policy you want to the secret, you can use an escape hatch!
Here’s an example for TypeScript, let me know if you need one for Python.
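
Added example, not part of the issue thread and not the TypeScript snippet the comment above refers to: a Python check that scans a synthesized CloudFormation template (such as `cdk synth` output) for Secrets Manager secrets attached to an RDS target that would still be deleted with the stack. The sample template and its logical IDs are constructed, and it assumes the Retain policy landed on the attachment rather than on the secret.

```python
import json

# Constructed sample shaped like `cdk synth` output; logical IDs are made up.
# Assumption: the Retain policy reached the attachment, not the secret itself.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "DbSecretAAAA": {
    "Type": "AWS::SecretsManager::Secret",
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"},
  "DbSecretAttachmentBBBB": {
    "Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {"SecretId": {"Ref": "DbSecretAAAA"},
                   "TargetId": {"Ref": "DbCCCC"},
                   "TargetType": "AWS::RDS::DBInstance"},
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"},
  "DbCCCC": {
    "Type": "AWS::RDS::DBInstance",
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"}
}}
""")

POLICY_ATTRS = ("DeletionPolicy", "UpdateReplacePolicy")


def unretained_rds_secrets(template):
    """Map each RDS-attached secret's logical ID to its non-Retain policies."""
    resources = template.get("Resources", {})
    findings = {}
    for res in resources.values():
        if res.get("Type") != "AWS::SecretsManager::SecretTargetAttachment":
            continue
        props = res.get("Properties", {})
        if not str(props.get("TargetType", "")).startswith("AWS::RDS::"):
            continue
        ref = props.get("SecretId")
        secret_id = ref.get("Ref") if isinstance(ref, dict) else None
        secret = resources.get(secret_id)
        if not secret or secret.get("Type") != "AWS::SecretsManager::Secret":
            continue  # secret is imported or defined outside this template
        # CloudFormation deletes the resource when either attribute is absent.
        bad = [f"{a}={secret.get(a, 'Delete (default)')}"
               for a in POLICY_ATTRS if secret.get(a) != "Retain"]
        if bad:
            findings[secret_id] = bad
    return findings


if __name__ == "__main__":
    print(unretained_rds_secrets(SAMPLE_TEMPLATE))
```

Run against the real synthesized template in CI, a non-empty result means the admin secret will not survive stack deletion or resource replacement.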