
(aws_rds): addRotationMultiUser secrets missing engine on bootstrap


Describe the bug

When I addRotationMultiUser with a DatabaseSecret,

// cluster is the aws_rds.DatabaseCluster created earlier in the stack;
// encryptionKey is an existing aws_kms.IKey (both defined elsewhere in the stack).
const secret = new aws_rds.DatabaseSecret(this, 'Secret', {
  username: 'a_user_name',
  encryptionKey,
  secretName: 'aUserName',
  masterSecret: cluster.secret,
});
cluster.addRotationMultiUser('aUserName', { secret });

the rotation lambda fails with

[ERROR] KeyError: "Database engine must be set to 'postgres' in order to use this rotation lambda"
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 77, in lambda_handler
    create_secret(service_client, arn, token)
  File "/var/task/lambda_function.py", line 113, in create_secret
    current_dict = get_secret_dict(service_client, arn, "AWSCURRENT")
  File "/var/task/lambda_function.py", line 451, in get_secret_dict
    raise KeyError("Database engine must be set to 'postgres' in order to use this rotation lambda")

Expected Behavior

It should work.

Current Behavior

It doesn’t work.

Reproduction Steps

import { App, Stack, StackProps, aws_ec2, aws_rds } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps = {}) {
    super(scope, id, props);

    const vpc = aws_ec2.Vpc.fromLookup(this, 'VPC', {
      tags: { TheVpc: 'Default' }, // or whatever.
    });

    const cluster = new aws_rds.DatabaseCluster(this, 'MyCluster', {
      credentials: {
        username: 'manager',
      },
      engine: aws_rds.DatabaseClusterEngine.auroraPostgres({
        version: aws_rds.AuroraPostgresEngineVersion.VER_12_8,
      }),
      instanceProps: {
        instanceType: aws_ec2.InstanceType.of(
          aws_ec2.InstanceClass.T3,
          aws_ec2.InstanceSize.MEDIUM
        ),
        vpc,
      },
      instances: 1, // be cheap
    });
    cluster.addRotationSingleUser();

    const secret = new aws_rds.DatabaseSecret(this, 'ReaderSecret', {
      username: 'reader',
      masterSecret: cluster.secret,
    });

    cluster.addRotationMultiUser('ReaderRotation', { secret });
  }
}

// for development, use account/region from cdk cli
const devEnv = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: process.env.CDK_DEFAULT_REGION,
};

const app = new App();

new MyStack(app, 'my-stack-dev', { env: devEnv });

app.synth();

Chase down the substack for the multi-rotation, find the lambda, find its execution logs. Lo and behold, an error message appears!

Possible Solution

aws_rds.DatabaseSecret() should be bootstrapping the secret with basics from the masterSecret.

Additional Information/Context

No response

CDK CLI Version

2.18.0 (build 75c90fa)

Framework Version

same

Node.js Version

v16.13.1

OS

Darwin Kernel Version 21.2.0: Sun Nov 28 20:29:10 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T8101 arm64

Language

Typescript

Language Version

"typescript": "^4.6.3"

Other information

No response

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 23 (21 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Apr 7, 2022

Ah, got it. I mean, yeah, if the rotation application has some bug, then yes, it needs to be fixed upstream.

Note that the current rotation applications we use in the CDK are also very old - maybe the problem has been fixed in newer versions already. We have an open issue about it (https://github.com/aws/aws-cdk/issues/18249), you can use this workaround: https://github.com/aws/aws-cdk/issues/18249#issuecomment-1005121223 for now if you want to try updating the application to the latest version, and seeing if that helps.

0 reactions
ahammond commented, Jul 4, 2022

@xplsek03 I think it was because I didn’t attach the secret.
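The comment above points at the actual cause: a DatabaseSecret created on its own only carries the username, the generated password and the master secret ARN, while the rotation function refuses any secret that does not also describe the database it belongs to. In CDK terms the missing step is `secret.attach(cluster)`, with the attached secret (the return value) passed to addRotationMultiUser. The Python below is an added illustration, not code from the issue, the CDK, or the AWS rotation function: it models the check that the rotation Lambda's get_secret_dict performs (the engine test is the one quoted in the traceback; the required-field list is an assumption) and the connection fields that attaching a secret to an RDS target adds (the key names engine, host, port and dbClusterIdentifier are assumed from the Secrets Manager RDS rotation conventions). The secret and cluster values are constructed samples.

```python
"""Model of the secret layout the RDS PostgreSQL multi-user rotation function
expects, and of what attaching a secret to its cluster contributes.
Constructed for illustration; not the AWS rotation code or the CDK's own code."""
from __future__ import annotations

import json

# Fields the rotation function needs in the secret JSON (assumed list).
REQUIRED_FIELDS = ("host", "username", "password", "engine")


def get_secret_dict(secret_string: str) -> dict:
    """Parse a SecretString and validate it the way the rotation Lambda does:
    the engine must be 'postgres' and the connection fields must be present.
    Raises KeyError otherwise, matching the failure seen in the issue."""
    secret = json.loads(secret_string)
    if secret.get("engine") != "postgres":
        raise KeyError("Database engine must be set to 'postgres' in order to use this rotation lambda")
    missing = [field for field in REQUIRED_FIELDS if field not in secret]
    if missing:
        raise KeyError(f"{missing[0]} key is missing from secret JSON")
    return secret


def attach_to_cluster(secret: dict, cluster: dict) -> dict:
    """Model of secret.attach(cluster): copy the secret and add the target
    database's connection details (key names are an assumption)."""
    attached = dict(secret)
    attached.update(
        {
            "engine": cluster["engine"],
            "host": cluster["host"],
            "port": cluster["port"],
            "dbClusterIdentifier": cluster["id"],
        }
    )
    return attached


def rotation_preflight(secret: dict) -> tuple[bool, str]:
    """Non-raising wrapper: (ok, reason). Useful as a pre-deploy check on a
    secret before enabling rotation on it."""
    try:
        get_secret_dict(json.dumps(secret))
    except KeyError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample: what a standalone DatabaseSecret holds (no engine/host).
STANDALONE_SECRET = {
    "username": "reader",
    "password": "<generated-by-secrets-manager>",
    "masterarn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyClusterSecret-EXAMPLE",
}

# Constructed sample cluster details that an attachment would contribute.
SAMPLE_CLUSTER = {
    "id": "my-cluster",
    "engine": "postgres",
    "host": "my-cluster.cluster-example.us-east-1.rds.amazonaws.com",
    "port": 5432,
}

if __name__ == "__main__":
    # Unattached secret: rejected with the engine error from the issue.
    print(rotation_preflight(STANDALONE_SECRET))
    # Attached secret: passes the rotation function's validation.
    print(rotation_preflight(attach_to_cluster(STANDALONE_SECRET, SAMPLE_CLUSTER)))
```

Running it shows the unattached secret failing with the same engine message the Lambda logged, and the attached copy passing; the same preflight, fed the real SecretString fetched from Secrets Manager, tells you before deploying a rotation whether the secret has been attached.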
