[elasticsearch] masterUserPassword does not accept SecretValue

aws-elasticsearch Domain construct / AdvancedSecurityOptions interface / masterUserPassword property does not accept SecretValue class in the Python version of the CDK.

I’ve tried passing a SecretValue from aws_secretsmanager.Secret.secretValue, based on this documentation, as well as secretsmanager.Secret.fromSecretAttributes and SecretValue.plainText based on this documentation, but each errors out with the same message:

jsii.errors.JSIIError: Expected object reference, got true

Reproduction Steps

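# CDK v1 imports used by the snippets below
from aws_cdk import core, aws_elasticsearch as elasticsearch, aws_secretsmanager as secretsmanager

class ElasticSearchStack(core.Stack):

    def __init__(self, scope, id, **kwargs):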
        super().__init__(scope, id, **kwargs)

        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": "master_user",
                "master_user_password": core.SecretValue('password')
            },
        )

app = core.App()
ElasticSearchStack(app, "es-domain", env={'region': 'us-west-2'}, )

class ElasticSearchStack(core.Stack):

    def __init__(self, scope, id, es_secret, **kwargs):
        super().__init__(scope, id, **kwargs)

        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": es_secret.secret.secret_name,
                "master_user_password": secretsmanager.Secret.from_secret_attributes(
                    self, 'es-secret-workaround', secret_arn=es_secret.secret.secret_arn)
            }
        )

app = core.App()
es_secret = SecretsManagerStack(app, "es-secret", env={'region': 'us-west-2'})
ElasticSearchStack(app, "es-domain", es_secret, env={'region': 'us-west-2'}, )

class ElasticSearchStack(core.Stack):

    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)

        secret = secretsmanager.Secret(
            self,
            "TemplatedSecret",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                secret_string_template='{"username": "es_master"}',
                generate_string_key="password",
            )
        )

        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            capacity={
                'master_nodes': 5,
                'data_nodes': 20,
            },
            ebs={
                'volume_size': 20
            },
            zone_awareness={
                'availability_zone_count': 3
            },
            logging={
                'slow_search_log_enabled': True,
                'app_log_enabled': True,
                'slow_index_log_enabled': True,
            },
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": secret.secret_name,
                "master_user_password": secret.secret_value
            }
        )


app = core.App()
ElasticSearchStack(app, "test-es-cluster", env={'region': 'us-west-2'})

What did you expect to happen?

I expected cdk synth to return a valid CloudFormation template, or that running the file in Python would not produce an error.

What actually happened?

jsii.errors.JavaScriptError:
  Error: Expected object reference, got true
      at Object.deserialize (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6927:23)
      at Kernel._toSandbox (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8328:61)
      at /Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6959:29
      at mapValues (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7231:27)
      at Object.deserialize (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6955:20)
      at Kernel._toSandbox (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8328:61)
      at /Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8381:33
      at Array.map (<anonymous>)
      at Kernel._boxUnboxParameters (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8381:19)
      at Kernel._wrapSandboxCode (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8422:19)
      at Kernel._create (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7934:26)
      at Kernel.create (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7678:21)
      at KernelHost.processRequest (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7458:28)
      at KernelHost.run (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7396:14)
      at Immediate._onImmediate (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7399:37)
      at processImmediate (internal/timers.js:458:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/spage/.pyenv/versions/3.7.6/lib/python3.7/runpy.py", line 183, in _run_module_as_main
    mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
  File "/Users/spage/.pyenv/versions/3.7.6/lib/python3.7/runpy.py", line 109, in _get_module_details
    __import__(pkg_name)
  File "/Users/spage/Developer/cdk-test/elasticsearch_cdk/elasticsearch_stack.py", line 51, in <module>
    x = ElasticSearchStack(app, "test-es-cluster", env={'region': 'us-west-2'})
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/spage/Developer/cdk-test/elasticsearch_cdk/elasticsearch_stack.py", line 45, in __init__
    "master_user_password": secret.secret_value
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/aws_cdk/aws_elasticsearch/__init__.py", line 4478, in __init__
    jsii.create(Domain, self, [scope, id, props])
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/__init__.py", line 257, in create
    for iface in getattr(klass, "__jsii_ifaces__", [])
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/providers/process.py", line 336, in create
    return self._process.send(request, CreateResponse)
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/providers/process.py", line 321, in send
    raise JSIIError(resp.error) from JavaScriptError(resp.stack)
jsii.errors.JSIIError: Expected object reference, got true

Environment

  • CLI Version: 1.68.0 (build a6a3f46)
  • Framework Version: (How do I find this?)
  • Node.js Version: v14.5.0
  • OS: macOS 10.15.6
  • Language (Version): Python 3.7.6

Other


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
bosatsu commented, Oct 26, 2020

Understood, thanks for the responses @iliapolo!
