[elasticsearch] masterUserPassword does not accept SecretValue
`aws-elasticsearch` Domain construct / AdvancedSecurityOptions interface / masterUserPassword property does not accept SecretValue class in python version of the CDK.

I've tried passing a SecretValue from `aws_secretsmanager.Secret.secretValue`, based on this documentation, as well as `secretsmanager.Secret.fromSecretAttributes` and `SecretValue.plainText` based on this documentation, but each errors out with the same message:

```
jsii.errors.JSIIError: Expected object reference, got true
```
Reproduction Steps
```python
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch


# Attempt 1: a SecretValue built directly from a literal string
class ElasticSearchStack(core.Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)
        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": "master_user",
                "master_user_password": core.SecretValue('password')
            },
        )


app = core.App()
ElasticSearchStack(app, "es-domain", env={'region': 'us-west-2'}, )
```
```python
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
from aws_cdk import aws_secretsmanager as secretsmanager


# Attempt 2: a secret imported by ARN from another stack
class ElasticSearchStack(core.Stack):
    def __init__(self, scope, id, es_secret, **kwargs):
        super().__init__(scope, id, **kwargs)
        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": es_secret.secret.secret_name,
                "master_user_password": secretsmanager.Secret.from_secret_attributes(
                    self, 'es-secret-workaround', secret_arn=es_secret.secret.secret_arn)
            }
        )


app = core.App()
# SecretsManagerStack is the reporter's own stack exposing a `.secret` attribute;
# its definition is not shown in the issue.
es_secret = SecretsManagerStack(app, "es-secret", env={'region': 'us-west-2'})
ElasticSearchStack(app, "es-domain", es_secret, env={'region': 'us-west-2'}, )
```
```python
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
from aws_cdk import aws_secretsmanager as secretsmanager


# Attempt 3: a generated secret created in the same stack
class ElasticSearchStack(core.Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)
        secret = secretsmanager.Secret(
            self,
            "TemplatedSecret",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                secret_string_template='{"username": "es_master"}',
                generate_string_key="password",
            )
        )
        elasticsearch.Domain(
            self,
            'Domain',
            version=elasticsearch.ElasticsearchVersion.V7_1,
            capacity={
                'master_nodes': 5,
                'data_nodes': 20,
            },
            ebs={
                'volume_size': 20
            },
            zone_awareness={
                'availability_zone_count': 3
            },
            logging={
                'slow_search_log_enabled': True,
                'app_log_enabled': True,
                'slow_index_log_enabled': True,
            },
            encryption_at_rest=True,  # Must be enabled for fine_grained_access_control
            node_to_node_encryption=True,  # Must be enabled for fine_grained_access_control
            fine_grained_access_control={
                "master_user_name": secret.secret_name,
                "master_user_password": secret.secret_value
            }
        )


app = core.App()
ElasticSearchStack(app, "test-es-cluster", env={'region': 'us-west-2'})
```
What did you expect to happen?
I expected `cdk synth` to return a valid cloud-formation template or running the file in python would not produce an error.
What actually happened?
```
jsii.errors.JavaScriptError:
  Error: Expected object reference, got true
      at Object.deserialize (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6927:23)
      at Kernel._toSandbox (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8328:61)
      at /Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6959:29
      at mapValues (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7231:27)
      at Object.deserialize (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6955:20)
      at Kernel._toSandbox (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8328:61)
      at /Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8381:33
      at Array.map (<anonymous>)
      at Kernel._boxUnboxParameters (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8381:19)
      at Kernel._wrapSandboxCode (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8422:19)
      at Kernel._create (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7934:26)
      at Kernel.create (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7678:21)
      at KernelHost.processRequest (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7458:28)
      at KernelHost.run (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7396:14)
      at Immediate._onImmediate (/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7399:37)
      at processImmediate (internal/timers.js:458:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/spage/.pyenv/versions/3.7.6/lib/python3.7/runpy.py", line 183, in _run_module_as_main
    mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
  File "/Users/spage/.pyenv/versions/3.7.6/lib/python3.7/runpy.py", line 109, in _get_module_details
    __import__(pkg_name)
  File "/Users/spage/Developer/cdk-test/elasticsearch_cdk/elasticsearch_stack.py", line 51, in <module>
    x = ElasticSearchStack(app, "test-es-cluster", env={'region': 'us-west-2'})
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/spage/Developer/cdk-test/elasticsearch_cdk/elasticsearch_stack.py", line 45, in __init__
    "master_user_password": secret.secret_value
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/aws_cdk/aws_elasticsearch/__init__.py", line 4478, in __init__
    jsii.create(Domain, self, [scope, id, props])
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/__init__.py", line 257, in create
    for iface in getattr(klass, "__jsii_ifaces__", [])
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/providers/process.py", line 336, in create
    return self._process.send(request, CreateResponse)
  File "/Users/spage/Developer/cdk-test/.env/lib/python3.7/site-packages/jsii/_kernel/providers/process.py", line 321, in send
    raise JSIIError(resp.error) from JavaScriptError(resp.stack)
jsii.errors.JSIIError: Expected object reference, got true
```
Environment
- **CLI Version:** 1.68.0 (build a6a3f46)
- **Framework Version:** (How do I find this?)
- **Node.js Version:** v14.5.0
- **OS:** macOS 10.15.6
- **Language (Version):** Python 3.7.6
Other
This is 🐛 Bug Report
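
A check a reviewer could run over the synthesized CloudFormation template to see whether a domain's `MasterUserPassword` is a Secrets Manager dynamic reference or a literal string, which is what separates the `secret_value` attempts above from `SecretValue.plainText`. This is an added example, not code from the issue or from the CDK project; the sample template, its logical IDs and the function names are constructed for illustration, and it assumes only the `AdvancedSecurityOptions.MasterUserOptions.MasterUserPassword` property path of `AWS::Elasticsearch::Domain`.

```python
import json

ES_DOMAIN = "AWS::Elasticsearch::Domain"
DYNAMIC_REF = "{{resolve:secretsmanager:"

def literal_text(value):
    """Flatten a template value to text; deploy-time intrinsics become a marker."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(literal_text(p) for p in parts)
    return "<intrinsic>"  # Ref, Fn::GetAtt, ...: only known at deploy time

def classify(value):
    text = literal_text(value)
    if text.startswith(DYNAMIC_REF) and text.endswith("}}"):
        return "secretsmanager-reference"
    if isinstance(value, str):
        return "plaintext"  # the password itself is readable in the template
    return "review"  # some other intrinsic; check where the value comes from

def audit_template(template):
    """Map each Elasticsearch domain's logical ID to how its master password is set."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ES_DOMAIN:
            continue
        options = (resource.get("Properties", {})
                   .get("AdvancedSecurityOptions", {})
                   .get("MasterUserOptions", {}))
        if "MasterUserPassword" in options:
            findings[logical_id] = classify(options["MasterUserPassword"])
    return findings

def _domain(password):  # constructed sample resource, not real synth output
    return {"Type": ES_DOMAIN, "Properties": {"AdvancedSecurityOptions": {
        "Enabled": True,
        "MasterUserOptions": {"MasterUserName": "master_user",
                              "MasterUserPassword": password}}}}

SAMPLE = {"Resources": {
    "PlainDomain": _domain("password"),
    "SecretDomain": _domain({"Fn::Join": ["", [
        DYNAMIC_REF, {"Ref": "TemplatedSecret"}, ":SecretString:password::}}"]]}),
    "ParamDomain": _domain({"Ref": "MasterPasswordParam"}),
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE), indent=2))
```

To audit a real stack, load the JSON template that `cdk synth` writes and pass the parsed dict to `audit_template`.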
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (2 by maintainers)
Top GitHub Comments
Understood, thanks for the responses @iliapolo !
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.