Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[rds] Database Secret broken after upgrade to 1.67

See original GitHub issue

After upgrading a stack from CDK 1.60 to 1.67 not only the password was regenerated without changing the database password (see https://github.com/aws/aws-cdk/issues/10716), also the values for host, port, dbName are entirely missing. Our application cannot access the DB anymore as all connection data was pulled from Secret Manager.

It seems like the changed ExcludeCharacters value caused a regenerate of the secret.

Environment

CLI Version :
Framework Version: 1.67.0
Node.js Version: 14.11
OS : MacOS 10.15.7
Language (Version): TypeScript 4.0.3

This is 🐛 Bug Report

Issue Analytics

State:
Created 3 years ago
Reactions:12
Comments:34 (25 by maintainers)

Top GitHub Comments

1reaction

alukachcommented, Oct 30, 2020

@jogold Great tip, thanks so much!

The following worked for me:

Add the code mentioned by @jogold to my construct. Deploy.
Copy the newly generated secret’s value and save it as the value of the old DB secret.
Remove the above-mentioned code from my construct. Deploy.

1reaction

jogoldcommented, Oct 30, 2020

This is how you can unblock yourself and upgrade (database is a rds.DatabaseInstance or rds.DatabaseCluster in the code below).

// Create a new DB secret, use the same username as the one currently used
const dbSecret = new rds.DatabaseSecret(this, 'Secret', { username: '<your master username here>' });

// Override MasterUserPassword property in AWS::RDS::DBInstance or AWS::RDS::DBCluster
const cfnDatabase = database.node.defaultChild as cdk.CfnResource;
cfnDatabase.addPropertyOverride('MasterUserPassword', dbSecret.secretValueFromJson('password').toString());

// Override SecretId property in the AWS::SecretsManager::SecretTargetAttachment
const attachment = database.secret?.node.defaultChild as cdk.CfnResource;
attachment.addPropertyOverride('SecretId', dbSecret.secretArn);

After this, if you need to reference your secret elsewhere in your code you can still use database.secret as it references the attachment and not the secret itself.

(your old secret remains in place and linked to your instance/cluster but for the username only: its password is now useless, not in sync with your database anymore)