Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rds): add support for manageMasterUserPassword in L2 construct #30997

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(rds): add support for manageMasterUserPassword in L2 construct #30997

wants to merge 7 commits into from
+2,104 −14

Conversation

epoctic
Copy link

@epoctic epoctic commented Aug 1, 2024
edited
Loading

Issue # (if applicable)

Closes #29239

Reason for this change

In order to make the properties in the manageMasterUserPassword of the L1 Construct CfnDBCluster configurable in the L2 Construct.

Even when using a CFN override to set manageMasterUserPassword, the L2 cluster construct would create an additional unused secret. This PR adds native support for the manageMasterUserPassword CloudFormation attribute and eliminates the extra secret that the workaround caused.

Description of changes

To ensure existing clusters wouldn't have a new cfn property added and set to false, I had to use a few conditional statements. I also wanted to make sure that the created secret supported a customer defined username and kms key.

Description of how you validated changes

I deployed a database cluster using the new code and logged into it using the managed password with custom username. I also manually triggered rotations on the secret and ensured that the newly generated secret also worked for logging into the database.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Aug 1, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team August 1, 2024 01:29
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 7ba289f to de886c9 Compare August 1, 2024 01:36
@epoctic epoctic mentioned this pull request Aug 1, 2024
Open
2 tasks
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 1, 2024
lpizzinidev
lpizzinidev suggested changes Aug 1, 2024
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍 Left some comments for adjustments.
Also, can you please add unit test coverage?

packages/aws-cdk-lib/aws-rds/lib/cluster.ts Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/lib/cluster.ts Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/README.md Outdated Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/README.md Show resolved Hide resolved
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 1, 2024
@github-actions github-actions bot mentioned this pull request Aug 5, 2024
Closed
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 0bd1d1d to 3909d7e Compare August 5, 2024 22:19
@epoctic epoctic changed the title feat(rds): add support for cluster managed master password in L2 cons… feat(rds): add support for manageMasterUserPassword in L2 construct Aug 5, 2024
@epoctic
Copy link
Author

epoctic commented Aug 6, 2024
edited
Loading

Thanks 👍 Left some comments for adjustments. Also, can you please add unit test coverage?

Done, sorry about the wait!

@epoctic epoctic requested a review from lpizzinidev August 6, 2024 00:04
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 58f8a79 to 5f89799 Compare August 6, 2024 17:58
@epoctic epoctic requested a review from lpizzinidev August 13, 2024 00:51
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch 2 times, most recently from c47961e to 02cebb7 Compare August 13, 2024 20:20
@epoctic
Copy link
Author

epoctic commented Aug 13, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 02cebb7
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

This failure doesn't seem to be related to code I've committed.

@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 02cebb7 to 744e065 Compare August 14, 2024 00:38
@github-actions github-actions bot mentioned this pull request Sep 1, 2024
Closed
@epoctic epoctic requested a review from a-bigelow September 5, 2024 13:29
@aws-cdk-automation
Copy link
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 744e065 to 7b0ecee Compare September 30, 2024 19:43
@antonfelich
Copy link

Any idea when this might be merged in? I've been using the CfnDBCluster ManageMasterUserPassword work around, but suddenly today it's decided not to work any more. The unused secret seems to be attaching to the cluster first, and then when the real secret is trying to attach it blows up because there already is one. CloudFormation just gives a Internal Failure (RequestToken: 6e94374a-4094-6627-e639-c8c95a165caf) which isn't particularly helpful unfortunately.

@epoctic
Copy link
Author

epoctic commented Oct 2, 2024
edited
Loading

Any idea when this might be merged in? I've been using the CfnDBCluster ManageMasterUserPassword work around, but suddenly today it's decided not to work any more. The unused secret seems to be attaching to the cluster first, and then when the real secret is trying to attach it blows up because there already is one. CloudFormation just gives a Internal Failure (RequestToken: 6e94374a-4094-6627-e639-c8c95a165caf) which isn't particularly helpful unfortunately.

@antonfelich I'm still waiting on a community approval, please feel free to review it!

@epoctic epoctic requested a review from Hawxy October 2, 2024 15:02
antonfelich
antonfelich approved these changes Oct 2, 2024
View reviewed changes
Copy link

@antonfelich antonfelich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, keen to see this out in the wild!

packages/aws-cdk-lib/aws-rds/lib/cluster.ts Show resolved Hide resolved
packages/aws-cdk-lib/aws-rds/lib/cluster.ts Show resolved Hide resolved
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

2 similar comments
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch 8 times, most recently from d137d34 to d589245 Compare October 11, 2024 14:15
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch 4 times, most recently from e245190 to 8c04abe Compare October 17, 2024 18:35
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 8c04abe to 7261444 Compare November 3, 2024 02:12
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 7261444 to 215631f Compare November 18, 2024 17:23
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 889bc8f to 7261444 Compare December 10, 2024 20:19
@epoctic epoctic force-pushed the epoctic/support-rds-managed-cluster-secret branch from 7261444 to 73e7421 Compare December 10, 2024 20:29
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 73e7421
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antonfelich antonfelich antonfelich approved these changes

@lpizzinidev lpizzinidev Awaiting requested review from lpizzinidev

@a-bigelow a-bigelow Awaiting requested review from a-bigelow

@Hawxy Hawxy Awaiting requested review from Hawxy

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS::RDS::DBCluster Password management with Amazon Aurora and AWS Secrets Manager
6 participants
@epoctic @aws-cdk-automation @antonfelich @Hawxy @lpizzinidev @a-bigelow