aws-samples / aws-secrets-manager-rotation-lambdas

Contains Lambda functions to be used for automatic rotation of secrets stored in AWS Secrets Manager
MIT No Attribution
329 stars 282 forks

add multi-user rotation support for multi-AZ clusters #116

Closed adithyasolai closed 1 year ago

adithyasolai commented 1 year ago

Issue #, if available:

Description of changes: Amazon RDS now offers Multi-AZ DB Clusters for MySQL & PostgreSQL engines. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html

This PR updates our Multi-User Rotation Lambda Template to be compatible with Multi-AZ DB Clusters, particularly in the case where the Admin Master Secret used for Multi-User Rotation is an RDS-Managed Admin Secret. In the RDS-Managed Admin Secret case, this PR ensures we use the DescribeDBClusters RDS API to fetch connection parameters instead of the DescribeDBInstances RDS API that is used in the non-Multi-AZ-Cluster case.

This code change has already been live for a while, and customers have been receiving this updated code in newly-created Rotation Lambdas for a while, but this PR documents the code change in this public GitHub repo.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

adithyasolai commented 1 year ago

```python
# Fetch dbname from the Child User
master_dict['dbname'] = current_dict.get('dbname', None)
```

This code change is unrelated to the Multi-AZ Cluster support changes.

This code change was deployed to solve an edge case in the RDS-managed Admin Secret flow caused by the RDS DescribeDBInstances API only returning the dbname that the RDS Instance was initialized with.
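The two changes described in this PR (selecting DescribeDBClusters instead of DescribeDBInstances when the RDS-managed admin secret belongs to a Multi-AZ DB Cluster, and taking `dbname` from the child user's secret rather than from the describe response) can be shown together in one function. The example below is added here and is not the repository's rotation template code. It assumes that the caller already knows the ARN of the primary DB resource behind the RDS-managed admin secret, that cluster ARNs contain `:cluster:` while instance ARNs contain `:db:`, and that the `rds_client` passed in behaves like a `boto3` RDS client (the response field names `DBClusters[].Endpoint`/`Port`/`DatabaseName` and `DBInstances[].Endpoint.Address`/`Endpoint.Port`/`DBName` are the real boto3 shapes; `FakeRdsClient` is a constructed stand-in so the example runs offline).

```python
"""Added example (not the aws-secrets-manager-rotation-lambdas code): pick the
RDS describe API by ARN type and fill connection parameters into the master
secret dict, preferring the child user's dbname over the API-reported one."""
from typing import Any, Dict, Optional


def is_cluster_arn(arn: str) -> bool:
    """Assumption: Multi-AZ DB Cluster ARNs carry ':cluster:', instances ':db:'."""
    return ":cluster:" in arn


def get_connection_params_from_rds_api(
    rds_client: Any,
    master_dict: Dict[str, Any],
    master_arn: str,
    current_dict: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Populate host/port/dbname in master_dict from the appropriate RDS API.

    rds_client  : boto3.client('rds') or a compatible object (assumption)
    master_dict : parsed RDS-managed admin secret (username/password present)
    master_arn  : ARN of the primary cluster or instance the secret belongs to
    current_dict: parsed child-user secret, used as the source of 'dbname'
    """
    if is_cluster_arn(master_arn):
        # Multi-AZ DB Cluster: DescribeDBInstances would describe a member,
        # not the cluster writer endpoint, so use DescribeDBClusters.
        resp = rds_client.describe_db_clusters(DBClusterIdentifier=master_arn)
        cluster = resp["DBClusters"][0]
        master_dict["host"] = cluster["Endpoint"]
        master_dict["port"] = cluster["Port"]
        api_dbname = cluster.get("DatabaseName")
    else:
        resp = rds_client.describe_db_instances(DBInstanceIdentifier=master_arn)
        instance = resp["DBInstances"][0]
        master_dict["host"] = instance["Endpoint"]["Address"]
        master_dict["port"] = instance["Endpoint"]["Port"]
        api_dbname = instance.get("DBName")

    # The describe APIs only report the database the resource was created
    # with, so the child user's own dbname wins when it is present.
    if current_dict and current_dict.get("dbname"):
        master_dict["dbname"] = current_dict["dbname"]
    elif api_dbname:
        master_dict["dbname"] = api_dbname
    return master_dict


class FakeRdsClient:
    """Constructed offline stand-in for boto3's RDS client with canned responses."""

    def describe_db_clusters(self, DBClusterIdentifier: str) -> Dict[str, Any]:
        return {"DBClusters": [{
            "Endpoint": "example-cluster.cluster-abc123.us-east-1.rds.amazonaws.com",
            "Port": 5432,
            "DatabaseName": "postgres",
            "MasterUsername": "admin",
        }]}

    def describe_db_instances(self, DBInstanceIdentifier: str) -> Dict[str, Any]:
        return {"DBInstances": [{
            "Endpoint": {"Address": "example-db.abc123.us-east-1.rds.amazonaws.com",
                         "Port": 3306},
            "DBName": "initdb",  # only the database the instance was initialized with
            "MasterUsername": "admin",
        }]}


# Constructed sample ARNs (account id and names are placeholders).
CLUSTER_ARN = "arn:aws:rds:us-east-1:123456789012:cluster:example-cluster"
INSTANCE_ARN = "arn:aws:rds:us-east-1:123456789012:db:example-db"


def demo() -> Dict[str, Dict[str, Any]]:
    """Run both paths against the fake client and return the filled dicts."""
    client = FakeRdsClient()
    cluster_master = get_connection_params_from_rds_api(
        client, {"username": "admin", "password": "REDACTED"}, CLUSTER_ARN,
        {"username": "app_user", "dbname": "appdb"})
    instance_master = get_connection_params_from_rds_api(
        client, {"username": "admin", "password": "REDACTED"}, INSTANCE_ARN,
        {"username": "app_user"})  # child secret without dbname -> API value
    return {"cluster": cluster_master, "instance": instance_master}


if __name__ == "__main__":
    for name, params in demo().items():
        # Never print the password; only the connection target is of interest.
        print(name, params["host"], params["port"], params["dbname"])
```

With a real `boto3.client('rds')` in place of `FakeRdsClient`, the Lambda's execution role needs `rds:DescribeDBClusters` in addition to `rds:DescribeDBInstances` for the cluster path to work.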