Unable to rotate Aurora Postgres secret if using the ReadOnly endpoint as Host

[LukaHedtSV]

Hi there,

I'm attempting to set up an Aurora v2 Cluster with the following users with Auto-Rotate password turned on for all of them:

• postgres (admin)
• lambda_writer (connects to the Aurora Writer endpoint)
• lambda_reader (connects to the Aurora Reader endpoint)

lambda_writer's setup is the default, and it seems to work properly.

I've set up the Database Secret so that lambda_reader's host value is the ReadOnly endpoint for Aurora, as I don't want any users connecting with this secret to tax a potentially stressed Writer instance.

Unfortunately, Aurora v2 Reader instances aren't consider by the RDS client to be "Read Replicas", so when the Multi-User Rotation lambda goes to set the secret, and sees that the hostnames for the master and child secrets differ, the "isReadReplica" (see below) function fails:

https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/7f56d1b8fe56f6f346ac2d41ca9cbd64c9516d88/SecretsManagerRDSPostgreSQLRotationMultiUser/lambda_function.py#L501-L538

I've checked as to why with the following setup:

• An Aurora v2 DbCluster with:
  • 1 Writer instance
  • 1 Reader instance

And then I got the following in the CLI:

aws rds describe-db-instances --region ap-southeast-2 | grep Replica
            "ReadReplicaDBInstanceIdentifiers": [],
            "ReadReplicaDBInstanceIdentifiers": [],

I think the potential solution is to check that the host value is an Endpoint for the given cluster potentially, since Secret.attach adds the dbClusterIdentifier to the Secret Value for Aurora DB Connections, but I'm not sure tbh.

Thanks!

[LukaHedtSV]

Additional note: Our org is set up to need almost everything to be done as part of CDK code, and Ideally I don't want to be writing my own custom CR to do this task that looks like CDK should handle natively.