I'm attempting to set up an Aurora v2 Cluster with the following users with Auto-Rotate password turned on for all of them:
postgres (admin)
lambda_writer (connects to the Aurora Writer endpoint)
lambda_reader (connects to the Aurora Reader endpoint)
lambda_writer's setup is the default, and it seems to work properly.
I've set up the Database Secret so that lambda_reader's host value is the ReadOnly endpoint for Aurora, as I don't want any users connecting with this secret to tax a potentially stressed Writer instance.
Unfortunately, Aurora v2 Reader instances aren't consider by the RDS client to be "Read Replicas", so when the Multi-User Rotation lambda goes to set the secret, and sees that the hostnames for the master and child secrets differ, the "isReadReplica" (see below) function fails:
I think the potential solution is to check that the host value is an Endpoint for the given cluster potentially, since Secret.attach adds the dbClusterIdentifier to the Secret Value for Aurora DB Connections, but I'm not sure tbh.
Additional note: Our org is set up to need almost everything to be done as part of CDK code, and Ideally I don't want to be writing my own custom CR to do this task that looks like CDK should handle natively.
Hi there,
I'm attempting to set up an Aurora v2 Cluster with the following users with Auto-Rotate password turned on for all of them:
postgres
(admin)lambda_writer
(connects to the Aurora Writer endpoint)lambda_reader
(connects to the Aurora Reader endpoint)lambda_writer
's setup is the default, and it seems to work properly.I've set up the Database Secret so that
lambda_reader
'shost
value is the ReadOnly endpoint for Aurora, as I don't want any users connecting with this secret to tax a potentially stressed Writer instance.Unfortunately, Aurora v2 Reader instances aren't consider by the RDS client to be "Read Replicas", so when the Multi-User Rotation lambda goes to set the secret, and sees that the hostnames for the master and child secrets differ, the "isReadReplica" (see below) function fails:
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/7f56d1b8fe56f6f346ac2d41ca9cbd64c9516d88/SecretsManagerRDSPostgreSQLRotationMultiUser/lambda_function.py#L501-L538
I've checked as to why with the following setup:
And then I got the following in the CLI:
I think the potential solution is to check that the
host
value is an Endpoint for the given cluster potentially, sinceSecret.attach
adds thedbClusterIdentifier
to the Secret Value for Aurora DB Connections, but I'm not sure tbh.Thanks!