aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws_rds: DatabaseClusterFromSnapshot creates a new secret when using SnapshotCredentials.fromGeneratedSecret()/fromGeneratedPassword #28761

Open talalong opened 6 months ago

talalong commented 6 months ago

Describe the bug

I am encountering an issue similar to #23815. However, I am utilizing the fromGeneratedSecret() or fromGeneratedPassword() function to reuse the master username from the snapshot ('t3'). The CDK generates two secrets: one with the default username 'postgres' (which I did not expect) and the other with 't3' (as expected).

[Three screenshots taken 2024-01-18 showing the generated secrets]

Expected Behavior

I anticipate having only one secret with the correct username ('t3'). The secret with the default username 'postgres' should not be present in the first place. Using the deprecated property credentials would resolve this issue.

Current Behavior

CDK generates two secrets

[Screenshot taken 2024-01-18 showing the two generated secrets]

Reproduction Steps

Here is an example of how I define my DB.

import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as rds from "aws-cdk-lib/aws-rds";
import { Duration } from "aws-cdk-lib";
import { SubnetType } from "aws-cdk-lib/aws-ec2";
import { RetentionDays } from "aws-cdk-lib/aws-logs";

// `vpc` is an ec2.IVpc created elsewhere in the same stack (not shown in the issue).
const database = new rds.DatabaseClusterFromSnapshot(this, "Database", {
  engine: rds.DatabaseClusterEngine.auroraPostgres({
    version: rds.AuroraPostgresEngineVersion.VER_14_5,
  }),
  vpc: vpc,
  vpcSubnets: { subnetType: SubnetType.PRIVATE_ISOLATED },
  writer: rds.ClusterInstance.provisioned("ClusterWriter", {
    instanceType: new ec2.InstanceType("t3.medium"),
  }),
  readers: [],
  defaultDatabaseName: "t3",
  backup: { retention: Duration.days(1) },
  storageEncrypted: true,
  cloudwatchLogsExports: ["postgresql"],
  cloudwatchLogsRetention: RetentionDays.ONE_DAY,
  copyTagsToSnapshot: true,
  // Reuse the snapshot's master username ('t3'); the CDK generates only the password.
  snapshotCredentials: rds.SnapshotCredentials.fromGeneratedPassword("t3"),
  snapshotIdentifier:
    "arn:aws:rds:eu-central-1:875116653029:snapshot:playground-abc-def",
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

18.12.1

OS

Sonoma 14.2.1

Language

TypeScript

Language Version

TypeScript (4.9.5)

Other information

No response

pahud commented 6 months ago

Based on

https://github.com/aws/aws-cdk/blob/20ad55e7aec7d387550db865257dc6f8ebcab067/packages/aws-cdk-lib/aws-rds/lib/props.ts#L366

and

https://github.com/aws/aws-cdk/blob/2511956fc619ffa2c55d7e2637e97d7359f96de3/packages/aws-cdk-lib/aws-rds/lib/private/util.ts#L118

A new Secret will be created

https://github.com/aws/aws-cdk/blob/2511956fc619ffa2c55d7e2637e97d7359f96de3/packages/aws-cdk-lib/aws-rds/lib/private/util.ts#L124-L130

Looks like this is related to https://github.com/aws/aws-cdk/issues/23441.

Yes, this is probably a bug, and we should also make it more clear in the document.
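Until the construct is fixed, the practical check is to audit the synthesized CloudFormation template rather than the CDK code: list every AWS::SecretsManager::Secret the stack will create and compare the username embedded in its SecretStringTemplate with the master username the snapshot actually carries. The following is an added example written for this page, not code from the issue or from the aws-cdk project. It assumes the secret shape the CDK emits for generated credentials (a GenerateSecretString block whose SecretStringTemplate is a JSON string such as '{"username":"postgres"}'); the sample template below is constructed to mirror the two secrets the reporter describes, and the logical IDs, account ID and snapshot name in it are made up.

```typescript
// Added example: audit a synthesized CDK/CloudFormation template for
// Secrets Manager secrets whose master username is not the one we expect.
// Constructed for this page; not the aws-cdk project's own code.

interface CfnResource {
  Type: string;
  Properties?: Record<string, any>;
}

interface CfnTemplate {
  Resources?: Record<string, CfnResource>;
}

interface SecretFinding {
  logicalId: string;
  username: string | null; // null when the template does not embed a literal username
  expected: boolean;
}

// Pull the username out of GenerateSecretString.SecretStringTemplate.
// The CDK writes it as a JSON string for generated credentials; when the
// username is a deploy-time token the value is an Fn::Join object instead,
// which this helper reports as unknown (null) rather than guessing.
function usernameFromSecret(props: Record<string, any> | undefined): string | null {
  const tmpl = props?.GenerateSecretString?.SecretStringTemplate;
  if (typeof tmpl !== 'string') return null;
  try {
    const parsed = JSON.parse(tmpl);
    return typeof parsed.username === 'string' ? parsed.username : null;
  } catch {
    return null; // not JSON: treat as unknown, never as "expected"
  }
}

// One finding per AWS::SecretsManager::Secret in the template.
function auditSecrets(template: CfnTemplate, expectedUsername: string): SecretFinding[] {
  const resources = template.Resources || {};
  const findings: SecretFinding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (resource.Type !== 'AWS::SecretsManager::Secret') continue;
    const username = usernameFromSecret(resource.Properties);
    findings.push({ logicalId, username, expected: username === expectedUsername });
  }
  return findings;
}

// Logical IDs of secrets that do not carry the expected username; each one is
// a credential the stack would create that the snapshot never needed.
function unexpectedSecrets(template: CfnTemplate, expectedUsername: string): string[] {
  return auditSecrets(template, expectedUsername)
    .filter((f) => !f.expected)
    .map((f) => f.logicalId);
}

// Constructed sample (hypothetical logical IDs and identifiers), shaped like the
// issue's output: a stray 'postgres' secret next to the intended 't3' secret.
const sampleTemplate: CfnTemplate = {
  Resources: {
    DatabaseSecretAAAA1111: {
      Type: 'AWS::SecretsManager::Secret',
      Properties: {
        GenerateSecretString: {
          ExcludeCharacters: '"@/\\',
          GenerateStringKey: 'password',
          PasswordLength: 30,
          SecretStringTemplate: '{"username":"postgres"}',
        },
      },
    },
    DatabaseSnapshotSecretBBBB2222: {
      Type: 'AWS::SecretsManager::Secret',
      Properties: {
        GenerateSecretString: {
          ExcludeCharacters: '"@/\\',
          GenerateStringKey: 'password',
          PasswordLength: 30,
          SecretStringTemplate: '{"username":"t3"}',
        },
      },
    },
    DatabaseCCCC3333: {
      Type: 'AWS::RDS::DBCluster',
      Properties: {
        Engine: 'aurora-postgresql',
        SnapshotIdentifier: 'arn:aws:rds:eu-central-1:123456789012:snapshot:example',
      },
    },
  },
};

// Usage: parse cdk.out/<Stack>.template.json after `cdk synth`, pass it to
// unexpectedSecrets(template, 't3') and fail the pipeline if the list is non-empty.
const strays = unexpectedSecrets(sampleTemplate, 't3');
```

Run this over the template in cdk.out after cdk synth, before cdk deploy; any logical ID it returns is a Secrets Manager secret the stack would create for a user that does not exist on the restored cluster, which is worth failing a CI step on since it is both a cost and one more credential to inventory and rotate. The helper deliberately treats a non-literal SecretStringTemplate as unknown rather than matching, so a token-built username shows up as a finding to inspect by hand instead of silently passing.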