aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-glue-alpha): Unable to use secret that has been imported using aws_cdk.Fn.import_value() with glue connection #30291

Open PekonenIlmari opened 1 month ago

PekonenIlmari commented 1 month ago

Describe the bug

When importing a secret using `aws_secretsmanager.Secret.from_secret_complete_arn()` and populating `secret_complete_arn` with the ARN value that has been exported using `CfnOutput` from another stack, it is not possible to use this secret with `aws_glue_alpha.Connection`.

This problem only occurs when you are trying to import the secret using the ARN from `import_value`; if the ARN is hardcoded, everything works as expected.

Expected Behavior

This is the expected behaviour when trying to change `SECRET_ID` to `secret.secret_name` from a secret imported with a hardcoded ARN. This also populates the secret name in the console.

CDK change set:

[~] AWS::Glue::Connection pipelines/test-pipeline/dev/glue_assets/OracleConnection OracleConnectionXXXXXXXX may be replaced
 └─ [~] ConnectionInput (may cause replacement)
     └─ [~] .ConnectionProperties:
         └─ [~] .SECRET_ID:
             └─ @@ -1,13 +1,1 @@
                [-] "oldsecret"
                [+] "newsecret"

Current Behavior

This is the behaviour when trying to change `SECRET_ID` to `secret.secret_name` from a secret imported with an `aws_cdk.Fn.import_value()` ARN. This doesn't populate the secret name in the console.

CDK change set:

[~] AWS::Glue::Connection pipelines/test-pipeline/dev/glue_assets/OracleConnection OracleConnectionXXXXXXXX may be replaced
 └─ [~] ConnectionInput (may cause replacement)
     └─ [~] .ConnectionProperties:
         └─ [~] .SECRET_ID:
             └─ @@ -1,13 +1,1 @@
                [-] "oldsecret"
                [+] {
                [+]   "Fn::Select": [
                [+]     6,
                [+]     {
                [+]       "Fn::Split": [
                [+]         ":",
                [+]         {
                [+]           "Fn::ImportValue": "newsecret"
                [+]         }
                [+]       ]
                [+]     }
                [+]   ]
                [+] }

Reproduction Steps

Create a secret in a stack and export it using `CfnOutput`

from aws_cdk import CfnOutput, aws_secretsmanager as sm

secret = sm.Secret(
    self,
    "TestSecret",
    secret_name="newsecret",
)

# Export the full ARN so the consumer stack can import it by name.
CfnOutput(
    self,
    "SecretOutput",
    value=secret.secret_full_arn,
    export_name="newsecret",
)

Import the value in another stack using `aws_cdk.Fn.import_value()` and create a connection

import aws_cdk
from aws_cdk import aws_glue_alpha as glue_alpha, aws_secretsmanager as sm

# Fn.import_value() returns a plain string token, so wrap it as a Secret
# with from_secret_complete_arn() as described above before reading secret_name.
secret_arn = aws_cdk.Fn.import_value("newsecret")
secret = sm.Secret.from_secret_complete_arn(self, "ImportedSecret", secret_arn)

glue_alpha.Connection(
    self,
    id,
    connection_name=connection_name,
    type=glue_alpha.ConnectionType.JDBC,
    subnet=subnet,
    security_groups=security_groups,
    properties={
        "JDBC_CONNECTION_URL": connection_url,
        "SECRET_ID": secret.secret_name,
    },
)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.138.0

Framework Version

No response

Node.js Version

20.11.0

OS

MacOS

Language

Python

Language Version

No response

Other information

No response
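To see what the intrinsic chain in the change set above actually hands to Glue as `SECRET_ID`, here is an added Python evaluator (not CDK or CloudFormation code, and not from this issue) that resolves `Fn::ImportValue`, `Fn::Split` and `Fn::Select` over a constructed export table. The ARN is made up but follows the documented Secrets Manager shape, where the name segment after the sixth colon carries a random 6-character suffix; `name_without_suffix` is a hypothetical helper for comparing that result with the hardcoded case.

```python
import re

# Constructed stand-in for the stack's exported outputs (not real values).
# Secrets Manager ARNs look like arn:aws:secretsmanager:<region>:<account>:secret:<name>-<6 random chars>
EXPORTS = {
    "newsecret": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:newsecret-Ab12Cd",
}

# The exact intrinsic tree shown in the "Current Behavior" change set.
SECRET_ID_FROM_IMPORT = {
    "Fn::Select": [6, {"Fn::Split": [":", {"Fn::ImportValue": "newsecret"}]}]
}


def resolve(node, exports=EXPORTS):
    """Evaluate a small subset of CloudFormation intrinsics the way the service would."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(item, exports) for item in node]
    if not isinstance(node, dict) or len(node) != 1:
        raise ValueError(f"unsupported node: {node!r}")
    (fn, arg), = node.items()
    if fn == "Fn::ImportValue":
        return exports[resolve(arg, exports)]
    if fn == "Fn::Split":
        delimiter, source = arg
        return resolve(source, exports).split(delimiter)
    if fn == "Fn::Select":
        index, items = arg
        return resolve(items, exports)[int(index)]
    raise ValueError(f"unsupported intrinsic: {fn}")


def secret_id_with_import():
    """What SECRET_ID resolves to at deploy time for the imported-ARN case."""
    return resolve(SECRET_ID_FROM_IMPORT)


def name_without_suffix(secret_id):
    """Strip the trailing -XXXXXX that Secrets Manager appends to the ARN name segment."""
    return re.sub(r"-[A-Za-z0-9]{6}$", "", secret_id)


if __name__ == "__main__":
    resolved = secret_id_with_import()
    print("SECRET_ID from imported ARN:", resolved)
    print("name with suffix stripped:  ", name_without_suffix(resolved))
```

With a hardcoded ARN the synthesized value is the literal `"newsecret"`, whereas the imported-ARN case only resolves inside CloudFormation and yields the name segment with its suffix, which is why the two change sets differ.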

pahud commented 1 month ago

Please note that when your consumer stack has imported the value from an exporting stack, you won't be allowed to update that exported resource, as it has been consumed. This is a limitation of CloudFormation.

# Fn.import_value() returns a plain string token, so it is wrapped as a Secret
# with from_secret_complete_arn() (as the report describes) before reading secret_name.
secret_arn = aws_cdk.Fn.import_value("newsecret")
secret = sm.Secret.from_secret_complete_arn(self, "ImportedSecret", secret_arn)

glue_alpha.Connection(
    self,
    id,
    connection_name=connection_name,
    type=glue_alpha.ConnectionType.JDBC,
    subnet=subnet,
    security_groups=security_groups,
    properties={
        "JDBC_CONNECTION_URL": connection_url,
        "SECRET_ID": secret.secret_name,
    },
)

Given the above, were you trying to update the secret from another stack? What are the error messages?

PekonenIlmari commented 1 month ago

I was trying to update the value of `SECRET_ID` in the connection properties and not the secret value itself. The problem is that when trying to extract the `secret_name` from this imported value, the `secret_name` isn't updated on the AWS side (the value under AWS Secret). There is no error message at any point.
