(secretsmanager/rds): addReplicaRegion on Secret created by fromGeneratedSecret #16480

Closed
2 tasks
davidmckenzie opened this issue Sep 14, 2021 · 4 comments · Fixed by #16497
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@davidmckenzie

The ISecret interface that is produced by the RDS fromGeneratedSecret method does not implement addReplicaRegion.

Use Case

DB credentials should always be replicated across regions along with DB snapshots to aid in DR/BC. When creating a new RDS cluster, the auto-generated credentials should be replicated across multiple regions.

Proposed Solution

Either fromGeneratedSecret should allow you to access a full Secret object, or addReplicaRegion should be added to ISecret, in a similar way to addRotationSchedule.

Other

I tagged both secretsmanager and rds as I'm not sure which side needs to implement this :)

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@davidmckenzie davidmckenzie added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 14, 2021
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Sep 14, 2021
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Sep 14, 2021
@skinny85
Contributor

Hey @davidmckenzie,

thanks for opening the issue. I believe you can add the replica regions right now in RDS by going:

const cluster = new rds.DatabaseCluster(this, 'Cluster', {
  credentials: rds.Credentials.fromGeneratedSecret(...),
  // ...
});
// Cast the ISecret to the concrete Secret class to reach addReplicaRegion()
(cluster.secret as secretsmanager.Secret).addReplicaRegion('us-east-2');

But I guess the point is to get rid of that cast there, and make addReplicaRegion() available in ISecret, do I understand your feature request correctly...?

Thanks,
Adam

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 14, 2021
@davidmckenzie
Author

Oh neat, thanks! I'm weak in TypeScript, didn't know you could do that :)

But yes, it probably would still make sense for it to be available in ISecret, since I assume you could add replicas to imported secrets as well without danger.

@jogold
Contributor

jogold commented Sep 15, 2021

How about adding an option to fromGeneratedSecret()?

const cluster = new rds.DatabaseCluster(this, 'Cluster', {
  // Declare the replica regions when the secret is generated, so no cast is needed
  credentials: rds.Credentials.fromGeneratedSecret('username', { replicaRegions: [{ region: 'us-east-2' }] }),
  // ...
});

addReplicaRegion() is not available in ISecret because it's not available for an imported secret.
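
The cast discussed in this thread, as an added example that is not part of the original issue or of aws-cdk: TypeScript erases `as` at compile time, so a cast to the concrete class compiles for any secret and only fails once the missing method is called. `ISecretLike`, `OwnedSecret`, `ImportedSecret` and the helper functions are hypothetical stand-ins, not CDK classes.

```typescript
// Simplified stand-ins for illustration only; these are NOT the aws-cdk classes.
interface ISecretLike {
  readonly secretName: string;
}

// A secret the app creates itself: replica regions can be declared on it.
class OwnedSecret implements ISecretLike {
  readonly secretName: string;
  readonly replicaRegions: string[] = [];
  constructor(secretName: string) { this.secretName = secretName; }
  addReplicaRegion(region: string): void {
    this.replicaRegions.push(region);
  }
}

// A secret that is only referenced: it exposes no way to add replicas.
class ImportedSecret implements ISecretLike {
  readonly secretName: string;
  constructor(secretName: string) { this.secretName = secretName; }
}

// Unchecked: the cast is erased at compile time, so this compiles for any
// ISecretLike and throws a TypeError at runtime when the method is missing.
function addReplicaUnchecked(secret: ISecretLike, region: string): void {
  (secret as OwnedSecret).addReplicaRegion(region);
}

// Checked: narrow with instanceof and fail with an explicit message otherwise.
function addReplicaChecked(secret: ISecretLike, region: string): string[] {
  if (!(secret instanceof OwnedSecret)) {
    throw new Error(`cannot add a replica region to ${secret.secretName}: not an owned secret`);
  }
  secret.addReplicaRegion(region);
  return secret.replicaRegions;
}

// Returns the kind of error raised by fn, or 'none' if it completed.
function errorKind(fn: () => void): string {
  try {
    fn();
    return 'none';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'Error';
  }
}
```
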

jogold added a commit to jogold/aws-cdk that referenced this issue Sep 15, 2021
Add a `replicaRegions` option to `fromGeneratedSecret()` both in
`Credentials` and `SnapshotCredentials`.

Closes aws#16480
@mergify mergify bot closed this as completed in #16497 Sep 20, 2021
mergify bot pushed a commit that referenced this issue Sep 20, 2021