feat(secretsmanager/rds): support credential rotation #2052
Conversation
Add construct for rotation schedule, secret target attachment and RDS rotation single user.
| /** | ||
| * The connections object of the RDS database instance or cluster. | ||
| */ | ||
| connections: ec2.Connections; |
There was a problem hiding this comment.
I think I'd rather you pass an IConnectable here. Any reason that wouldn't work?
There was a problem hiding this comment.
You are right, this should have been an IConnectable.
| /** | ||
| * Options to add a secret attachement to a secret. | ||
| */ | ||
| export interface SecretTargetAttachmentOptions { |
There was a problem hiding this comment.
Feel like this should be an interface like:
export interface ISecretAttachmentTarget {
asSecretAttachmentTarget(): SecretAttachmentTargetProps;
}
export interface SecretAttachmentTargetProps {
targetId: string;
targetType: AttachmentTargetType;
}
export interface SecretTargetAttachmentOptions {
target: ISecretAttachmentTarget;
}And then have the DBInstance and DBCluster classes implement ISecretAttachmentTarget.
| // This allows to reference the secret after attachment (dependency). When | ||
| // creating a secret for a RDS cluster or instance this is the secret that | ||
| // will be used as the input for the rotation. | ||
| this.secret = Secret.import(this, 'Secret', { |
There was a problem hiding this comment.
It feels like this is something that users might forget, especially since these docs are in implementation notes.
Another idea (not necessarily saying you must do this), how about changing this into:
class AttachedSecret implements ISecret {
...
}So that an AttachedSecret can be used anywhere a secret can be used? And if not that, then at least put these notes in a public comment somewhere, seems very relevant to this construct's usage.
There was a problem hiding this comment.
I like this idea of the AttachedSecret
| @@ -0,0 +1,204 @@ | |||
| import ec2 = require('@aws-cdk/aws-ec2'); | |||
There was a problem hiding this comment.
Feels like this whole file should live in the aws-rds package.
There was a problem hiding this comment.
OK to move the RDS rotation, in the same PR then? It breaks the conventional commit + squash convention here...
There was a problem hiding this comment.
Not sure what you mean. The only thing it might break is the scope, if the scope were a single package.
I would feel comfortable with a feat(secretsmanager/rds): support credential rotation.
jogold
changed the title
|
Since there's already a breaking change for |
packages/@aws-cdk/aws-rds/README.md
Outdated
| @@ -53,3 +53,28 @@ attributes: | |||
| ```ts | |||
| const writeAddress = cluster.clusterEndpoint.socketAddress; // "HOSTNAME:PORT" | |||
| ``` | |||
|
|
|||
| ### Rotating master password | |||
| When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically: [example of setting up master password rotation](test/integ.cluster-rotation.lit.ts) | |||
There was a problem hiding this comment.
This needs to be on a line by itself.
| */ | ||
| export class DatabaseCluster extends cdk.Construct implements IDatabaseCluster { | ||
| export abstract class DatabaseClusterBase extends cdk.Construct implements IDatabaseCluster { |
| * Parameter or the SSM Parameter Store instead. | ||
| * Do not put passwords in your CDK code directly. | ||
| * | ||
| * @default a Secrets Manager generated password |
|
Will merge after current release process is over. You just missed the cut, sorry, it will be in the next release. |
|
No prob, have you seen this?
|
|
Oh totally. Though can you create a new PR for that please? |
See #2063 |
Add construct for rotation schedule, secret target attachment and RDS rotation single user.
This is needed in order to implement something like
cluster.addRotationSingleUser(...)inaws-rdswhich will allow to create a cluster (or instance, no construct yet) with a secrets manager generated master password and add rotation to it (PR to follow if this one is accepted).Question: where does the construct RdsRotationSingleUser fit? Here in
aws-secretsmanageror inaws-rds?Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.