
Commit 4ac9db6

fix(redshift): Fix Redshift User Secret Multi-User Rotation
Fixes Redshift User Secret Multi-User Rotation for new Users by including `masterarn` in the Secret's Serialized JSON Object Text. Note: This doesn't affect existing users (nor fixes rotation for them) since the secret string template is only used when the secret is first created. For those existing secrets, the secret text will need to be updated to include `masterarn` using the GetSecretValue and UpdateSecret SecretManager APIs. closes #28852 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent b1e3dfd commit 4ac9db6
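The commit message leaves the migration of already-deployed user secrets to the operator: read the current secret value, add a `masterarn` key pointing at the admin secret, and write it back with UpdateSecret. The script below is an added example of that migration and is not part of aws-cdk. It assumes boto3 is available and that the caller holds `secretsmanager:GetSecretValue` and `secretsmanager:UpdateSecret` on the user secret; the secret contents and the ARN in it are constructed sample values, and `migrate_secret` is a hypothetical helper name. The JSON merge is kept in a pure function so it can be checked offline, it preserves every key the attached secret already carries, and it refuses to overwrite a different `masterarn` rather than silently repointing rotation at the wrong admin credentials.

```python
"""Add `masterarn` to an existing Redshift user secret so multi-user rotation
can find the admin credentials. Added example, not aws-cdk code."""
import json
from typing import Optional


def add_master_arn(secret_string: str, master_arn: str) -> Optional[str]:
    """Return the updated secret JSON, or None if the secret already has it.

    Keeps every existing key (username, password, host, port, ...) and only
    adds `masterarn`. A different existing `masterarn` is an error: rotation
    would otherwise be pointed at the wrong master secret without anyone
    noticing.
    """
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret string is not a JSON object") from exc
    if not isinstance(payload, dict):
        raise ValueError("secret string is not a JSON object")
    existing = payload.get("masterarn")
    if existing == master_arn:
        return None  # already migrated, nothing to write
    if existing is not None:
        raise ValueError(f"secret already has a different masterarn: {existing}")
    payload["masterarn"] = master_arn
    return json.dumps(payload)


def migrate_secret(secret_id: str, master_arn: str, dry_run: bool = True) -> bool:
    """Fetch the secret with GetSecretValue, add masterarn, write it back with
    UpdateSecret. Returns True when a write was (or, in dry-run, would be)
    needed. Hypothetical helper; the two boto3 calls are the real API names.
    """
    import boto3  # imported here so add_master_arn() runs without boto3

    client = boto3.client("secretsmanager")
    current = client.get_secret_value(SecretId=secret_id)
    updated = add_master_arn(current["SecretString"], master_arn)
    if updated is None:
        return False
    if not dry_run:
        # UpdateSecret creates a new version and moves AWSCURRENT to it.
        client.update_secret(SecretId=secret_id, SecretString=updated)
    return True


# Constructed sample of a user secret created before this fix (attach() adds
# the cluster keys; the password and ARN below are placeholders).
SAMPLE_SECRET = json.dumps({
    "username": "app_user",
    "password": "R3dacted-ExampleOnly",
    "engine": "redshift",
    "host": "example-cluster.abc123.us-east-1.redshift.amazonaws.com",
    "port": 5439,
    "dbClusterIdentifier": "example-cluster",
})
SAMPLE_MASTER_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:ExampleAdmin-AbCdEf"
)

if __name__ == "__main__":
    print(add_master_arn(SAMPLE_SECRET, SAMPLE_MASTER_ARN))
```

Run `migrate_secret(<secret arn>, <admin secret arn>, dry_run=False)` once per user secret deployed before this commit; the rotation Lambda still needs read access to the admin secret for the `masterarn` to be usable, which this script does not grant.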

25 files changed

Lines changed: 4169 additions & 3 deletions

packages/@aws-cdk/aws-redshift-alpha/lib/database-secret.ts

Lines changed: 12 additions & 2 deletions
@@ -17,6 +17,13 @@ export interface DatabaseSecretProps {
1717
* @default default master key
1818
*/
1919
readonly encryptionKey?: kms.IKey;
20+
21+
/**
22+
* The master secret which will be used to rotate this secret.
23+
*
24+
* @default - no master secret information will be included
25+
*/
26+
readonly masterSecret?: secretsmanager.ISecret;
2027
}
2128

2229
/**
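Review bot: the doc comment on the new `masterSecret` prop should say that the ARN is only written into the secret when it is first created, so adding or changing `masterSecret` on an already-deployed `DatabaseSecret` leaves the stored value untouched; the commit message explains this, but someone reading the prop in the API docs will not see it. Suggest extending the block above `readonly masterSecret?: secretsmanager.ISecret;`, e.g. `* Only applied when the secret is first created; existing secrets must be updated out of band.`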
@@ -30,10 +37,13 @@ export class DatabaseSecret extends secretsmanager.Secret {
3037
encryptionKey: props.encryptionKey,
3138
generateSecretString: {
3239
passwordLength: 30, // Redshift password could be up to 64 characters
33-
secretStringTemplate: JSON.stringify({ username: props.username }),
40+
secretStringTemplate: JSON.stringify({
41+
username: props.username,
42+
masterarn: props.masterSecret?.secretArn,
43+
}),
3444
generateStringKey: 'password',
3545
excludeCharacters: '"@/\\\ \'',
3646
},
3747
});
3848
}
39-
}
49+
}
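Review bot: `masterarn: props.masterSecret?.secretArn` relies on `JSON.stringify` dropping keys whose value is `undefined`, so a `DatabaseSecret` without `masterSecret` still gets the previous `{"username": ...}` template rather than `"masterarn": null`. That is the intended behaviour but deserves a one-line comment, because a later change to `?? null` would put a null `masterarn` into every secret and hand the multi-user rotation Lambda a null ARN. Worth noting too that the user secret now embeds the admin secret's ARN, so anyone with GetSecretValue on a user secret learns where the admin credentials are stored; that is inherent to the multi-user scheme, not a defect of this change.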

packages/@aws-cdk/aws-redshift-alpha/lib/user.ts

Lines changed: 1 addition & 0 deletions
@@ -153,6 +153,7 @@ export class User extends UserBase {
153153
const secret = new DatabaseSecret(this, 'Secret', {
154154
username,
155155
encryptionKey: props.encryptionKey,
156+
masterSecret: props.adminUser,
156157
});
157158
const attachedSecret = secret.attach(props.cluster);
158159
this.password = attachedSecret.secretValueFromJson('password');
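Review bot: `masterSecret: props.adminUser` is passed through unconditionally, but nothing in this hunk makes `adminUser` required, so a `User` constructed without it still gets a secret with no `masterarn` and multi-user rotation on that user fails exactly as before this fix (whether `adminUser` is optional on the props type is not visible here). Suggest either documenting on the `adminUser` prop that it is required for multi-user rotation, or failing at the point where multi-user rotation is configured if the secret was created without a master secret.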

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-rotationmultiuser.js.snapshot/ClusterMultiUserRotationIntegDefaultTestDeployAssert9A5C1D17.assets.json

Lines changed: 19 additions & 0 deletions

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-rotationmultiuser.js.snapshot/ClusterMultiUserRotationIntegDefaultTestDeployAssert9A5C1D17.template.json

Lines changed: 36 additions & 0 deletions

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-rotationmultiuser.js.snapshot/asset.6bdd909f81c84ffe7d00cf4d6a2dbac8606429bcc05b0db3da842c1941a532f2/handler-name.js

Lines changed: 10 additions & 0 deletions

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-rotationmultiuser.js.snapshot/asset.6bdd909f81c84ffe7d00cf4d6a2dbac8606429bcc05b0db3da842c1941a532f2/index.js

Lines changed: 21 additions & 0 deletions

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-rotationmultiuser.js.snapshot/asset.6bdd909f81c84ffe7d00cf4d6a2dbac8606429bcc05b0db3da842c1941a532f2/privileges.js

Lines changed: 65 additions & 0 deletions
