docdb.DatabaseSecret: Secret generated with invalid characters

[Voyen]

docdb.DatabaseSecret by default calls aws_secretsmanager.Secret specifying exclusion characters of '"', '@', and '/'.
However since many databases use a 'proto://user:password@host.....' connection URL, a colon should be included in this exclusions list.

I'm currently trying to spin up a mongo-express container in my ECS environment but can't get it to connect because the secret that was generated contains a colon and so the connection URL is invalid.

Reproduction Steps

const secret = new docdb.DatabaseSecret(this, 'ClusterSecret', {
    username: 'root',
    secretName: 'myClusterSecret',
});

What did you expect to happen?

A valid secret is generated that can be used in a connection URL

What actually happened?

Secret generated with a ':' in it which makes connection URLs invalid

Environment

• CDK CLI Version : 1.114.0 (build 7e41b6b)
• Framework Version:
• Node.js Version: v15.4.0
• OS : 5.12.15.arch1-1
• Language (Version): Using Typescript but I assume this affect all

Other

Note that while using this within your own applications is controllable (my Spring Boot application builds the connection string and url-encodes the password), providing this to out of the box images as environment secrets is impossible

---

This is 🐛 Bug Report

[skinny85]

Thanks for opening the issue @Voyen. I see two possible ways out of this:

1. Change the default excludeCharacters here to have more characters, like :.
2. Allow passing your own excludeCharacters to DatabaseSecret, like we do in RDS.

Thoughts?

[Voyen]

@skinny85 I feel like the ideal scenario would be to go with both. The default should be updated as it's technically not a reasonable default to begin with (allowing invalid connection URLs in environments where you cannot encode it), but the option to be able to specify your own excludeCharaters would be a great feature as it both lines up with an existing similar construct (RDS) and allows for more flexibility/control.

[skinny85]

Fair enough @Voyen!

Any chance you could open us a Pull Request implementing this? Here's out "Contributing" guide: https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md.

Thanks,
Adam

[jumic]

I just submitted a PR which adds property excludeCharaters.

@skinny85 Before changing the default excludeCharacters, can I have your feedback on this topic again?
From my point of view, changing the excludeCharacters will trigger the generation of a new Secret. If we change the default behavior in DocumentDB, a new password is created. If the password is maintained manually in a third party system, this will be a breaking change because the password will change.

Which option do you prefer?

• Change the default excludeCharacters and don't care about the regeneration of new passwords (I wouldn't recommend this option).
• Change the default excludeCharacters, add CDK feature flag to active this change in new CDK apps on only.
• Don't change the default excludeCharacters.

Thanks.