(RDS): Rotation applications are very old and insecure

[iurquiza]

What is the problem?

I deployed a MySQL RDS instance in isolated subnets and added a lambda to rotate the database credentials using the addRotationMultiUser method. The Lambda function is provision correctly, but fails when it call the set_secret method. Connecting to the database fails with the following error:

[ERROR] ModuleNotFoundError: No module named 'asn1crypto' Traceback (most recent call last): File "/var/task/lambda_function.py", line 78, in lambda_handler

The dependency could be missing or the issue could be caused by a version update. Lock the version using a requirements.txt file when installing the dependencies.
pip install -r requirements.txt

Reproduction Steps

rds-stack.txt

What did you expect to happen?

Create the "Secrets Manager RDS MySQL Handler" Lambda and rotate the database credentials successfully without throwing errors.

What actually happened?

[ERROR] ModuleNotFoundError: No module named 'asn1crypto' Traceback (most recent call last): File "/var/task/lambda_function.py", line 78, in lambda_handler

CDK CLI Version

1.137.0

Framework Version

No response

Node.js Version

14.15.5

OS

macOS Big Sur Version 11.6.2

Language

Typescript

Language Version

3.9.7

Other information

No response

[skinny85]

Hey @iurquiza,

thanks for opening the issue. Can you show the CDK you use for creating the Instance (I'm mostly interested in the engine).

Considering we simply use the ready-made Serverless Application Repositories apps to perform this rotation, I wonder whether it's a problem with one of them.

Thanks,
Adam

[iurquiza]

I attached the TypeScript code in the rd-stack.txt. It would not let me attach a .ts file. Below are the file contents:

import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as rds from '@aws-cdk/aws-rds';
import * as secretmanager from '@aws-cdk/aws-secretsmanager';

export interface RdsStackProps extends cdk.NestedStackProps {
  readonly vpc: ec2.IVpc;
}
export class RdsStack extends cdk.NestedStack {
  public readonly credsSecretNamePrefix: string;

  public readonly credsAdminSecret: secretmanager.ISecret;

  public readonly credsReaderSecret: secretmanager.ISecret;

  public readonly credsWriterSecret: secretmanager.ISecret;

  public readonly dbServer: rds.DatabaseInstance;

  public readonly dbName: string;

  constructor(scope: cdk.Stack, id: string, props: RdsStackProps) {
    super(scope, id, props);
    const prefix = this.node.tryGetContext('PREFIX').toLowerCase();

    this.credsSecretNamePrefix = `/${prefix}/rds/creds/`.toLowerCase();
    const credsAdminSecretName = `${this.credsSecretNamePrefix}admin`;
    const credsReaderSecretName = `${this.credsSecretNamePrefix}reader`;
    const credsWriterSecretName = `${this.credsSecretNamePrefix}writer`;
    this.credsAdminSecret = new rds.DatabaseSecret(this, 'RdsCredentialsAdmin', {
      secretName: credsAdminSecretName,
      username: 'admin',
    });

    this.dbName = `${prefix}Db`;
    this.dbServer = new rds.DatabaseInstance(this, 'RdsInstance', {
      databaseName: this.dbName,
      vpcSubnets: {
        onePerAz: true,
        subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
      },
      credentials: rds.Credentials.fromSecret(this.credsAdminSecret),
      vpc: props.vpc,
      port: 3306,
      allocatedStorage: 20,
      instanceIdentifier: prefix,
      engine: rds.DatabaseInstanceEngine.mysql({
        version: rds.MysqlEngineVersion.VER_8_0_26,
      }),
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.LARGE),
    });
    // potentially allow connections to the RDS instance...

    this.credsReaderSecret = new rds.DatabaseSecret(this, 'RdsCredentialsReader', {
      secretName: credsReaderSecretName,
      username: 'reader',
      masterSecret: this.dbServer.secret,
    });

    this.credsWriterSecret = new rds.DatabaseSecret(this, 'RdsCredentialsWriter', {
      secretName: credsWriterSecretName,
      username: 'writer',
      masterSecret: this.dbServer.secret,
    });

    const readerUserSecretAttached = this.credsReaderSecret.attach(this.dbServer);
    this.dbServer.addRotationMultiUser('RdsCredentialsReaderRotation', {
      secret: readerUserSecretAttached,
    });

    const writerUserSecretAttached = this.credsWriterSecret.attach(this.dbServer);
    this.dbServer.addRotationMultiUser('RdsCredentialsWriterRotation', {
      secret: writerUserSecretAttached,
    });
  }
}

[skinny85]

Hmm. There is one interesting thing I see in the resulting template, and that is the version of the application we use for rotation:

Mappings:
  InstanceRdsCredentialsReaderRotationSARMapping495081D4:
    aws:
      applicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationMultiUser
      semanticVersion: 1.1.60

1.1.60 is pretty old - I see this application is now at version 1.1.217.

@iurquiza can you try bumping this version to 1.1.217, and see if that helps?

The code to do that:

        const rotation = instance.addRotationMultiUser('RdsCredentialsReaderRotation', {
            secret: readerUserSecretAttached,
        });

        const sarMapping = rotation.node.findChild('SARMapping') as cdk.CfnMapping;
        sarMapping.setValue('aws', 'semanticVersion', '1.1.217');

Thanks,
Adam

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[iurquiza]

I believe updating the sarMapping addressed the original issue, but the function is still failing to connect to the database. I need more time to test and verify that the issue has been resolved. This change packages the Lambda handler and its dependencies differently making it difficult to trace the error; the source code for the rotation function is no hosted locally. I will post an update a soon as I have more information.