rds: `secret` property is `None` after changing from `DatabaseInstance` to `DatabaseInstanceFromSnapshot`

[l0b0]

Describe the bug

After changing two lines of code (replacing DatabaseInstance with DatabaseInstanceFromSnapshot and adding a snapshot_identifier) the resulting DB instance object's secret property changed from a usable value to None. The documentation doesn't mention in which circumstances the secret value is not None, but this is surprising.

Expected Behavior

secret should still be an ISecret.

Current Behavior

secret is None.

Reproduction Steps

Succeeds:

from os import environ
from typing import Any, Optional

from aws_cdk import App, Environment, Stack, aws_ec2, aws_rds
from constructs import Construct

app = App()

environment = Environment(
    account=environ["CDK_DEFAULT_ACCOUNT"], region=environ["CDK_DEFAULT_REGION"]
)


class DBStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs: Optional[Any]) -> None:
        super().__init__(scope, construct_id, **kwargs)

        db = aws_rds.DatabaseInstance(
            self,
            "db-replica",
            engine=aws_rds.DatabaseInstanceEngine.postgres(
                version=aws_rds.PostgresEngineVersion.VER_10_16
            ),
            vpc=aws_ec2.Vpc.from_lookup(self, "vpc", tags={"bde-processor-db-replica": "yes"}),
            vpc_subnets=aws_ec2.SubnetSelection(subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED),
        )
        assert db.secret is not None


db_stack = DBStack(app, "database-stack", env=environment)

app.synth()

Fails:

from os import environ
from typing import Any, Optional

from aws_cdk import App, Environment, Stack, aws_ec2, aws_rds
from constructs import Construct

app = App()

environment = Environment(
    account=environ["CDK_DEFAULT_ACCOUNT"], region=environ["CDK_DEFAULT_REGION"]
)


class DBStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs: Optional[Any]) -> None:
        super().__init__(scope, construct_id, **kwargs)

        db = aws_rds.DatabaseInstanceFromSnapshot(
            self,
            "db-replica",
            snapshot_identifier="release-test",
            engine=aws_rds.DatabaseInstanceEngine.postgres(
                version=aws_rds.PostgresEngineVersion.VER_10_16
            ),
            vpc=aws_ec2.Vpc.from_lookup(self, "vpc", tags={"bde-processor-db-replica": "yes"}),
            vpc_subnets=aws_ec2.SubnetSelection(subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED),
        )
        assert db.secret is not None


db_stack = DBStack(app, "database-stack", env=environment)

app.synth()

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.24.1 (build 585f9ca)

Framework Version

No response

Node.js Version

v14.18.1

OS

NixOS

Language

Python

Language Version

3.8.11

Other information

No response

[peterwoodworth]

This is happening because there's a check in the code for DatabaseInstanceFromSnapshot that will only generate a secret if you specify it

aws-cdk/packages/@aws-cdk/aws-rds/lib/instance.ts

Line 1081 in 2edcbba

if (!secret && credentials?.generatePassword) {

We need to document this, as it functions differently in this regard than Cluster, ClusterSnapshot, and Instance

[l0b0]

So, do I need to specify something like credentials=SnapshotCredentials.from_generated_password(username) or credentials=SnapshotCredentials.from_generated_secret(username)? The documentation on these isn't clear on which one I should use, but given that the secret is used in the form db.secret.secret_value_from_json("username").to_string() I guess the latter?

[peterwoodworth]

credentials=SnapshotCredentials.from_generated_password(username) or credentials=SnapshotCredentials.from_generated_secret(username)

I believe that either one of these will work. I'm working on the documentation right now

[l0b0]

OK, now I just need to figure how to get the username. Based on the documentation for credentials it looks like I need to get the username of the snapshot, which at a glance doesn't seem to be provided by aws_rds.

[peterwoodworth]

This should explain everything, let me know if there's more confusion https://github.com/aws/aws-cdk/pull/20431/files