(aws-rds): `addRotationMultiUser()` changes the username, adds `_clone` suffix

[ahammond]

Describe the bug

After our rotator lambda ran, we discovered that the username in the secret had been change to add a _clone suffix.

❯ aws secretsmanager list-secret-version-ids --region="$AWS_REGION" --secret-id="ColdStorageWriter"
{
    "Versions": [
        {
            "VersionId": "6a00bb61-5e22-4cb4-ab46-eb6b78402d05",
            "VersionStages": [
                "AWSCURRENT",
                "AWSPENDING"
            ],
            "LastAccessedDate": "2022-06-09T17:00:00-07:00",
            "CreatedDate": "2022-06-08T15:12:32.509000-07:00",
            "KmsKeyIds": [
                "redacted"
            ]
        },
        {
            "VersionId": "ec55412e-18ee-46ce-8aa5-e5199b2ece1e",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": "2022-06-07T17:00:00-07:00",
            "CreatedDate": "2022-05-09T13:31:13.330000-07:00",
            "KmsKeyIds": [
                "redacted"
            ]
        }
    ],
    "ARN": "redacted",
    "Name": "ColdStorageWriter"
}

❯ aws secretsmanager get-secret-value --region="$AWS_REGION" --secret-id="ColdStorageWriter" --version-id="ec55412e-18ee-46ce-8aa5-e5199b2ece1e"
{
    "ARN": "arn:aws:secretsmanager:us-west-2:514308641592:secret:ColdStorageWriter-rZPWY6",
    "Name": "ColdStorageWriter",
    "VersionId": "ec55412e-18ee-46ce-8aa5-e5199b2ece1e",
    "SecretString": "{\"password\":\"redacted\",\"masterarn\":\"redacted did not change",\"username\":\"cold_storage_writer\",\"host\":\"redacted\",\"engine\":\"postgres\",\"proxyHost\":\"redacted\"}",
    "VersionStages": [
        "AWSPREVIOUS"
    ],
    "CreatedDate": "2022-05-09T13:31:13.330000-07:00"
}

❯ aws secretsmanager get-secret-value --region="$AWS_REGION" --secret-id="ColdStorageWriter"
{
    "ARN": "arn:aws:secretsmanager:us-west-2:514308641592:secret:ColdStorageWriter-rZPWY6",
    "Name": "ColdStorageWriter",
    "VersionId": "6a00bb61-5e22-4cb4-ab46-eb6b78402d05",
    "SecretString": "{\"password\": \"redacted", \"masterarn\": \"redacted\", \"username\": \"cold_storage_writer_clone\", \"host\": \"redacted\", \"engine\": \"postgres\", \"proxyHost\": \"redacted\"}",
    "VersionStages": [
        "AWSCURRENT",
        "AWSPENDING"
    ],
    "CreatedDate": "2022-06-08T15:12:32.509000-07:00"
}

Expected Behavior

The rotator should rotate the password without completely undocumented side-effects like, for example, changing the username.

Current Behavior

Our users with addRotationMultiUser() are getting their usernames changed.

Reproduction Steps

import { Aurora } from '@time-loop/cdk-aurora';
import { App, aws_ec2, aws_kms, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Namer } from 'multi-convention-namer';

export class AuroraDemoStack extends Stack {
constructor(scope: Construct, props: StackProps) {
const id = new Namer(['aurora', 'demo']);
super(scope, id.pascal, props);

const vpc = aws_ec2.Vpc.fromLookup(this, 'Vpc', {
  isDefault: true,
});

const kmsKey = new aws_kms.Key(this, 'Key', {
  description: `${id.pascal} encryption key`,
});

const a = new Aurora(this, id, {
  defaultDatabaseName: 'demo',
  instances: 1, // It's just a demo
  kmsKey,
  vpc,
});

}
}

// for development, use account/region from cdk cli
const devEnv = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION,
};

const app = new App();

new AuroraDemoStack(app, { env: devEnv });

app.synth();

Possible Solution

I think that the decision to SAM in the rotator functions has been a mess. These rotator functions should be rewritten in TypeScript and inlined into the code and actually managed.

Related issues

• (RDS): Rotation applications are very old and insecure #18249 - no ownership on the aws-cdk side for keeping the SAM rotators up to date
• RotationMultiUser doesn't set host and engine from masterSecret aws-samples/aws-secrets-manager-rotation-lambdas#84 - no ownership on the SAM side for... well... anything.

Additional Information/Context

No response

CDK CLI Version

2.27.0 (build 8e89048)

Framework Version

2.27.0

Node.js Version

v16.13.1

OS

Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:29 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T8101 arm64

Language

Typescript

Language Version

4.7.3

Other information

No response

[ahammond]

From the logs:

  | 2022-06-08T15:12:30.850-07:00 | START RequestId: c4527649-ebfb-48f7-be79-85d9043c7b1a Version: $LATEST
-- | -- | --
  | 2022-06-08T15:12:31.100-07:00 | [INFO] 2022-06-08T22:12:31.100Z c4527649-ebfb-48f7-be79-85d9043c7b1a Found credentials in environment variables.
  | 2022-06-08T15:12:32.521-07:00 | [INFO] 2022-06-08T22:12:32.521Z c4527649-ebfb-48f7-be79-85d9043c7b1a createSecret: Successfully put secret for ARN redacted and version 6a00bb61-5e22-4cb4-ab46-eb6b78402d05.
  | 2022-06-08T15:12:32.557-07:00 | END RequestId: c4527649-ebfb-48f7-be79-85d9043c7b1a
  | 2022-06-08T15:12:32.557-07:00 | REPORT RequestId: c4527649-ebfb-48f7-be79-85d9043c7b1a Duration: 1706.67 ms Billed Duration: 1707 ms Memory Size: 128 MB Max Memory Used: 69 MB Init Duration: 395.95 ms
  | 2022-06-08T15:12:32.560-07:00 | START RequestId: 2b62b783-8553-4f16-9ae5-d16259bf6c8e Version: $LATEST
  | 2022-06-08T15:12:33.461-07:00 | [INFO] 2022-06-08T22:12:33.461Z 2b62b783-8553-4f16-9ae5-d16259bf6c8e Successfully established SSL/TLS connection as user 'cold_storage_writer' with host: 'redacted'
  | 2022-06-08T15:12:33.681-07:00 | [INFO] 2022-06-08T22:12:33.681Z 2b62b783-8553-4f16-9ae5-d16259bf6c8e Successfully established SSL/TLS connection as user 'cold_storage_manager' with host: 'redacted'
  | 2022-06-08T15:12:33.708-07:00 | [INFO] 2022-06-08T22:12:33.708Z 2b62b783-8553-4f16-9ae5-d16259bf6c8e setSecret: Successfully set password for cold_storage_writer_clone in PostgreSQL DB for secret arn redacted.
  | 2022-06-08T15:12:33.757-07:00 | END RequestId: 2b62b783-8553-4f16-9ae5-d16259bf6c8e
  | 2022-06-08T15:12:33.757-07:00 | REPORT RequestId: 2b62b783-8553-4f16-9ae5-d16259bf6c8e Duration: 1196.35 ms Billed Duration: 1197 ms Memory Size: 128 MB Max Memory Used: 73 MB
  | 2022-06-08T15:12:35.438-07:00 | START RequestId: 78b21a09-635e-4eb5-9043-9960b600b4fd Version: $LATEST
  | 2022-06-08T15:12:35.698-07:00 | [INFO] 2022-06-08T22:12:35.697Z 78b21a09-635e-4eb5-9043-9960b600b4fd finishSecret: Successfully set AWSCURRENT stage to version 6a00bb61-5e22-4cb4-ab46-eb6b78402d05 for secret redacted.
  | 2022-06-08T15:12:35.757-07:00 | END RequestId: 78b21a09-635e-4eb5-9043-9960b600b4fd
  | 2022-06-08T15:12:35.757-07:00 | REPORT RequestId: 78b21a09-635e-4eb5-9043-9960b600b4fd Duration: 317.90 ms Billed Duration: 318 ms Memory Size: 128 MB Max Memory Used: 73 MB

[jogold]

Hi @ahammond,

The multi user strategy works with two sets of credentials to maximize availability, have a look at
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users.

This is the expected behavior.

[ahammond]

@jogold this is totally on me. Thank you for the link, that totally clarifies things! I was working on the mistaken assumption that addRotationSingleUser was only for managing the admin user and that addRotationMultiUser was for managing the rotation of other users, and that this was just awkward naming. Is there any way to get the addRotationSingleUser applied on a user that isn't the admin user? Also, would you guys accept a doc PR that adds the above link to the docstrings for these two methods?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.