(rds): unable to alter master user password when using DatabaseClusterFromSnapshot with snapshotCredentials

[MitchWijt]

Describe the bug

About 2 months ago a this PR got merged, which states that we should be able to alter the master user password of the snapshot using the snapshotCredentials prop. However when using this prop CDK creates a new secret in Secrets Manager, but the master user password still remains unchanged. It seems like the DatabaseSecret that is created is not being used.

Looking at the code of the PR, the masterUserPassword gets changed in the cfnDbCluster while also having the snapshotIdentifier prop. However the docs state to NOT use the masterUserPassword prop together with the snapshotIdentifier prop.

Expected Behavior

When using the snapshotCredentials property with rds.SnapshotCredentials.fromGeneratedSecret() inside the DatabaseClusterFromSnapshot construct. I expect the master user password to be changed to the password that is generated in Secrets Manager.

Current Behavior

A DatabaseSecret is created inside Secrets Manger, however the master user password of the snapshot remains unchanged.

Reproduction Steps

1. Create a RDS DB using Aurora Serverless using the DatabaseCluster construct in CDK
2. Create snapshot
3. Add DatabaseClusterFromSnapshot construct to CDK using the snapshotCredentials with SnapshotCredentials.fromGeneratedSecret(), and remove the DatabaseCluster construct from CDK
4. Try logging in the DB as master user using the generated DatabaseSecret that is created from the DatabaseClusterFromSnapshot

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.27.0

Framework Version

No response

Node.js Version

16

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response

[corymhall]

@MitchWijt can you provide an example that I can deploy to reproduce? We have an integration test that tests this scenario and I tried to reproduce using this test and was unable to.

https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-rds/test/integ.cluster-snapshot.ts

One thing I noticed is that all DB instances have to be created before the password is updated to the new generated password.

[MitchWijt]

@corymhall The problem seems to be in the secret rotation. We have Permissions Boundary Aspects on our stack. However CDK tries to create a role for the rotating lambda function without these Aspects in a nested stack. Which is the reason it fails.

Its mentioned in this issue

But I do not see a solution for it at the moment.

As a sidenote. Since by default the DatabaseClusterFromSnapshot copies the master username and master password from the original cluster. Wouldn't it be more logical if the secret property returned from DatabaseClusterFromSnapshot would contain the correct DatabaseSecret with the same password and username as from the original cluster, unless snapshotCredentials is being used?

Currently the secret returned is unreliable since it can't be used to login to the Cluster that is created

[MitchWijt]

Should a rotation be needed in order for the password to be updated to the new generated password? If not, then the password is not being updated on my end.

Example:
1. Deploy this:

new rds.DatabaseCluster(this, `DatabaseCluster`, 
{
            defaultDatabaseName: "postgres",
            engine: rds.DatabaseClusterEngine.auroraPostgres({
                version: AuroraPostgresEngineVersion.VER_13_6,
            }),
            instances: 1,
            backup: {
                retention: Duration.days(7)
            },
            removalPolicy: RemovalPolicy.RETAIN,
            instanceProps: {
                vpc: vpc,
                instanceType: CustomInstanceType.SERVERLESS as unknown as ec2.InstanceType,
                autoMinorVersionUpgrade: true,
                publiclyAccessible: false,
                vpcSubnets: {
                    subnets: vpc.isolatedSubnets
                },
            },
            cloudwatchLogsExports: ["postgresql"],
        }
)

2. Create Snapshot

3. Create cluster from Snapshot and deploy

new rds.DatabaseClusterFromSnapshot(this, `DatabaseClusterFromSnapshot`, {
                ...samePropsAsStep1,
                snapshotCredentials: rds.SnapshotCredentials.fromGeneratedSecret('postgres', {
                    excludeCharacters: '`+{}[]()\'"/\\'
                }),
                snapshotIdentifier: props.snapshotIdentifier
            })

4. Unable to login using generated secret

[corymhall]

@MitchWijt I tried again today and it's not working for me anymore. I'm not sure if something changed, or I just messed something up the last time I tried. After looking into it more, I'm not sure how it ever could have worked. In all of my testing, including with the integration test, it always uses the previous database password (which is inline with the documentation).

It seems like this issue impacts a significant number of customers, and I've tagged it as P1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute (https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) a bug fix or new feature to the CDK. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster.