fix(rds): clusters created from snapshots generate incorrect passwords#20473
fix(rds): clusters created from snapshots generate incorrect passwords#20473peterwoodworth wants to merge 2 commits intov1-mainfrom
Conversation
|
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
rix0rrr
left a comment
There was a problem hiding this comment.
Thanks for picking this up Peter! <3
| * | ||
| * @default - No credentials are generated | ||
| */ | ||
| readonly snapshotCredentials?: ClusterSnapshotCredentials; |
There was a problem hiding this comment.
Do you need this to be a different field because you want to change the default behavior, from how the current credentials field behaves (in the details)? Or does it need to be a different field because it means something completely different?
If it's the first, a feature flag might be better.
There was a problem hiding this comment.
I need a different field because I want the customer to use ClusterSnapshotCredentials, as its designed specifically for using credentials when creating clusters from snapshots.
First, I tried to modify the Credentials class and renderCredentials() to work with what the customer might already have, but the code got confusing (would have been pretty difficult to document functionality for users too), and would be hard to maintain in the future. So I deprecated the prop to have customer use ClusterSnapshotCredentials when creating a cluster from snapshot and setting credentials. This class allows you to reference a full existing secret, or it will generate a new secret for you based on your login credentials passed as a secret value.
Sidenote - I believe this latter functionality (generating a secret based on login credentials) in my PR is bugged at the moment, or at the least poorly documented. The problem is that the fromPassword() method doesn't describe that the user should probably also have a username field in their passed SecretValue. I originally wanted to set the secretStringValue of the generated secret to contain the username which is passed in directly through CDK code, but I couldn't figure out how to properly set the eventual SecretString field to contain anything other than the customer passed SecretValue (other than with sloppy escape hatches).
So, long way to answer that I want this to be something completely different. wdyt?
There was a problem hiding this comment.
Isn't this a case where a breaking change might be acceptable? The current credentials prop is not usable as it does not set the password of a cluster created from a snapshot, moreover it doesn't work with rotation. So no one is using this to set a password?
There was a problem hiding this comment.
Is it not possible to use the existing SnapshotCredentials class here?
There was a problem hiding this comment.
So no one is using this to set a password?
Correction: it is maybe used with secrets containing the snapshot password and that need to benefit from the attachment.
There was a problem hiding this comment.
RDS is considered stable, so we can't make a breaking change. You can use Credentials.fromSecret() to use an existing secret that you know works, and there could be users out there doing that. As far as I can tell though, all the other methods on the Credentials class are broken (fromPassword ends up doing nothing as far as I can tell)
I tried using the existing SnapshotCredentials class as well, but that got a bit sloppy with the way it's correctly implemented for DatabaseInstanceFromSnapshot. Ends up being safest for the user to not make mistakes with a new class
There was a problem hiding this comment.
I think it should be possible to do this with existing SnapshotCredentials class, I will make some tests.
I see that with the new class you're creating a secret that is not a JSON but a string with the password. This will not work with attachment or rotation.
There was a problem hiding this comment.
I do think it's possible, but I personally wasn't a fan of how the documentation of the methods would have to have two different definitions depending on if the method is being used for an instance or cluster, and I was also would have rather just not let the customer be able to access the generate methods on the SnapshotCredentials class.
There was a problem hiding this comment.
Do you think it would still be better to use the SnapshotCredentials class?
There was a problem hiding this comment.
I wasn't able to figure out how to create a secret with JSON - I feel like I'm missing something simple but that's ideally what I'd like to do so that the user can pass in the username directly through CDK
#20504) Deprecate `credentials` and explain how it is broken. Replace it with `snapshotCredentials` that offer the expected behavior. Fixes #20434 Closes #20473 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #20434
ClusterSnapshotCredentialsto distinguish clusters created from snapshot and instances created from snapshotDBClusterFromSnapshot.credentialsandServerlessClusterFromSnapshot.credentialsto use new classAll Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license