aws-cdk-lib(aws-secretsmanager): Update the SecretsManagerRDSMySQLRotationMultiUser rotation Lambda function so it can be deployed with the latest code #32181

Open
2 tasks
Ghy7wfR4vm opened this issue Nov 19, 2024 · 3 comments
Labels: aws-cdk-lib (Related to the aws-cdk-lib package); effort/small (Small work item – less than a day of effort); feature-request (A feature should be added or improved.); p2

Comments

Ghy7wfR4vm commented Nov 19, 2024

Describe the feature

Summary

Using AWS CDK, I want to deploy the Secrets Manager SecretsManagerRDSMySQLRotationMultiUser rotation Lambda function with the following latest GitHub code content.
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py

However, I confirmed that currently, when deployed via AWS CDK, the rotation Lambda function is deployed with the following old code content.
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/13a7a467dfa7643438d9a6e61eb185695fe2229d/SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py

About the cause

It seems that the issue is caused by the semantic version of the AWS SAM managed application SecretsManagerRDSMySQLRotationMultiUser used in CDK being old.

CDK is hard coded to be 1.1.367, but the latest one appears to be newer than 1.1.500.

public static readonly MYSQL_ROTATION_MULTI_USER = new SecretRotationApplication('SecretsManagerRDSMySQLRotationMultiUser', '1.1.367', {
  isMultiUser: true,
});

(I am not exactly sure about the latest version)

Use Case

In the latest code content of SecretsManagerRDSMySQLRotationMultiUser, we can set the username character limit with environment variables.

https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/92f00b3e3b32df58a8a7c230773335f5846c74fd/SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py#L120-L121

        # Get username character limit from environment variable
        username_limit = int(os.environ.get('USERNAME_CHARACTER_LIMIT', '16'))

On the other hand, the old code does not allow arbitrary character limits for the username.

Proposed Solution

Update version 1.1.367 to newer than 1.1.500.

public static readonly MYSQL_ROTATION_MULTI_USER = new SecretRotationApplication('SecretsManagerRDSMySQLRotationMultiUser', '1.1.367', {
  isMultiUser: true,
});

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.167.1 (build d681b12)

Environment details (OS name and version, etc.)

All

@Ghy7wfR4vm Ghy7wfR4vm added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label Nov 19, 2024
@ashishdhingra ashishdhingra self-assigned this Nov 19, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@Ghy7wfR4vm
Author

Workaround

A rotating Lambda function with the latest code can be deployed by directly specifying the new version 1.1.502.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.SecretRotationApplication.html#static-mysql_rotation_multi_user

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // The secret that will be rotated
  masterSecret: myMasterSecret, // The secret used for the rotation
  target: myDatabase,
  vpc: myVpc,
});

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: new secretsmanager.SecretRotationApplication("SecretsManagerRDSMySQLRotationMultiUser", "1.1.502"),
  secret: myUserSecret, // The secret that will be rotated
  masterSecret: myMasterSecret, // The secret used for the rotation
  target: myDatabase,
  vpc: myVpc,
});

@ashishdhingra
Contributor

ashishdhingra commented Nov 20, 2024

@Ghy7wfR4vm Good afternoon. Could you please point me to documentation/resource which mentions version 1.1.502 and how the semantic versioning maps to code that is being deployed?

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 20, 2024
@Ghy7wfR4vm
Author

@ashishdhingra Good afternoon.

I confirmed that when I try to deploy the following SecretsManagerRdsMysqlRotationMultiUser application, it is deployed with semanticVersion: 1.1.503.
So I think the latest SemanticVersion is 1.1.503.
https://serverlessrepo.aws.amazon.com/applications/us-east-1/297356227824/SecretsManagerRDSMySQLRotationMultiUser

Also, when I created a CDK project with TypeScript, I checked the following description in <mycdkproject_directory>/node_modules/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.js.

SecretRotationApplication.MYSQL_ROTATION_MULTI_USER=new SecretRotationApplication("SecretsManagerRDSMySQLRotationMultiUser","1.1.367",{isMultiUser:!0})

When "1.1.367" in this file is changed to "1.1.503" and deployed with the following code, the rotation Lambda function will be deployed in a state where the latest code content is reflected.

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // The secret that will be rotated
  masterSecret: myMasterSecret, // The secret used for the rotation
  target: myDatabase,
  vpc: myVpc,
});

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 22, 2024
@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 3, 2024
@ashishdhingra ashishdhingra removed their assignment Dec 3, 2024
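
As an added example (not part of the issue thread and not aws-cdk-lib code): a TypeScript check that reads a synthesized CloudFormation template and reports which `SemanticVersion` each `AWS::Serverless::Application` resource pins for the rotation application, so a stale pin such as 1.1.367 is caught before deployment. The template and logical IDs are constructed sample input, the ARN is assembled from the Serverless Application Repository URL quoted in the thread, and the 1.1.503 threshold is the version reported in the comment above.

```typescript
// Added example (not aws-cdk-lib code): audit `cdk synth` output for the
// rotation application's pinned Serverless Application Repository version.
type Finding = { logicalId: string; version: string | null; status: "ok" | "stale" | "unresolved" };

// Compare dotted numeric versions, e.g. "1.1.367" vs "1.1.503".
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function auditRotationApps(template: any, appName: string, minVersion: string): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries<any>(template.Resources ?? {})) {
    if (res.Type !== "AWS::Serverless::Application") continue;
    const loc = res.Properties?.Location ?? {};
    const id = loc.ApplicationId;
    const ver = loc.SemanticVersion;
    // Skip other SAR applications whose ARN is a literal we can read.
    if (typeof id === "string" && !id.endsWith("/" + appName)) continue;
    if (typeof id !== "string" || typeof ver !== "string") {
      // Intrinsics (Fn::FindInMap, Ref, ...) cannot be judged statically.
      findings.push({ logicalId, version: null, status: "unresolved" });
      continue;
    }
    const status = compareVersions(ver, minVersion) < 0 ? "stale" : "ok";
    findings.push({ logicalId, version: ver, status });
  }
  return findings;
}

// Constructed sample template; logical IDs are made up for illustration.
const APP = "SecretsManagerRDSMySQLRotationMultiUser";
const ARN = "arn:aws:serverlessrepo:us-east-1:297356227824:applications/" + APP;
const sampleTemplate = {
  Resources: {
    OldRotation: { Type: "AWS::Serverless::Application",
      Properties: { Location: { ApplicationId: ARN, SemanticVersion: "1.1.367" } } },
    NewRotation: { Type: "AWS::Serverless::Application",
      Properties: { Location: { ApplicationId: ARN, SemanticVersion: "1.1.503" } } },
    MappedRotation: { Type: "AWS::Serverless::Application",
      Properties: { Location: { ApplicationId: ARN, SemanticVersion: { "Fn::FindInMap": ["M", "p", "v"] } } } },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};
```

Resources reported as `unresolved` carry an intrinsic function instead of a literal version and need to be checked against the template's mappings or the deployed stack.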