
(aws_docdb): addRotationSingleUser() not consistent with aws_rds.Cluster.addRotationSingleUser() #17347

@ahammond

What is the problem?

https://docs.aws.amazon.com/cdk/api/latest/docs/aws-rds-readme.html#rotating-credentials describes the aws_rds.Cluster.addRotationSingleUser(); as implemented by aws_docdb, there is no support for excludeCharacters. And sure enough, I went to update a stack containing a

const cluster = new aws_docdb.DatabaseCluster(...);
cluster.addRotationSingleUser();

and got

The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 38bc6735-286e-41f2-89d4-3d2c8cb78ef9; Proxy: null)

Reproduction Steps

I'm not sure how to reliably repro this one. The problem, I think, is that the secret rotator generates an illegal password. The deeper problem is that the secret rotator doesn't follow the good example in aws_rds and allow for configurable excludeCharacters, so there's no simple way to fix this. This might be the root cause of #17288 (I'm imagining if the rotator generates an illegal password and DocDB refuses to accept it).

What did you expect to happen?

I expect to never have to think about the (unfortunately named) masterUser's password. The rotation should Just Work.

What actually happened?

First try: (pulled from the CloudFormation console)

The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 38bc6735-286e-41f2-89d4-3d2c8cb78ef9; Proxy: null)

Second try:

❯ npx cdk deploy --require-approval never Whiteboard
Deploying to "euDev" in "eu-central-1".
defaultRegion: "eu-central-1"
Whiteboard: deploying...
[0%] start: Publishing 5cc75ebf91260fff71aff7bfd82508a3d015ff54fefac979088541de57bb66ad:414375883647-eu-central-1
[100%] success: Published 5cc75ebf91260fff71aff7bfd82508a3d015ff54fefac979088541de57bb66ad:414375883647-eu-central-1
Whiteboard: creating CloudFormation changeset...

 ❌  Whiteboard failed: Error [ValidationError]: Stack:arn:aws:cloudformation:eu-central-1:414375883647:stack/Whiteboard/ee1bf3f0-3d9a-11ec-9fae-021733604472 is in UPDATE_ROLLBACK_FAILED state and can not be updated.
    at Request.extractError (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/Users/ahammond/Documents/ClickUp/whiteboard-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'ValidationError',
  time: 2021-11-05T01:17:48.814Z,
  requestId: '8ec0b437-4a02-41df-8637-5e698c28e3b5',
  statusCode: 400,
  retryable: false,
  retryDelay: 30.455530850638013
}
Stack:arn:aws:cloudformation:eu-central-1:414375883647:stack/Whiteboard/ee1bf3f0-3d9a-11ec-9fae-021733604472 is in UPDATE_ROLLBACK_FAILED state and can not be updated.

CDK CLI Version

2.0.0-rc.27 (build 435e6f6)

Framework Version

2.0.0-rc.27 (build 435e6f6)

Node.js Version

v14.17.5

OS

macOS

Language

TypeScript

Language Version

4.4.4

Other information

No response
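
A pre-flight check for the rule quoted in the error message above, as an added example that is not part of the issue or of aws-cdk: it reports which positions of a candidate password the service would reject, and which forbidden characters an exclude list fails to cover. The function names and sample strings are constructed for illustration.

```typescript
// Added example: not code from the issue or from aws-cdk.
// Rule source: the error text quoted in the issue, "Only printable ASCII
// characters besides '/', '@', '"', ' ' may be used."
const FORBIDDEN = '/@" ';

interface Violation {
  index: number; // position in the candidate; the character is not returned
  reason: "forbidden character" | "not printable ASCII";
}

// Report every position the rule rejects, without returning secret text.
function findViolations(candidate: string): Violation[] {
  const found: Violation[] = [];
  for (let i = 0; i < candidate.length; i++) {
    const code = candidate.charCodeAt(i);
    if (code < 0x20 || code > 0x7e) {
      found.push({ index: i, reason: "not printable ASCII" });
    } else if (FORBIDDEN.indexOf(candidate.charAt(i)) !== -1) {
      found.push({ index: i, reason: "forbidden character" });
    }
  }
  return found;
}

// Forbidden characters that an exclude list (as handed to a password
// generator) does not cover; an empty result means the list is sufficient.
function missingExclusions(excludeCharacters: string): string {
  let missing = "";
  for (let i = 0; i < FORBIDDEN.length; i++) {
    const ch = FORBIDDEN.charAt(i);
    if (excludeCharacters.indexOf(ch) === -1) {
      missing += ch;
    }
  }
  return missing;
}

// Constructed samples, not real credentials.
const samples = ["Abc123!x", 'pa/ss@w"o d', "caf\u00e9"];
for (const s of samples) {
  console.log(s.length, findViolations(s).map(v => `${v.index}:${v.reason}`));
}
console.log(JSON.stringify(missingExclusions('/@"')));    // list that omits the space
console.log(JSON.stringify(missingExclusions('/@" \\'))); // list that covers all four
```
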

Labels

@aws-cdk/aws-docdb: Related to Amazon DocumentDB
effort/small: Small work item – less than a day of effort
feature-request: A feature should be added or improved.
feature/coverage-gap: Gaps in CloudFormation coverage by L2 constructs
in-progress: This issue is being actively worked on.
p1
