fix(redshift): Fix Redshift User Secret Multi-User Rotation #28856
Conversation
Fixes Redshift User Secret Multi-User Rotation for new Users by including `masterarn` in the Secret's Serialized JSON Object Text. Note: This doesn't affect existing users (nor fixes roation for them) since the secret string template is only used when the secret is first created. For those existing secrets, the secret text will need to be updated to include `masterarn` using the GetSecretValue and UpdateSecret SecretManager APIs. closes aws#28852 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
github-actions
bot
added
bug
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-community-review
There was a problem hiding this comment.
Thanks 👍
Looks good overall, I left a couple of comments on the implementation.
Also, can you please update the title to describe the bug (not the solution)?
|
|
||
| beforeEach(() => { | ||
| stack = new cdk.Stack(); | ||
| vpc = new ec2.Vpc(stack, 'VPC'); | ||
| cluster = new redshift.Cluster(stack, 'Cluster', { | ||
| const clusterImpl = new redshift.Cluster(stack, 'Cluster', { |
There was a problem hiding this comment.
Why can't we use the global variable? 🤔
There was a problem hiding this comment.
cluster is ICluster which does not have a .secret property. I figured that the rest of the tests wanted to continue to use the ICluster interface so I have this awkward code that has both an ICluster global variable and a Cluster local variable pointing to the same object but different types.
https://docs.aws.amazon.com/cdk/api/v2/docs/@aws-cdk_aws-redshift-alpha.ICluster.html
https://github.com/aws/aws-cdk/blob/v2.122.0/packages/%40aws-cdk/aws-redshift-alpha/lib/cluster.ts
There was a problem hiding this comment.
Tests are running successfully if we change the type declaration:
let cluster: redshift.Cluster;I think it should be safe to do so to avoid declaring the two variables on different scopes.
| @@ -153,6 +153,7 @@ export class User extends UserBase { | |||
| const secret = new DatabaseSecret(this, 'Secret', { | |||
| username, | |||
| encryptionKey: props.encryptionKey, | |||
| masterSecret: props.adminUser, | |||
There was a problem hiding this comment.
Not sure about this.
Shouldn't we simply pass a DatabaseSecret with masterSecret set to the addRotationMultiUser method?
It seems like we might be assigning unnecessary permissions to the user here.
Also, I think we should validate that the secret for addRotationMultiUser has the required masterSecret value set here.
There was a problem hiding this comment.
Absolutely! I was having the same conversation with a teammate this morning about that. The secret itself shouldn't need to encode the masterSecret reference especially since there is nothing secret about that reference (nor anything bad that could happen if an incorrect or different arn was set - the rotation lambda would just fetch wrong cluster admin credentials and fail to make the update!). Unfortunately, I think we may be bound by the implementation of addRotationMultiUser and the redshift multi-user rotation lambda secrets manager provides which expects masterarn to be encoded in the secret.
Re assigning unnecessary permissions, I see your point about sending masterSecret into DatabaseSecret but at impl time its just encoding the master secret ARN w/o additional permissions. Its the rotation lambda that has permission to the masterSecret and secret to perform the rotation.
On the validation, I don't know if we can perform that validation at build time since options.secret is a reference to ISecret and not DatbaseSecret :/ - thoughts?
There was a problem hiding this comment.
Makes sense and I agree with your analysis of the current implementation.
Thanks for the detailed follow-up 👍
On validation, we could expose the masterSecret property publicly in DatabaseSecret and perform a type-check in addRotationMultiUser for the secret.
I think it might be worth adding to provide clearer feedback to users invoking the method without providing the necessary parameters.
aws-cdk-automation
removed
the
pr/needs-community-review
Thank you and will do! |
|
|
||
| beforeEach(() => { | ||
| stack = new cdk.Stack(); | ||
| vpc = new ec2.Vpc(stack, 'VPC'); | ||
| cluster = new redshift.Cluster(stack, 'Cluster', { | ||
| const clusterImpl = new redshift.Cluster(stack, 'Cluster', { |
There was a problem hiding this comment.
Tests are running successfully if we change the type declaration:
let cluster: redshift.Cluster;I think it should be safe to do so to avoid declaring the two variables on different scopes.
| @@ -153,6 +153,7 @@ export class User extends UserBase { | |||
| const secret = new DatabaseSecret(this, 'Secret', { | |||
| username, | |||
| encryptionKey: props.encryptionKey, | |||
| masterSecret: props.adminUser, | |||
There was a problem hiding this comment.
Makes sense and I agree with your analysis of the current implementation.
Thanks for the detailed follow-up 👍
On validation, we could expose the masterSecret property publicly in DatabaseSecret and perform a type-check in addRotationMultiUser for the secret.
I think it might be worth adding to provide clearer feedback to users invoking the method without providing the necessary parameters.
|
@penniman26 This is a great change! Thank you for your patience as get to reviewing PRs. I'll merge this one once the changes from @lpizzinidev have been addressed. |
|
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
aws-cdk-automation
added
the
closed-for-staleness
|
Comments on closed issues and PRs are hard for our team to see. |
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing |
Fixes Redshift User Secret Multi-User Rotation for new Users by including
masterarnin the Secret's Serialized JSON Object Text.Note: This doesn't affect existing users (nor fixes roation for them) since the secret string template is only used when the secret is first created. For those existing secrets, the secret text will need to be updated to include
masterarnusing the GetSecretValue and UpdateSecret SecretManager APIs.Closes #28852
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license