Aws-cdk: Secrets Manager - DocumentDB Construct

Created on 23 Aug 2019  路  11Comments  路  Source: aws/aws-cdk

:question: General Issue

Secret's value is not passed into a construct for DocumentDB, rather the whole SecretString is passed instead.

The Question

How does one resolve a SecretString from SecretsManager into a construct for DocumentDB?
Is this possible?

It passes : {resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::} but not the actual value

Code:

    // Get Secret Values for Username and Password
    const secret = sm.Secret.fromSecretAttributes(this, 'cdk/docdb', {
      secretArn: '',
    });

    const credentials = {
      username : secret.secretValueFromJson('username'),
      password : secret.secretValueFromJson('password') 
    };

.....

  // Create documentdb cluster
    const sfDocCluster = new docdb.CfnDBCluster(
      this,
      "StorefrontDocdbCluster",
      {
        storageEncrypted: true,
        availabilityZones: vpc.availabilityZones.splice(3),
        dbClusterIdentifier: "StorefrontDocdbCluster",
        masterUsername: credentials.username,
        masterUserPassword: credentials.password,
        vpcSecurityGroupIds: [sfSecurityGroup.securityGroupName],
        dbSubnetGroupName: sfSubnetGroup.dbSubnetGroupName,
        dbClusterParameterGroupName: sfDocParamGroup.name,
        port
      }
    );

Console Result:

StorefrontDocdbCluster Property validation failure: 

[Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::}}} for property {/MasterUserPassword} is greater than maximum allowed length {41}, 

Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****:secret:cdk/docdb-****:SecretString:username::}}} for property {/MasterUsername} is greater than maximum allowed length {63}]

Environment

  • CDK CLI Version: 1.5
  • Module Version:
  • OS: OSX Mojave
  • Language: TypeScript

Other information

@aws-cdaws-secretsmanager needs-cfn
Source
picture jeffcorpuz

All 11 comments

It's correct that it passes the {{resolve...}} string see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

Using the secretsmanager dynamic reference guarantees that neither Secrets Manager nor CloudFormation logs or persists any resolved secret value.

This is an issue with CloudFormation itself and how it resolves/validates username and password for a AWS::DocDB::DBCluster, see https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/94 and https://forums.aws.amazon.com/thread.jspa?messageID=891456#891456

jogold picture jogold on 23 Aug 2019

Thanks @jogold.

Okay so it is actually passing the correct secretstring but so for this particular use case it is not possible at this moment.

jeffcorpuz picture jeffcorpuz on 23 Aug 2019

for this particular use case it is not possible at this moment.

Exactly. This can only be fixed in CloudFormation not in the CDK.

jogold picture jogold on 23 Aug 2019

Am I to assume there are other use cases in which CF will not resolve secrets as well? Is there a list of said issues?

jeffcorpuz picture jeffcorpuz on 23 Aug 2019

I don't know, the documentation says:

The secretsmanager dynamic reference can be used in all resource properties.

But apparently there are some bugs here and there.

jogold picture jogold on 23 Aug 2019
😕2

@jogold - which documentation is claiming that?

RomainMuller picture RomainMuller on 26 Aug 2019

@RomainMuller See Important note here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

image

jogold picture jogold on 26 Aug 2019

@jeffcorpuz I'm curious, can you confirm the contents of your CFN template?

In your OP, you posted that the template contains {resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::}, and the error message contains {{{.

It should be two curly braces ({{) so I'm curious if that's actually what you're seeing in your template.

In the mean time, treating this as a CloudFormation bug. You can report it here: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap

rix0rrr picture rix0rrr on 17 Sep 2019

Hi @rix0rrr thanks, will treat it as a CF bug

jeffcorpuz picture jeffcorpuz on 23 Sep 2019

Hi @jeffcorpuz,

Have you created the CloudFormation bug? Where can we track it?

Thank you in advance.

hervenivon picture hervenivon on 18 Oct 2019

This is an issue with CloudFormation itself and how it resolves/validates username and password for a AWS::DocDB::DBCluster, see aws-cloudformation/aws-cloudformation-coverage-roadmap#94 and https://forums.aws.amazon.com/thread.jspa?messageID=891456#891456

jogold picture jogold on 18 Oct 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ababra picture ababra  路  3Comments
kawamoto picture kawamoto  路  3Comments
mirazmamun picture mirazmamun  路  3Comments
artyom-melnikov picture artyom-melnikov  路  3Comments
pepastach picture pepastach  路  3Comments