Aws-cdk: Create Secret Rotation with CfnDBCluster

Created on 6 Feb 2020 · 4 Comments · Source: aws/aws-cdk

Because of #929 I'm using CfnDBCluster to create an Aurora Postgres Serverless database.

I can't find any docs on how I can use SecretRotation with CfnDBCluster.

Could you point me to an example of either using the RDS Construct with Engine Mode or CfnDBCluster with SecretRotation so I can figure out how to hook this up?

Thanks!


This is a 📃 documentation issue

Labels: @aws-cdk/aws-rds, feature-request, response-requested

All 4 comments

Something along those lines should do it:

import * as ec2 from '@aws-cdk/aws-ec2';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

// Describe how the rotation Lambda reaches the cluster: the cluster's
// security group(s) and the Postgres port. SecretRotation adds an ingress
// rule on these security groups for the rotation function on that port.
const target = new ec2.Connections({
  defaultPort: ec2.Port.tcp(5432),
  securityGroups: [yourClusterSecurityGroup]
});

// Deploy the AWS-provided single-user Postgres rotation Lambda into the VPC
// and point it at the master secret.
new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.POSTGRES_ROTATION_SINGLE_USER,
  secret: yourMasterSecret, // It needs to be "attached" to your cluster
  target,
  vpc: yourVpc
});

Hi @thekevinbrown, thanks for opening an issue. Did @jogold's solution work for you?

@SomayaB kind of, but I'm still stuck.

I've got the master secret for the cluster created with rotation, but I'm trying to create another user account and I just can't seem to figure out the magic incantation I need.

Here's what I've got:

import { DatabaseSecret } from '@aws-cdk/aws-rds';

// Create a rotating secret we can use to access the database.
// `construct` is the scope; `database` is the cluster (see below).
const secret = new DatabaseSecret(construct, 'lambda-user', {
    username: 'consumer-api',
});

// Attach the secret to the cluster (a SecretTargetAttachment that records the
// cluster's connection details in the secret) and let the Lambda read it.
secret.attach(database);
secret.grantRead(consumerApi);

consumerApi is an instance of lambda.Function and database is a modified version of this because of #929.

I can fetch the secret in my lambda, but then when I try to connect to the database I get:

error: password authentication failed for user "consumer-api"

Does secret.attach() not create the user in the database? How do I do that?

Ah, that explains it:

Note: This user must be created manually in the database using the master credentials. The rotation will start as soon as this user exists.

quoted text from here

I'll see about adding this user in my schema migration scripts.
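A worked example of that missing step, added here and not part of the thread or of the CDK project: the SQL that a migration run with the master credentials has to execute before a user managed by DatabaseSecret can log in and its rotation can begin. It assumes the secret's JSON has the shape rds.DatabaseSecret stores ({ username, password, engine, host, port, dbname }); the database name, schema name and sample secret value are constructed for the example. Identifiers and literals are quoted rather than interpolated, and the password is set only when the role is first created, so re-running the migration after rotation has started cannot overwrite the password the rotation Lambda now manages.

```typescript
// Added example (not code from the issue thread or from aws-cdk): generate
// the SQL a schema migration must run, as the master user, so that a user
// described by an rds.DatabaseSecret actually exists in PostgreSQL.
// Assumption: the SecretString has the fields rds.DatabaseSecret produces.

export interface DatabaseSecretValue {
  username: string;
  password: string;
  engine?: string;
  host?: string;
  port?: number;
  dbname?: string;
}

// Quote a PostgreSQL identifier: double quotes around it, embedded double
// quotes doubled, so a role name cannot break out of the statement.
// NAMEDATALEN is 63 bytes; reject longer names rather than let PostgreSQL
// silently truncate them (length is checked in code units; ASCII names only).
export function quoteIdent(name: string): string {
  if (name.length === 0 || name.length > 63) {
    throw new Error(`invalid identifier length: ${name.length}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Quote a PostgreSQL string literal: single quotes around it, embedded single
// quotes doubled. Backslashes are literal under standard_conforming_strings
// (the default), so nothing else needs escaping; NUL cannot appear in text.
export function quoteLiteral(value: string): string {
  if (value.includes('\0')) {
    throw new Error('NUL byte is not allowed in a string literal');
  }
  return `'${value.replace(/'/g, "''")}'`;
}

// Parse the SecretString and validate the fields this migration relies on.
export function parseDatabaseSecret(secretString: string): DatabaseSecretValue {
  const parsed = JSON.parse(secretString) as Partial<DatabaseSecretValue>;
  if (typeof parsed.username !== 'string' || typeof parsed.password !== 'string') {
    throw new Error('secret must contain string "username" and "password" fields');
  }
  if (parsed.engine !== undefined && parsed.engine !== 'postgres') {
    throw new Error(`expected a postgres secret, got engine=${parsed.engine}`);
  }
  return parsed as DatabaseSecretValue;
}

// Statements to run, in order, with the master credentials. The password is
// set only inside the "role does not exist yet" branch: once rotation has
// started, the rotation Lambda owns the password and a re-run of the
// migration must not reset it. The grants are idempotent and deliberately
// narrow (no CREATE on the schema, no CREATEDB/CREATEROLE).
export function provisionUserStatements(
  secret: DatabaseSecretValue,
  database: string,
  schema = 'public',
): string[] {
  const tag = '$provision$'; // dollar-quote tag for the DO block
  if (secret.username.includes(tag) || secret.password.includes(tag)) {
    throw new Error('value would terminate the dollar-quoted block');
  }
  const role = quoteIdent(secret.username);
  const sch = quoteIdent(schema);
  return [
    [
      `DO ${tag}`,
      'BEGIN',
      `  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = ${quoteLiteral(secret.username)}) THEN`,
      `    CREATE ROLE ${role} WITH LOGIN PASSWORD ${quoteLiteral(secret.password)};`,
      '  END IF;',
      'END',
      `${tag};`,
    ].join('\n'),
    `GRANT CONNECT ON DATABASE ${quoteIdent(database)} TO ${role};`,
    `GRANT USAGE ON SCHEMA ${sch} TO ${role};`,
    `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ${sch} TO ${role};`,
    `ALTER DEFAULT PRIVILEGES IN SCHEMA ${sch} GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ${role};`,
  ];
}

// Constructed sample: what a DatabaseSecret for username 'consumer-api' could
// hold. The password and host are placeholders chosen here, not CDK output.
export const SAMPLE_SECRET_STRING = JSON.stringify({
  username: 'consumer-api',
  password: "p4ss'w0rd",
  engine: 'postgres',
  host: 'db.example.internal',
  port: 5432,
  dbname: 'consumer',
});

// Usage: feed the returned statements to the migration tool, connected as
// the master user; rotation then takes over on its next schedule.
export function sampleStatements(): string[] {
  return provisionUserStatements(parseDatabaseSecret(SAMPLE_SECRET_STRING), 'consumer');
}
```

The grant set is a least-privilege starting point for an application role; widen it only to what consumer-api actually needs. Because the `CREATE ROLE` sits inside the existence check, the migration can run on every deploy without touching a password that has since been rotated.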
