aws_rds: add support for RotateImmediatelyOnUpdate to secret rotation #25365

Closed
2 tasks
rittneje opened this issue Apr 28, 2023 · 4 comments · Fixed by #25652
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@rittneje

Describe the feature

In CloudFormation, AWS::SecretsManager::RotationSchedule contains an optional property RotateImmediatelyOnUpdate, which controls whether the secret gets rotated as part of the stack update.

When creating a rotation schedule via add_rotation_single_user in CDK, there is no way to set this property, so CloudFormation ends up defaulting to true.

Add an optional parameter to add_rotation_single_user to control this property. Probably should be added to add_rotation_multi_user as well.

Use Case

We don't want the secret to rotate immediately.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.60.0

Environment details (OS name and version, etc.)

Alpine

@rittneje rittneje added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 28, 2023
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Apr 28, 2023
@khushail (Contributor)

Hi @rittneje, thanks for reaching out. Since CloudFormation provides the RotateImmediatelyOnUpdate property, adding a parameter to add_rotation_single_user or add_rotation_multi_user might be helpful.

However, you could use escape hatches for now to set RotateImmediatelyOnUpdate to false. I am marking this feature request as P2 until it gets worked on.

@khushail khushail added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 28, 2023
@pahud (Contributor) commented Apr 28, 2023

Hi @rittneje

addRotationSingleUser() literally instantiates the SecretRotation class, which calls the secret's addRotationSchedule() here.

addRotationSchedule() accepts RotationScheduleOptions which is defined here.

So I believe we should add RotateImmediatelyOnUpdate to the RotationScheduleOptions. Before that, escape hatches as mentioned by @khushail are a quick hack, but we definitely welcome a PR for it.

@colifran colifran self-assigned this May 18, 2023
@mergify mergify bot closed this as completed in #25652 May 23, 2023
mergify bot pushed a commit that referenced this issue May 23, 2023
…ecret rotation schedule (#25652)

When adding a rotation schedule to a secret, you can specify whether or not the secret should be rotated immediately. This is optional, and by default, the secret will be rotated immediately if rotateImmediatelyOnUpdate is undefined. This PR exposes the rotateImmediatelyOnUpdate property enabling the user to configure this as false if they do not want the secret to be rotated immediately. Configuring this property as being explicitly true will result in the secret being rotated immediately, which is the default behavior.

Closes #25365

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
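The escape-hatch workaround suggested by @khushail and the default described in the commit message above both come down to one CloudFormation rule: an AWS::SecretsManager::RotationSchedule whose RotateImmediatelyOnUpdate property is absent rotates the secret on the next stack update. The following is an added example, not code from the issue or from the CDK project: it models that default at the level of a synthesized template, lists the rotation schedules that will rotate on update, and applies the same property override that a CDK escape hatch would produce. The sample template is constructed for this example; the logical IDs in it are invented.

```python
"""Added example: template-level audit and fix for RotateImmediatelyOnUpdate.

CloudFormation treats a missing RotateImmediatelyOnUpdate as true, so a
rotation schedule synthesized without the property rotates the secret on the
next stack update. This module flags such resources and applies the override
that a CDK escape hatch (add_property_override) would add to the template.
"""
from __future__ import annotations

import copy
import json

ROTATION_SCHEDULE = "AWS::SecretsManager::RotationSchedule"
PROP = "RotateImmediatelyOnUpdate"


def rotates_on_update(resource: dict) -> bool:
    """Model the CloudFormation default: an absent property means true."""
    value = resource.get("Properties", {}).get(PROP)
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    if isinstance(value, str):  # templates may carry "true"/"false" as strings
        return value.strip().lower() != "false"
    return True  # unknown shape (e.g. an intrinsic): assume the rotating default


def find_immediate_rotations(template: dict) -> list[str]:
    """Return logical IDs of rotation schedules that will rotate on update."""
    return sorted(
        logical_id
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == ROTATION_SCHEDULE and rotates_on_update(res)
    )


def suppress_immediate_rotation(template: dict, logical_ids=None) -> dict:
    """Return a copy of the template with RotateImmediatelyOnUpdate: false set
    on the selected rotation schedules (all of them when logical_ids is None).
    The input template is left untouched."""
    out = copy.deepcopy(template)
    for logical_id, res in out.get("Resources", {}).items():
        if res.get("Type") != ROTATION_SCHEDULE:
            continue
        if logical_ids is not None and logical_id not in logical_ids:
            continue
        res.setdefault("Properties", {})[PROP] = False
    return out


# Constructed sample: roughly what a stack using add_rotation_single_user
# synthesizes today (no RotateImmediatelyOnUpdate) next to a schedule that
# already has the property set explicitly. Logical IDs are invented.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
        "DbSecretRotationSchedule": {
            "Type": ROTATION_SCHEDULE,
            "Properties": {
                "SecretId": {"Ref": "DbSecret"},
                "RotationRules": {"AutomaticallyAfterDays": 30},
            },
        },
        "ReportingSecretRotationSchedule": {
            "Type": ROTATION_SCHEDULE,
            "Properties": {
                "SecretId": {"Ref": "DbSecret"},
                "RotationRules": {"AutomaticallyAfterDays": 30},
                PROP: False,
            },
        },
    }
}


if __name__ == "__main__":
    flagged = find_immediate_rotations(SAMPLE_TEMPLATE)
    print("will rotate on next update:", flagged)
    fixed = suppress_immediate_rotation(SAMPLE_TEMPLATE, flagged)
    print("after override:", find_immediate_rotations(fixed))
    print(json.dumps(fixed["Resources"]["DbSecretRotationSchedule"], indent=2))
```

Running this over the output of `cdk synth` (the template JSON under cdk.out) is a cheap pre-deploy check that no rotation schedule will rotate credentials as a side effect of an unrelated stack update. In CDK itself the equivalent override is applied on the L1 resource, assuming it can be reached as the `node.default_child` of the RotationSchedule construct: `cfn_schedule.add_property_override("RotateImmediatelyOnUpdate", False)`.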
@rittneje (Author)

@colifran You did not actually implement this feature request. You only added support into aws_secretsmanager.RotationSchedule. But the need is to add support to aws_rds.DatabaseCluster.add_rotation_single_user.
