From de23d3e35319a0ee1aa40f12238134320354ef06 Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 16:36:47 -0700 Subject: [PATCH 1/6] docs: explain SnapshotCredentials --- packages/@aws-cdk/aws-rds/README.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index dcf365bb2eb8d..fd3b74c0f249d 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -185,7 +185,7 @@ const rule = instance.onEvent('InstanceEvent', { target: new targets.LambdaFunct ## Login credentials -By default, database instances and clusters will have `admin` user with an auto-generated password. +By default, database instances and clusters (with the exception of `DatabaseInstanceFromSnapshot` and ``ServerlessClusterFromSnapshot`) will have `admin` user with an auto-generated password. An alternative username (and password) may be specified for the admin user instead of the default. The following examples use a `DatabaseInstance`, but the same usage is applicable to `DatabaseCluster`. @@ -232,6 +232,26 @@ new rds.DatabaseInstance(this, 'InstanceWithCustomizedSecret', { }); ``` +### Snapshot credentials + +As noted above, Databases created with `DatabaseInstanceFromSnapshot` or `ServerlessClusterFromSnapshot` will not create user and auto-generated password by default because it's not possible to change the master username. Instead, they will use the existing username and password from the snapshot. You can still generate a new password - to generate a secret similarly to the other constructs, pass in credentials with `fromGeneratedSecret()` or `fromGeneratedPassword()`. + +```ts +declare const vpc: ec2.Vpc; +const engine = rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_12_3 }); +const myKey = new kms.Key(this, 'MyKey'); + +new rds.DatabaseInstanceFromSnapshot(this, 'InstanceFromSnapshotWithCustomizedSecret', { + engine, + vpc, + credentials: rds.SnapshotCredentials.fromGeneratedSecret('postgres', { + encryptionKey: myKey, + excludeCharacters: '!&*^#@()', + replicaRegions: [{ region: 'eu-west-1' }, { region: 'eu-west-2' }], + }), +}); +``` + ## Connecting To control who can access the cluster or instance, use the `.connections` attribute. RDS databases have From 2038382213da82d3598f289993fbfa6f2ee3fefa Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 16:38:31 -0700 Subject: [PATCH 2/6] docs: explain SnapshotCredentials --- packages/@aws-cdk/aws-rds/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index fd3b74c0f249d..876575b8eaeb4 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -234,7 +234,7 @@ new rds.DatabaseInstance(this, 'InstanceWithCustomizedSecret', { ### Snapshot credentials -As noted above, Databases created with `DatabaseInstanceFromSnapshot` or `ServerlessClusterFromSnapshot` will not create user and auto-generated password by default because it's not possible to change the master username. Instead, they will use the existing username and password from the snapshot. You can still generate a new password - to generate a secret similarly to the other constructs, pass in credentials with `fromGeneratedSecret()` or `fromGeneratedPassword()`. +As noted above, Databases created with `DatabaseInstanceFromSnapshot` or `ServerlessClusterFromSnapshot` will not create user and auto-generated password by default because it's not possible to change the master username for a snapshot. Instead, they will use the existing username and password from the snapshot. You can still generate a new password - to generate a secret similarly to the other constructs, pass in credentials with `fromGeneratedSecret()` or `fromGeneratedPassword()`. ```ts declare const vpc: ec2.Vpc; From e5025bbb1bdd0dc2c1359b013683352bd275fd1e Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 17:04:38 -0700 Subject: [PATCH 3/6] docs: explain SnapshotCredentials --- packages/@aws-cdk/aws-rds/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index 876575b8eaeb4..8ebb105d49ab8 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -244,6 +244,7 @@ const myKey = new kms.Key(this, 'MyKey'); new rds.DatabaseInstanceFromSnapshot(this, 'InstanceFromSnapshotWithCustomizedSecret', { engine, vpc, + snapshotIdentifier: 'mySnapshot', credentials: rds.SnapshotCredentials.fromGeneratedSecret('postgres', { encryptionKey: myKey, excludeCharacters: '!&*^#@()', From fa9ae91f11bd0f9e479a7be2c4500b66d119678e Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 17:05:35 -0700 Subject: [PATCH 4/6] docs: explain SnapshotCredentials --- packages/@aws-cdk/aws-rds/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index 8ebb105d49ab8..aa472b093533b 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -245,7 +245,7 @@ new rds.DatabaseInstanceFromSnapshot(this, 'InstanceFromSnapshotWithCustomizedSe engine, vpc, snapshotIdentifier: 'mySnapshot', - credentials: rds.SnapshotCredentials.fromGeneratedSecret('postgres', { + credentials: rds.SnapshotCredentials.fromGeneratedSecret('username', { encryptionKey: myKey, excludeCharacters: '!&*^#@()', replicaRegions: [{ region: 'eu-west-1' }, { region: 'eu-west-2' }], From 25b59c4730d8832e34449d9a9ab5b5853c96f1da Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 17:30:02 -0700 Subject: [PATCH 5/6] docs: explain SnapshotCredentials --- packages/@aws-cdk/aws-rds/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-rds/README.md b/packages/@aws-cdk/aws-rds/README.md index aa472b093533b..76290625b3d90 100644 --- a/packages/@aws-cdk/aws-rds/README.md +++ b/packages/@aws-cdk/aws-rds/README.md @@ -185,7 +185,7 @@ const rule = instance.onEvent('InstanceEvent', { target: new targets.LambdaFunct ## Login credentials -By default, database instances and clusters (with the exception of `DatabaseInstanceFromSnapshot` and ``ServerlessClusterFromSnapshot`) will have `admin` user with an auto-generated password. +By default, database instances and clusters (with the exception of `DatabaseInstanceFromSnapshot` and `ServerlessClusterFromSnapshot`) will have `admin` user with an auto-generated password. An alternative username (and password) may be specified for the admin user instead of the default. The following examples use a `DatabaseInstance`, but the same usage is applicable to `DatabaseCluster`. From 6563d4e8d0e1ffcb85a2b0c95c1231a81e625dbf Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 19 May 2022 17:42:17 -0700 Subject: [PATCH 6/6] docs: explain SnapshotCredentials