Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-rds): Cannot change removal policy of DatabaseInstance's admin secret #17728

Closed
mskrip opened this issue Nov 26, 2021 · 7 comments · Fixed by #17746
Closed

(aws-rds): Cannot change removal policy of DatabaseInstance's admin secret #17728

mskrip opened this issue Nov 26, 2021 · 7 comments · Fixed by #17746
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort feature/coverage-gap Gaps in CloudFormation coverage by L2 constructs feature-request A feature should be added or improved. p2

Comments

@mskrip
Copy link
Contributor

mskrip commented Nov 26, 2021

What is the problem?

It's not possible to change the default DatabaseInstance.secret removal policy. The instance of the secret does have a apply_removal_policy method bound to it (I can see it when printing dir(secret)), but calling it makes no difference.

Reproduction Steps

Create a rds.DatabaseInstance and the master secret will have a default removal policy DELETE with no way to change it (even if changing the removal policy of the instance).

What did you expect to happen?

I would expect, that calling rds_instance.secret.apply_removal_policy would apply the removal policy.

What actually happened?

It doesn't

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

1.134.0

Node.js Version

v16.12.0

OS

Arch Linux 5.15.4-arch1-1

Language

Python

Language Version

3.9.7

Other information

No response
@mskrip mskrip added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 26, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Nov 26, 2021
@peterwoodworth
Copy link
Contributor

I believe this is because the secret is declared as an ISecret, which doesn't have the applyRemovalPolicy() function. I'm not sure if this is something that we can change

To work around this and apply the removal policy you want to the secret, you can use an escape hatch!

Here's an example for TypeScript, let me know if you need one for Python.

    const db = new DatabaseInstance(this, 'db', {
      vpc: vpc,
      engine: dsb.DatabaseInstanceEngine.postgres({version: dsb.PostgresEngineVersion.VER_13_4})
    });

    const secret = db.node.children[2] as DatabaseSecret
    secret.applyRemovalPolicy(RemovalPolicy.RETAIN)

@peterwoodworth peterwoodworth changed the title (@aws-cdk/aws-rds): Cannot change removal policy of DatabaseInstance's admin secret (aws-rds): Cannot change removal policy of DatabaseInstance's admin secret Nov 26, 2021
@peterwoodworth peterwoodworth removed the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Nov 26, 2021
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Nov 26, 2021
@skinny85
Copy link
Contributor

Hey @mskrip,

thanks for opening the issue. Looks like the Resource class already has applyRemovalPolicy() method, so this should just be a matter of adding that same method to the IResource interface.

PRs are very welcome! 🙂

Thanks,
Adam

@skinny85 skinny85 added @aws-cdk/core Related to core CDK functionality effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md feature-request A feature should be added or improved. feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. and removed bug This issue is a bug. @aws-cdk/aws-rds Related to Amazon Relational Database needs-triage This issue or PR still needs to be triaged. labels Nov 29, 2021
@skinny85 skinny85 removed their assignment Nov 29, 2021
@mskrip mskrip mentioned this issue Nov 29, 2021
Merged
@mergify mergify bot closed this as completed in #17746 Dec 6, 2021
mergify bot pushed a commit that referenced this issue Dec 6, 2021
@mskrip
feat(core): add applyRemovalPolicy to IResource (#17746)

Verified

This commit was signed with the committer’s verified signature.
yyx990803 Evan You
GPG key ID: 00E9AB7A6704CE0A
Verified
Learn about vigilant mode
d64057f 
The motivation behind this change is in both the linked issue and the added test case: change removal policy of a child resource with an interface type.

Thanks @skinny85 for pointing me in the right direction.

Closes #17728

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Dec 6, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@mskrip
Copy link
Contributor Author

mskrip commented Dec 17, 2021

@skinny85 Unfortunately, the #17746 did not really fix the underlying issue here, since rds_instance.secret is not the Secret resource but SecretTargetAttachment. Therefore, I still have to use the escape hatch here.

@skinny85
Copy link
Contributor

That's a fair point @mskrip. I'm re-opening this one.

I'm wondering what should be correct behavior be here? Should calling applyRemovalPolicy() on the SecretTargetAttachment also change the retention policy of the Secret it's pointing to?

@skinny85 skinny85 reopened this Dec 17, 2021
@skinny85 skinny85 added @aws-cdk/aws-rds Related to Amazon Relational Database and removed @aws-cdk/core Related to core CDK functionality labels Dec 17, 2021
@skinny85 skinny85 added feature/coverage-gap Gaps in CloudFormation coverage by L2 constructs and removed good first issue Related to contributions. See CONTRIBUTING.md feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. labels Dec 17, 2021
@mskrip
Copy link
Contributor Author

mskrip commented Dec 20, 2021

@skinny85 Yes, that makes sense. Maybe it would be useful if SecretTargetAttachment had a reference to the Secret resource it's attaching so the policies can be applied explicitly. But that might be too much of a change to the interface so I'm not sure.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@mskrip @TikiTDO
feat(core): add applyRemovalPolicy to IResource (aws#17746)
b158bee 
The motivation behind this change is in both the linked issue and the added test case: change removal policy of a child resource with an interface type.

Thanks @skinny85 for pointing me in the right direction.

Closes aws#17728

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Dec 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort feature/coverage-gap Gaps in CloudFormation coverage by L2 constructs feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(core): add applyRemovalPolicy to IResource
4 participants
@skinny85 @rix0rrr @mskrip @peterwoodworth