
(aws-rds): grantConnect fails if Instance has secret and user not specified #26603

Closed
amrit073 opened this issue Aug 2, 2023 · 2 comments · Fixed by #26647
Labels
@aws-cdk/aws-lambda-nodejs bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1

Comments


amrit073 commented Aug 2, 2023

I am trying to give a Lambda function made using cdk.aws_lambda_nodejs.NodejsFunction.
If I do

dbInstance.grantConnect(converterLambdaFunc);

while bootstrapping, it fails, saying:

Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code

Expected Behavior

It should have bootstrapped successfully, allowing connection from the Lambda to RDS.

Current Behavior

Error: Resolution error: Resolution error: Resolution error: Resolution error: Synthing a secret value to Resources/${Token[SmplDynamicStack-dev.pdfconverterlambda.ServiceRole.DefaultPolicy.Resource.LogicalID.839]}/Properties/policyDocument/Statement/0/Resource. Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code. Call 'secretValue.unsafeUnwrap()' if you understand and accept the risks..
Object creation stack:
  at stack traces disabled.
Object creation stack:
  at stack traces disabled..
    at SecretValue.resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/secret-value.js:1:3801)
    at RememberingTokenResolver.resolveToken (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1238)
    at RememberingTokenResolver.resolveToken (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:3924)
    at resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2510)
    at Object.resolve [as mapToken] (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:892)
    at TokenizedStringFragments.mapTokens (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1365)
    at RememberingTokenResolver.resolveString (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/resolvable.js:4:358)
    at RememberingTokenResolver.resolveString (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:4000)
    at resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:1816)
    at Object.resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:892)

Reproduction Steps

To reproduce, make an RDS instance (vpc and DB_NAME are defined elsewhere in the stack):

const dbInstance = new rds.DatabaseInstance(this, "db-instance", {
  vpc,
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
  },
  engine: rds.DatabaseInstanceEngine.postgres({
    version: rds.PostgresEngineVersion.VER_14,
  }),
  instanceType: ec2.InstanceType.of(
    ec2.InstanceClass.T3,
    ec2.InstanceSize.MICRO
  ),
  // generated secret: the username is known ("dbuser"), the password is stored in Secrets Manager
  credentials: rds.Credentials.fromGeneratedSecret("dbuser"),
  multiAz: false,
  deletionProtection: false,
  databaseName: DB_NAME,
  publiclyAccessible: false,
  backupRetention: cdk.Duration.days(0),
});

Make a Node.js Lambda function:

// Runtime comes from aws-cdk-lib/aws-lambda, NodejsFunction from aws-cdk-lib/aws-lambda-nodejs
const nodeJsFunctionProps = {
  runtime: Runtime.NODEJS_18_X,
  timeout: cdk.Duration.minutes(3),
  memorySize: 256,
};
const converterLambdaFunc = new NodejsFunction(this, "testfunc", {
  entry: path.join(__dirname, "../functions/converter.js"),
  ...nodeJsFunctionProps,
  functionName: 'testfunction',
});

Grant connect to the Lambda (no dbUser argument, so the user name has to come from the secret):

dbInstance.grantConnect(converterLambdaFunc);

Run:

npm run build
cdk bootstrap

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.89.0 (build 2ad6683)

Framework Version

No response

Node.js Version

v18.12.1

OS

Arch Linux

Language

Typescript

Language Version

tsc - version 4.8.4

Other information

No response

@amrit073 amrit073 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2023
@peterwoodworth
Contributor

cdk bootstrap is unrelated here, just FYI. If you're trying to deploy the stack, you want cdk deploy. Regardless, the same error will show, since the app will run into this error at synth time.

I'm able to reproduce the error with your snippet; thanks for sharing the helpful repro steps! It appears to me that this PR didn't include a test to account for the case where dbUser is not passed in when grantConnect() is called. Doing this will require us to use unsafeUnwrap(), I believe.
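The comment above pins the failure on the DB user name being derived from the instance's secret. The following stand-alone model is an added example, not code from the issue or from aws-cdk-lib: it shows the resource ARN shape an rds-db:connect grant needs, why a SecretValue-derived user name (a ${Token[...]} string until synth) cannot be placed there, and the workaround of passing the known user name explicitly. The function names, the token regex and the sample account/resource ids are constructed for this example.

```typescript
// Added example (not part of the issue or of aws-cdk-lib).
//
// IAM database authentication ARNs have the form
//   arn:<partition>:rds-db:<region>:<account>:dbuser:<dbi-resource-id>/<db-user>
// so an rds-db:connect grant needs the DB user name in plain text. When
// grantConnect() is called without dbUser and has to take the name from the
// Secrets Manager secret, that name is a lazy token, and resolving a
// SecretValue token into an IAM policy document is what the synth error flags.

// Matches CDK's encoding of an unresolved string token, e.g. "${Token[Stack.Secret.42]}".
const CDK_TOKEN_PATTERN = /\$\{Token\[[^\]]*\]\}/;

function isUnresolvedToken(value: string): boolean {
  return CDK_TOKEN_PATTERN.test(value);
}

interface ConnectGrantOptions {
  partition?: string;     // defaults to "aws"
  region: string;
  account: string;
  dbiResourceId: string;  // the instance's DbiResourceId (constructed in the test)
  dbUser: string;         // database user to grant; must already be plain text
}

// Builds the rds-db:connect resource ARN, refusing an unresolved secret token.
function buildRdsConnectArn(opts: ConnectGrantOptions): string {
  const { partition = 'aws', region, account, dbiResourceId, dbUser } = opts;
  if (isUnresolvedToken(dbUser)) {
    // Mirrors the failure in this issue: the secret-derived name would have to
    // be unwrapped into plain text to land in the policy document. Passing the
    // known user name explicitly, e.g. grantConnect(fn, 'dbuser'), avoids it.
    throw new Error(
      'dbUser is an unresolved SecretValue token; pass the user name explicitly ' +
      'instead of letting grantConnect() derive it from the secret',
    );
  }
  return `arn:${partition}:rds-db:${region}:${account}:dbuser:${dbiResourceId}/${dbUser}`;
}

// The single policy statement an rds-db:connect grant attaches to the grantee.
function buildConnectStatement(opts: ConnectGrantOptions) {
  return {
    Effect: 'Allow',
    Action: ['rds-db:connect'],
    Resource: [buildRdsConnectArn(opts)],
  };
}
```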

@peterwoodworth peterwoodworth added good first issue Related to contributions. See CONTRIBUTING.md p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 3, 2023
@peterwoodworth peterwoodworth changed the title (aws-rds, aws-lambda-nodejs): Cannot grant connection to lambda (aws-rds): grantConnect fails if Instance has secret and user not specified Aug 3, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Aug 8, 2023
@mergify mergify bot closed this as completed in #26647 Aug 8, 2023
mergify bot pushed a commit that referenced this issue Aug 8, 2023
…r instances with secret credentials (#26647)

Calling `grantConnect` on instances with secret credentials without specifying the user was causing the deploy to fail because the secret was not resolved.
This fix solves the bug.

Closes #26603.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions bot commented Aug 8, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
