Skip to content

Commit

Permalink
feat(redshift): expose user.secret as property (#17520) (#20078)
Browse files Browse the repository at this point in the history
This change will expose Redshift User.secret as property and close #17520
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
Ahmed-Hussein93 authored Apr 27, 2022
1 parent 82aec9d commit 8da006a
Show file tree
Hide file tree
Showing 3 changed files with 37 additions and 18 deletions.
39 changes: 21 additions & 18 deletions packages/@aws-cdk/aws-redshift/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -60,24 +60,6 @@ The endpoint to access your database cluster will be available as the `.clusterE
cluster.clusterEndpoint.socketAddress; // "HOSTNAME:PORT"
```

## Rotating credentials

When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:

```ts fixture=cluster
cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
```

The multi user rotation scheme is also available:

```ts fixture=cluster
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

cluster.addRotationMultiUser('MyUser', {
secret: secretsmanager.Secret.fromSecretNameV2(this, 'Imported Secret', 'my-secret'),
});
```

## Database Resources

This module allows for the creation of non-CloudFormation database resources such as users
Expand Down Expand Up @@ -273,3 +255,24 @@ call to `grant` but the user does not have the specified permission.

Note that this does not occur when duplicate privileges are granted within the same
application, as such privileges are de-duplicated before any SQL query is submitted.

## Rotating credentials

When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:

```ts fixture=cluster
cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
```

The multi user rotation scheme is also available:

```ts fixture=cluster

const user = new User(this, 'User', {
cluster: cluster,
databaseName: 'databaseName',
});
cluster.addRotationMultiUser('MultiUserRotation', {
secret: user.secret,
});
```
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-redshift/lib/user.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import * as kms from '@aws-cdk/aws-kms';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import * as cdk from '@aws-cdk/core';
import { Construct } from 'constructs';
import { ICluster } from './cluster';
Expand Down Expand Up @@ -137,6 +138,12 @@ export class User extends UserBase {
readonly databaseName: string;
protected databaseProps: DatabaseOptions;

/**
* The Secrets Manager secret of the user.
* @attribute
*/
public readonly secret: secretsmanager.ISecret;

private resource: DatabaseQuery<UserHandlerProps>;

constructor(scope: Construct, id: string, props: UserProps) {
Expand Down Expand Up @@ -165,6 +172,7 @@ export class User extends UserBase {
attachedSecret.grantRead(this.resource);

this.username = this.resource.getAttString('username');
this.secret = secret;
}

/**
Expand Down
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-redshift/test/user.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,14 @@ describe('cluster user', () => {
});
});

it('secret property is exposed', () => {
const user = new redshift.User(stack, 'User', databaseOptions);

expect(stack.resolve(user.secret.secretArn)).toStrictEqual({
Ref: 'UserSecretE2C04A69',
});
});

it('uses username when provided', () => {
const username = 'username';

Expand Down

0 comments on commit 8da006a

Please sign in to comment.