Skip to content

feat(rds): add urlSafePassword option to DatabaseSecret for URL parser compatibility#35211

Open
pahud wants to merge 5 commits intoaws:mainfrom
pahud:fix-35175-rds-url-safe-password
Open

feat(rds): add urlSafePassword option to DatabaseSecret for URL parser compatibility#35211
pahud wants to merge 5 commits intoaws:mainfrom
pahud:fix-35175-rds-url-safe-password

Conversation

@pahud
Copy link
Copy Markdown
Contributor

@pahud pahud commented Aug 11, 2025
edited
Loading

Issue # (if applicable)

Closes #35175.

Reason for this change

Go applications using net/url parser fail when parsing database connection URLs containing RDS-generated passwords with caret (^) characters. The error net/url: invalid userinfo prevents Go developers from using CDK-generated RDS passwords in connection URLs, forcing them to manually generate passwords or work around the issue.

This change adds an optional urlSafePassword property to DatabaseSecret and related credential interfaces, allowing developers to generate passwords that are compatible with URL parsers by excluding characters that cause parsing issues.

Description of changes

This implementation adds URL-safe password generation capability to the AWS RDS module:

  • New urlSafePassword property: Added optional boolean property to DatabaseSecretProps, CredentialsBaseOptions, CredentialsFromUsernameOptions, SnapshotCredentialsFromGeneratedPasswordOptions, Credentials, and SnapshotCredentials interfaces
  • URL-safe character exclusion: Created URL_SAFE_PASSWORD_EXCLUDE_CHARS constant that extends the default exclusion set with the caret (^) character
  • Conditional exclusion logic: Enhanced DatabaseSecret constructor and SnapshotCredentials.fromGeneratedSecret() method to use URL-safe exclusions when urlSafePassword: true
  • Precedence rules: Explicit excludeCharacters parameter takes precedence over urlSafePassword option for maximum user control
  • Hash integration: Included urlSafePassword in logical ID hash calculation for proper secret replacement when replaceOnPasswordCriteriaChanges: true
  • Comprehensive integration: Extended renderCredentials() and renderSnapshotCredentials() functions to propagate the option through all credential creation paths
  • Full snapshot support: Fixed SnapshotCredentials.fromGeneratedSecret() to properly handle urlSafePassword option by implementing the same exclusion logic as DatabaseSecret

Design decisions made:

  • Follows the established pattern from issue Make ExcludeCharacters configurable for aws-rds masterSecret #7911 (configurable exclusions) for consistency
  • Purely additive optional feature to maintain complete backward compatibility
  • Explicit parameter precedence (excludeCharacters overrides urlSafePassword) for predictable behavior
  • Minimal character set extension (only adds ^) to maintain password entropy while solving the specific URL parsing issue
  • Consistent implementation across both DatabaseSecret and SnapshotCredentials for unified behavior

Alternatives considered and rejected:

  • Changing default exclusion behavior: Rejected due to breaking change implications
  • Adding multiple URL-safe options: Rejected for API simplicity, single boolean covers the primary use case
  • Excluding additional URL-problematic characters: Rejected to minimize impact on password entropy

Describe any new or updated permissions being added

N/A - This change only affects password generation character exclusions and does not require any new IAM permissions or resource access patterns.

Description of how you validated changes

Unit tests: Added 7 comprehensive unit tests covering all functionality:

  • Basic URL-safe password functionality with CloudFormation template validation for DatabaseSecret
  • Caret character exclusion verification in generated ExcludeCharacters property
  • Precedence rules testing (explicit excludeCharacters overrides urlSafePassword)
  • Logical ID changes with replaceOnPasswordCriteriaChanges integration
  • Master secret integration scenarios
  • NEW: SnapshotCredentials.fromGeneratedSecret() with urlSafePassword for database instances from snapshots
  • NEW: SnapshotCredentials.fromGeneratedSecret() with urlSafePassword for database clusters from snapshots

Integration tests: Verified existing integration tests continue to pass. No new integration tests required as the feature follows established patterns and existing tests validate the password generation pipeline.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@pahud
feat(aws-rds): add urlSafePassword option to DatabaseSecret for URL p…
e2d394a 
…arser compatibility

Add optional urlSafePassword property to DatabaseSecret and related credential interfaces
to generate passwords compatible with URL parsers by excluding problematic characters.

- Add urlSafePassword option to DatabaseSecretProps, CredentialsBaseOptions, Credentials, and SnapshotCredentials
- Create URL_SAFE_PASSWORD_EXCLUDE_CHARS constant that excludes caret (^) character
- Implement conditional exclusion logic in DatabaseSecret constructor
- Ensure explicit excludeCharacters takes precedence over urlSafePasswor
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Aug 11, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team August 11, 2025 23:46
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 11, 2025
aws-cdk-automation
aws-cdk-automation requested changes Aug 11, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

@pahud pahud changed the title feat(aws-rds): add urlSafePassword option to DatabaseSecret for URL parser compatibility feat(rds): add urlSafePassword option to DatabaseSecret for URL parser compatibility Aug 11, 2025
@pahud
Copy link
Copy Markdown
Contributor Author

pahud commented Aug 11, 2025

Exemption Request

Integration tests: Verified existing integration tests continue to pass. No new integration tests required as the feature follows established patterns and existing tests validate the password generation pipeline.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Aug 11, 2025
@pahud pahud marked this pull request as ready for review August 14, 2025 15:39
@github-actions github-actions bot mentioned this pull request Sep 1, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p2 pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-rds: Exclude caret (^) from allowed password pattern

3 participants

@pahud @aws-cdk-automation @Abogical