feat(rds): support native Secrets Manager integration for RDS Cluster and Instance #35734

Open
mazyu36 wants to merge 9 commits into aws:main from mazyu36:feature/rds-secrets
Conversation

@mazyu36 (Contributor) commented Oct 14, 2025

Issue # (if applicable)

Closes #29239.

Reason for this change

Implements the manageMasterUserPassword property for RDS clusters and instances, enabling RDS native integration with AWS Secrets Manager for automatic master user password management.

Description of changes

Added manageMasterUserPassword property to rds.Cluster and rds.Instance.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Added unit tests and an integ test.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 14, 2025 08:40
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 14, 2025
@mazyu36 mazyu36 marked this pull request as ready for review October 14, 2025 14:30
@mazyu36 mazyu36 changed the title feat(rds): support native Secrets Manager integration for RDS Cluster and Instance feat(rds): support native Secrets Manager integration for RDS Cluster and Instance Oct 15, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 15, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Jan 7, 2026
github-actions bot (Contributor) commented Jan 20, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests                      | Passed ✅  | Skipped | Failed
Security Guardian Results  | 96 ran, 96 passed |         |

No test annotations available.

github-actions bot (Contributor) commented Jan 20, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests                                              | Passed ✅  | Skipped | Failed
Security Guardian Results with resolved templates  | 96 ran, 96 passed |         |

No test annotations available.

writer: rds.ClusterInstance.serverlessV2('writer'),
vpc,
manageMasterUserPassword: true,
credentials: {

Contributor:

The rest of the RDS README uses Credentials.fromUsername() for credential creation. Using a plain object literal here works but is inconsistent with the established pattern. Consider:

credentials: rds.Credentials.fromUsername('admin', {
  encryptionKey: kmsKey,
}),


Contributor Author:

Good catch. Updated to use Credentials.fromUsername() for consistency.

* When enabled, RDS generates and manages the master user password in Secrets Manager.
* Cannot be used together with credentials containing a password.
*
* @default false

Contributor:

Let's add manageMasterUserPassword to DatabaseClusterFromSnapshotProps as well. Per the AWS RDS docs, ManageMasterUserPassword is supported when restoring from snapshots. Customers migrating existing databases to RDS-managed passwords would benefit.


Contributor Author:

Added manageMasterUserPassword to DatabaseClusterFromSnapshotProps with tests.

addConstructMetadata(this, props);

const credentials = renderCredentials(this, props.engine, props.credentials);
const secret = credentials.secret;

Contributor:

This validation block is duplicated identically in instance.ts (lines 1367-1384). If a new credential property is added in the future, both locations must be updated.

Consider extracting a shared helper alongside renderCredentials:

function validateManagedPasswordCredentials(scope: Construct, credentials?: Credentials): void {
  const unsupportedProps = [
    credentials?.excludeCharacters && 'excludeCharacters',
    credentials?.password && 'password',
    credentials?.replicaRegions && 'replicaRegions',
    credentials?.secret && 'secret',
    credentials?.secretName && 'secretName',
    credentials?.usernameAsString && 'usernameAsString',
  ].filter(Boolean);
  if (unsupportedProps.length > 0) {
    throw new ValidationError(
      `When manageMasterUserPassword is enabled, only 'username' and 'encryptionKey' are allowed. Found: ${unsupportedProps.join(', ')}.`,
      scope,
    );
  }
}


Contributor Author:

Extracted validateManagedPasswordCredentials() to private/util.ts and replaced both inline blocks.
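The thread above (the README snippet with manageMasterUserPassword and Credentials.fromUsername, and the validateManagedPasswordCredentials helper) describes a rule and a template outcome without showing either end to end. The following is an added, stand-alone model of both; it is not the PR's code and does not use aws-cdk-lib. The Credentials and MasterCredentialProps types, the string-ARN stand-ins for ISecret/IKey, the plain Error in place of ValidationError, and the renderMasterCredentials function are all assumptions made for the example; the AWS::RDS::DBCluster property names (MasterUsername, MasterUserPassword, ManageMasterUserPassword, MasterUserSecret.KmsKeyId) and the `{{resolve:secretsmanager:...}}` dynamic-reference syntax are CloudFormation's own.

```typescript
// Added example: a stand-alone model of the credential validation discussed in
// this thread and of the CloudFormation properties an RDS-managed master
// password implies. Not the PR's code; types are hypothetical stand-ins for the
// CDK ones (string ARNs instead of ISecret / IKey, Error instead of ValidationError).

export interface Credentials {
  username: string;
  password?: string;            // plain-text password (ends up literally in the template)
  secret?: string;              // ARN of a pre-existing Secrets Manager secret
  secretName?: string;          // name for a CDK-generated secret
  excludeCharacters?: string;   // character set for a CDK-generated password
  replicaRegions?: string[];    // regions to replicate a CDK-generated secret to
  encryptionKey?: string;       // KMS key ARN used to encrypt the secret
  usernameAsString?: boolean;
}

// The AWS::RDS::DBCluster properties that carry the master credentials.
export interface MasterCredentialProps {
  MasterUsername: string;
  MasterUserPassword?: string;
  ManageMasterUserPassword?: boolean;
  MasterUserSecret?: { KmsKeyId?: string };
}

// Names of Credentials fields that are meaningless once RDS owns the password.
// An empty list means the credentials are acceptable for the managed path.
// Unlike a truthiness filter, this treats an explicit `false` as "set".
export function unsupportedManagedPasswordProps(credentials?: Credentials): string[] {
  if (!credentials) {
    return [];
  }
  const checks: Array<[unknown, string]> = [
    [credentials.excludeCharacters, 'excludeCharacters'],
    [credentials.password, 'password'],
    [credentials.replicaRegions, 'replicaRegions'],
    [credentials.secret, 'secret'],
    [credentials.secretName, 'secretName'],
    [credentials.usernameAsString, 'usernameAsString'],
  ];
  return checks.filter(([value]) => value !== undefined).map(([, name]) => name);
}

export function validateManagedPasswordCredentials(credentials?: Credentials): void {
  const unsupported = unsupportedManagedPasswordProps(credentials);
  if (unsupported.length > 0) {
    throw new Error(
      `When manageMasterUserPassword is enabled, only 'username' and 'encryptionKey' are allowed. Found: ${unsupported.join(', ')}.`,
    );
  }
}

// Renders the credential-related template properties (hypothetical helper).
// Managed path: no MasterUserPassword is emitted at all; the password exists
// only inside the secret RDS creates, optionally encrypted with the given key.
// Unmanaged path: a plain password is copied into the template verbatim, while
// an existing secret is pulled at deploy time through a dynamic reference.
export function renderMasterCredentials(
  credentials: Credentials,
  manageMasterUserPassword: boolean,
): MasterCredentialProps {
  if (manageMasterUserPassword) {
    validateManagedPasswordCredentials(credentials);
    return {
      MasterUsername: credentials.username,
      ManageMasterUserPassword: true,
      ...(credentials.encryptionKey
        ? { MasterUserSecret: { KmsKeyId: credentials.encryptionKey } }
        : {}),
    };
  }
  if (credentials.password !== undefined) {
    return { MasterUsername: credentials.username, MasterUserPassword: credentials.password };
  }
  if (credentials.secret !== undefined) {
    return {
      MasterUsername: credentials.username,
      MasterUserPassword: `{{resolve:secretsmanager:${credentials.secret}:SecretString:password}}`,
    };
  }
  // The real construct would generate a secret here; this model requires one.
  throw new Error('Unmanaged credentials need either a password or an existing secret.');
}
```

The point the validator enforces is visible in renderMasterCredentials: any password, secret or secret-shaping option passed alongside manageMasterUserPassword would be silently dropped from the template, which is why the helper rejects them up front instead of letting a caller believe their supplied password is in use.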

vpc,
writer: ClusterInstance.serverlessV2('writer'),
manageMasterUserPassword: true,
credentials: {

Contributor:

This test passes credentials as a plain object { username: 'testuser', encryptionKey: kmsKey }. Since most users will use Credentials.fromUsername(), consider adding a test (or changing this one) to verify that path works correctly with manageMasterUserPassword. The fromUsername method has internal logic that could interact differently.


Contributor Author:

Added a test using Credentials.fromUsername() with manageMasterUserPassword.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 1, 2026
@vishaalmehrishi vishaalmehrishi self-assigned this Apr 1, 2026
- Use Credentials.fromUsername() in README examples for consistency
- Extract shared validateManagedPasswordCredentials helper to private/util.ts
- Add manageMasterUserPassword support to DatabaseClusterFromSnapshotProps
- Add tests for Credentials.fromUsername() and DatabaseClusterFromSnapshot
@mergify mergify bot dismissed vishaalmehrishi’s stale review April 2, 2026 13:43

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 3, 2026
@mazyu36 mazyu36 requested a review from vishaalmehrishi April 3, 2026 03:55
Development

Successfully merging this pull request may close these issues.

AWS::RDS::DBCluster Password management with Amazon Aurora and AWS Secrets Manager