Search code examples
amazon-web-servicesterraformaws-cloudformationaws-cdkaws-documentdb

How to pass AWS Secret to Elastic Document DB Cluster using CDK/ Terraform/ Cloudformation

I am trying to create a Elastic Document DB cluster using AWS CDK. This is the L1 resource to achieve the same (sadly there is no L2 construct for Elastic doc db).

There is a property authType which accepts either PLAIN_TEXT or SECRET_ARN as values. The documentation doesn't clarify what it means. Neither is the Cloudformation documentation clear. I am assuming that when the value is set to PLAIN_TEXT, we have to hardcode our password in our CDK code under the adminUserPassword field (which is not secure). So how to use the SECRET_ARN value? Where do I create and pass my AWS Secret?

The CDK documentation states that adminUserPassword is an optional field while the Cloud formation documentation states that it is a conditional field. But when I omit this field (regardless of the value of authType), Cloudformation throws an error that this field is missing.

This is what I tried

const secret = new cdk.aws_secretsmanager.Secret(this, 'DocDbSecret', {
      description: "Secret for docDb cluster",
      secretName: "docDbSecret", 
    });


    const elasticCluster = new aws_docdbelastic.CfnCluster(this, 'elasticCluster', {
        adminUserName: 'myAdmin',
        adminUserPassword: secret.secretArn, // Should we pass secret here? if yes how?
        authType: 'SECRET_ARN',
        clusterName: 'myCluster',
        shardCapacity: 2,
        shardCount: 2,
    });

The terraform resource also has the same confusion...

Solution

  • We have to pass the ARN of the secret in the adminUserPassword field.

    Though, the password for doc db cluster has some conditions which should be specified when generating the secret.

    • Auth type will be SECRET_ARN.

    • adminUserPassword will be secret.secretArn

    • Secret

    should not contain @"/

    /**
 * Create a new secret
 * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html
 */
const secret = new secretsmanager.Secret(this, 'docDbSecret', {
  description: "Description",
  secretName: "docDbSecret",
  generateSecretString: {
    // Don't include / @ "
    excludeCharacters: '/@"',
  }
});


const elasticCluster = new aws_docdbelastic.CfnCluster(this, 'elasticCluster', {
    adminUserName: 'myAdmin',
    adminUserPassword: secret.secretArn, 
    authType: 'SECRET_ARN',
    clusterName: 'myCluster',
    shardCapacity: 2,
    shardCount: 2,
});