I've been unable to synth my CDK stack. I need to instantiate a Postgres RDS database instance. I've attempted to add a single-user secret rotation schedule to no avail. Do you have any ideas of what is required to achieve a secret rotation? The error message received when trying to synth the stack:
[Error at /usecase-1-stack/test-uc1-pgdb/Secret/Resource] AwsSolutions-SMG4: The secret does not have automatic rotation scheduled. AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database.
and cdk code below:
from aws_cdk import Duration  # needed for Duration.days(); missing from the original snippet
from aws_cdk import aws_rds as rds
from aws_cdk import aws_secretsmanager as sm
from aws_cdk import aws_ec2 as ec2

# env_id, curated_db_name, curated_db_port, data_key, data_vpc and
# curated_rds_security_group are defined elsewhere in the stack.
curated_rds = rds.DatabaseInstance(
    self,
    f"{env_id}-uc1-pgdb",
    database_name=curated_db_name,
    engine=rds.DatabaseInstanceEngine.postgres(
        version=rds.PostgresEngineVersion.VER_14_10
    ),
    port=curated_db_port,
    instance_type=ec2.InstanceType.of(
        ec2.InstanceClass.STANDARD5, ec2.InstanceSize.LARGE
    ),
    # Generated admin secret, encrypted with the stack's KMS key
    credentials=rds.Credentials.from_generated_secret(
        "admin",
        encryption_key=data_key,
        secret_name=f"{env_id}-uc1-pgdb-admin",
    ),
    vpc=data_vpc,
    vpc_subnets=ec2.SubnetSelection(
        subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
    ),
    security_groups=[curated_rds_security_group],
    storage_encrypted=True,
    storage_encryption_key=data_key,
    auto_minor_version_upgrade=True,
    deletion_protection=True,
    multi_az=True,
    publicly_accessible=False,
    enable_performance_insights=True,
)

# Alternative tried earlier: rotation via the instance helper
# curated_rds.add_rotation_single_user(automatically_after=Duration.days(30))

# Hosted single-user rotation on the generated secret, every 7 days
curated_rds.secret.add_rotation_schedule(
    "RotationSchedule",
    hosted_rotation=sm.HostedRotation.postgre_sql_single_user(),
    automatically_after=Duration.days(7),
)
The cdk-nag error resulted from a bug.
The secret rotation was set but was flagged as non-compliant even though rotation was configured. I was working with version v2.116 of aws-cdk-lib, and updating to 2.129.0 resolved the SMG4 issue.
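When a cdk-nag finding looks like a false positive, it helps to check the synthesized template directly for what AwsSolutions-SMG4 is looking for: an AWS::SecretsManager::RotationSchedule that reaches the secret. For an RDS-attached secret, CDK makes the schedule reference the SecretTargetAttachment rather than the secret itself, so the check has to follow that hop. The script below is an added example, not code from the question or from cdk-nag; the template and its logical IDs are constructed.

```python
import json

# Constructed sample of a synthesized CDK template (cdk.out/<stack>.template.json),
# cut down to the resources that matter for the SMG4 check. Logical IDs are made up.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "pgdbSecret1": {"Type": "AWS::SecretsManager::Secret",
                    "Properties": {"Name": "test-uc1-pgdb-admin"}},
    # CDK attaches an RDS secret to its instance via a SecretTargetAttachment ...
    "pgdbAttach1": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
                    "Properties": {"SecretId": {"Ref": "pgdbSecret1"},
                                   "TargetId": {"Ref": "pgdbInstance1"},
                                   "TargetType": "AWS::RDS::DBInstance"}},
    # ... and the rotation schedule then points at the attachment, not the secret.
    "pgdbRotation1": {"Type": "AWS::SecretsManager::RotationSchedule",
                      "Properties": {"SecretId": {"Ref": "pgdbAttach1"},
                                     "HostedRotationLambda": {"RotationType": "PostgreSQLSingleUser"},
                                     "RotationRules": {"ScheduleExpression": "rate(7 days)"}}},
    "legacySecret1": {"Type": "AWS::SecretsManager::Secret",
                      "Properties": {"Name": "legacy-app-password"}},
}})


def resolve_secret(resources, secret_id):
    """Follow a {"Ref": ...} through any SecretTargetAttachment hops to the
    logical ID of the underlying AWS::SecretsManager::Secret (None if unresolved)."""
    while isinstance(secret_id, dict) and "Ref" in secret_id:
        logical_id = secret_id["Ref"]
        if logical_id not in resources:
            return None
        res = resources[logical_id]
        if res["Type"] == "AWS::SecretsManager::Secret":
            return logical_id
        if res["Type"] != "AWS::SecretsManager::SecretTargetAttachment":
            return None
        secret_id = res.get("Properties", {}).get("SecretId")
    return None


def unrotated_secrets(template_json):
    """Return logical IDs of secrets that no RotationSchedule reaches,
    i.e. the set SMG4 reports on. Only Ref-based links are followed."""
    resources = json.loads(template_json)["Resources"]
    rotated = set()
    for res in resources.values():
        if res["Type"] == "AWS::SecretsManager::RotationSchedule":
            target = resolve_secret(resources, res.get("Properties", {}).get("SecretId"))
            if target is not None:
                rotated.add(target)
    return sorted(lid for lid, res in resources.items()
                  if res["Type"] == "AWS::SecretsManager::Secret" and lid not in rotated)
```

Run it against your own `cdk.out/<stack>.template.json` after `cdk synth`; if the RDS secret is absent from the result while cdk-nag still reports SMG4, the finding is coming from the tooling rather than from the stack.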