Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_amazonmq: SecretValue is an IResovable, but it is rejected as an element of the users array #27775

Closed
acosta-edgar opened this issue Oct 31, 2023 · 2 comments
Closed

aws_amazonmq: SecretValue is an IResovable, but it is rejected as an element of the users array #27775

acosta-edgar opened this issue Oct 31, 2023 · 2 comments
Labels
@aws-cdk/aws-amazonmq Related to Amazon MQ service @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@acosta-edgar
Copy link

Describe the bug

in aws_amazonmq, construct cfnBroker, the users property is supposed to accept an array of IResovable, however, it does not accept in the Array a SecretValue, which implements the IResolvable interface.

Expected Behavior

putting a Secret value in the array of users should resolve later on.

Current Behavior

CDK throws a resolution error like this

Resolution error: Synthing a secret value to Resources/${Token[MyStack.AmazonMQ.rabbitmq.LogicalID.299]}/Properties/users/0. Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code. Call 'secretValue.unsafeUnwrap()' if you understand and accept the risks.

Reproduction Steps

instantiate a new CfnBroker passing a secret value to the users array. e.g.

let mqProps = {
            autoMinorVersionUpgrade: false,
            brokerName: 'rabbitmq-broker',
            deploymentMode: 'SINGLE_INSTANCE',
            engineType: 'RABBITMQ',
            engineVersion: '3.11.20', 
            hostInstanceType: 'mq.t3.micro',
            publiclyAccessible: false,
            maintenanceWindowStartTime: {
                dayOfWeek: 'Saturday',
                timeOfDay: '22:00',
                timeZone: 'America/Montreal',
            },
            securityGroupIds: [amazonmqSecurityGroup.securityGroupId],
            subnetIds: vpc.vpc.selectSubnets({ 
                subnetType: ec2.SubnetType.PRIVATE_ISOLATED
              }).subnetIds,
            users: [
                cdk.SecretValue.secretsManager(secretName) //<------
            ],
            logs: {
                audit: false,
                general: true,
            }
        };

        const cfnBroker = new mq.CfnBroker(this, 'rabbitmq', mqProps);

Possible Solution

No response

Additional Information/Context

Using Typescript CDK 2.103.1 and also tried with older versions. As well of other versions of node.

CDK CLI Version

2.103.1

Framework Version

No response

Node.js Version

21.1.0

OS

MacOS

Language

TypeScript

Language Version

5.0.4

Other information

No response
@acosta-edgar acosta-edgar added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 31, 2023
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Oct 31, 2023
@acosta-edgar acosta-edgar changed the title (module name): (short issue description) aws_amazonmq: SecretValue is an IResovable, but it is rejected as an element of the users array Oct 31, 2023
@github-actions github-actions bot added the @aws-cdk/aws-amazonmq Related to Amazon MQ service label Oct 31, 2023
@pahud
Copy link
Contributor

pahud commented Oct 31, 2023

I guess this is protected by this feature flag

@aws-cdk/core:checkSecretUsage

check this out:

aws-cdk/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

Line 517 in f9ee5e6

### @aws-cdk/core:checkSecretUsage

aws-cdk/packages/aws-cdk-lib/core/test/secret-value.test.ts

Lines 34 to 44 in f9ee5e6

test('secret resolution fails if feature flag is switched on, secret can be unwrapped', () => {
const app = new App({
context: { '@aws-cdk/core:checkSecretUsage': true },
});
const stack = new Stack(app, 'Stack');
// WHEN
const v = SecretValue.unsafePlainText('s3cr3t');
// THEN
expect(() => stack.resolve(v)).toThrow(/Using a SecretValue here risks exposing your secret/);

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 31, 2023
@github-actions github-actions bot mentioned this issue Nov 1, 2023
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 2, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Nov 2, 2023
@github-actions github-actions bot closed this as completed Nov 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-amazonmq Related to Amazon MQ service @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pahud @acosta-edgar