
How to copy and modify a secret in AWS CDK

I have a CDK app in Python that creates a Postgres RDS database. I let the DatabaseCluster generate a secret for the database admin user. I would like to take that secret and create 2 other secrets with everything the same except the endpoint (one for RDS Proxy and one to use the read replica). I'm not sure how I would do that, and do it securely without exposing the original password in CloudFormation.

from aws_cdk import core as cdk
from aws_cdk.aws_ec2 import InstanceType, IVpc, Peer, Port, SecurityGroup, SubnetSelection, SubnetType
from aws_cdk.aws_rds import AuroraPostgresEngineVersion, Credentials, DatabaseCluster, DatabaseClusterEngine, InstanceProps

class AuroraPostgresRdsModule(cdk.Construct):
    def __init__(self, scope: cdk.Construct, construct_id: str, vpc: IVpc, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        self.rds = DatabaseCluster(
            self,
            "rds",
            engine=DatabaseClusterEngine.aurora_postgres(version=AuroraPostgresEngineVersion.VER_11_9),
            instance_props=InstanceProps(vpc=vpc),
            instances=2,
            default_database_name="test"
        )

        self.rds_proxy = self.rds.add_proxy(
            "rds-proxy",
            secrets=[self.rds.secret],
            vpc=vpc
        )
        
        # How to do this???
        # self.proxy_secret = self.rds.secret.copy(updates={"host": self.rds_proxy.endpoint})
        # self.replica_secret = self.rds.secret.copy(updates={"host": self.rds.cluster_read_endpoint})

One way is to define the secret on its own first and then pass it to your other resources. You could also specify credentials for other resources based on your secret's values, e.g. secret_value_from_json("username").to_string() and secret_value_from_json("password").

See: https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_secretsmanager/README.html
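The approach above keeps the password out of the template because values from secret_value_from_json() synthesize to {{resolve:secretsmanager:...}} dynamic references, which CloudFormation resolves at deploy time rather than storing. The following check is an added example, not code from the post: it parses a synthesized template (the embedded one is a constructed sample in the shape `cdk synth` emits, with a hypothetical RdsProxy resource) and flags any Secret whose password is a literal instead of such a reference.

```python
import json
import re

# A delegated password appears in the template only as a dynamic reference.
DYNAMIC_REF = re.compile(r"^\{\{resolve:secretsmanager:.+:SecretString:\w+::\}\}$")

def flatten(value):
    """Render a template string value to text; intrinsics become ${...} placeholders."""
    if isinstance(value, str):
        return value
    if "Fn::Join" in value:
        delimiter, parts = value["Fn::Join"]
        return delimiter.join(flatten(part) for part in parts)
    if "Ref" in value:
        return "${Ref:%s}" % value["Ref"]
    if "Fn::GetAtt" in value:
        return "${GetAtt:%s}" % ".".join(value["Fn::GetAtt"])
    raise ValueError(f"unsupported value: {value!r}")

def audit_secrets(template, field="password"):
    """Return {logical_id: finding} for each AWS::SecretsManager::Secret whose
    `field` is written into the template instead of generated or referenced."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") != "AWS::SecretsManager::Secret" or "SecretString" not in props:
            continue  # not a secret, or Secrets Manager generates the value itself
        try:
            fields = json.loads(flatten(props["SecretString"]))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            findings[logical_id] = f"SecretString is not a JSON object: {exc}"
            continue
        if field in fields and not DYNAMIC_REF.match(str(fields[field])):
            findings[logical_id] = f"{field} is a literal in the template, not a dynamic reference"
    return findings

# Constructed sample: a generated source secret, a derived secret built from
# secret_value_from_json() values, and a hand-written one that leaks its password.
SAMPLE_TEMPLATE = {"Resources": {
    "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "GenerateSecretString": {"GenerateStringKey": "password"}}},
    "ProxySecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "SecretString": {"Fn::Join": ["", [
            '{"username":"{{resolve:secretsmanager:', {"Ref": "DbSecret"},
            ':SecretString:username::}}","password":"{{resolve:secretsmanager:',
            {"Ref": "DbSecret"}, ':SecretString:password::}}","host":"',
            {"Fn::GetAtt": ["RdsProxy", "Endpoint"]}, '"}']]}}},
    "LeakySecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "SecretString": '{"username":"postgres","password":"PLACEHOLDER","host":"replica.example"}'}},
}}
```

Run it against the JSON under cdk.out after `cdk synth`; an empty result means every secret either lets Secrets Manager generate its password or only references the source secret.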
