(aws-glue-alpha): Unable to use secret that has been imported using aws_cdk.Fn.import_value() with glue connection #30291

Open
PekonenIlmari opened this issue May 21, 2024 · 2 comments
Labels
@aws-cdk/aws-glue Related to AWS Glue bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments

PekonenIlmari commented May 21, 2024

Describe the bug

When importing a secret using aws_secretsmanager.Secret.from_secret_complete_arn() and populating secret_complete_arn with the ARN value that has been exported using CfnOutput from another stack, it is not possible to use this secret with aws_glue_alpha.Connection.

This problem only occurs when you are trying to import the secret using the ARN from import_value; if the ARN is hardcoded, everything works as expected.

Expected Behavior

This is the expected behaviour when trying to change SECRET_ID with secret.secret_name from a secret imported with a hardcoded ARN. This also populates the secret name in the console.

CDK change set:

[~] AWS::Glue::Connection pipelines/test-pipeline/dev/glue_assets/OracleConnection OracleConnectionXXXXXXXX may be replaced
 └─ [~] ConnectionInput (may cause replacement)
     └─ [~] .ConnectionProperties:
         └─ [~] .SECRET_ID:
             └─ @@ -1,13 +1,1 @@
                [-] "oldsecret"
                [+] "newsecret"

Current Behavior

This is the behaviour when trying to change SECRET_ID with secret.secret_name from a secret imported with an aws_cdk.Fn.import_value() ARN. This doesn't populate the secret name in the console.

CDK change set:

[~] AWS::Glue::Connection pipelines/test-pipeline/dev/glue_assets/OracleConnection OracleConnectionXXXXXXXX may be replaced
 └─ [~] ConnectionInput (may cause replacement)
     └─ [~] .ConnectionProperties:
         └─ [~] .SECRET_ID:
             └─ @@ -1,13 +1,1 @@
                [-] "oldsecret"
                [+] {
                [+]   "Fn::Select": [
                [+]     6,
                [+]     {
                [+]       "Fn::Split": [
                [+]         ":",
                [+]         {
                [+]           "Fn::ImportValue": "newsecret"
                [+]         }
                [+]       ]
                [+]     }
                [+]   ]
                [+] }

Reproduction Steps

Create secret in a Stack and export it using CfnOutput

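import aws_cdk.aws_secretsmanager as sm
from aws_cdk import CfnOutput

# Inside the exporting Stack's __init__
secret = sm.Secret(
    self,
    "TestSecret",
    secret_name="newsecret",
)

# Export the complete ARN under the export name "newsecret"
CfnOutput(
    self,
    "SecretOutput",
    value=secret.secret_full_arn,
    export_name="newsecret",
)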

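Import the value in the other Stack using `aws_cdk.Fn.import_value()` and create a connection

import aws_cdk
import aws_cdk.aws_glue_alpha as glue_alpha
import aws_cdk.aws_secretsmanager as sm

# Inside the consuming Stack's __init__
secret_arn = aws_cdk.Fn.import_value("newsecret")
# Import step from the bug description above; the construct id "ImportedSecret" is a placeholder
secret_value = sm.Secret.from_secret_complete_arn(self, "ImportedSecret", secret_arn)

glue_alpha.Connection(
    self,
    id,
    connection_name=connection_name,
    type=glue_alpha.ConnectionType.JDBC,
    subnet=subnet,
    security_groups=security_groups,
    properties={
        "JDBC_CONNECTION_URL": connection_url,
        "SECRET_ID": secret_value.secret_name,
    },
)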

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.138.0

Framework Version

No response

Node.js Version

20.11.0

OS

MacOS

Language

Python

Language Version

No response

Other information

No response

@PekonenIlmari PekonenIlmari added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 21, 2024
@github-actions github-actions bot added the @aws-cdk/aws-glue Related to AWS Glue label May 21, 2024
Contributor

pahud commented May 21, 2024

Please note that when your consumer stack has imported the value from an exported stack, you won't be allowed to update that exported resource as it has been consumed. This is a limitation of CloudFormation.

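secret_arn = aws_cdk.Fn.import_value("newsecret")
# Import step from the bug description; the construct id "ImportedSecret" is a placeholder
secret_value = sm.Secret.from_secret_complete_arn(self, "ImportedSecret", secret_arn)

glue_alpha.Connection(
    self,
    id,
    connection_name=connection_name,
    type=glue_alpha.ConnectionType.JDBC,
    subnet=subnet,
    security_groups=security_groups,
    properties={
        "JDBC_CONNECTION_URL": connection_url,
        "SECRET_ID": secret_value.secret_name,
    },
)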

Given the above, were you trying to update the secret from another stack? What are the error messages?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 21, 2024
Author

PekonenIlmari commented May 22, 2024

I was trying to update the value of SECRET_ID for connection properties and not the secret value itself. The problem is that when trying to extract the secret_name from this imported value the secret_name isn't updated on AWS side (value under AWS Secret). There is no error message at any point.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 22, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024
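
Added example, not part of the issue or of the CDK code base: a minimal evaluator for the SECRET_ID expression shown in the "Current Behavior" change set, run against a constructed export value. The account id, region and six-character suffix are made up; the point is that field 6 of a complete Secrets Manager ARN is the secret name plus its random suffix, not the bare name that the hardcoded-ARN change set shows.

```python
import re

# Constructed sample: what the exporting stack's output would hold at deploy time.
# Account id, region and the 6-character suffix are made up for illustration.
EXPORTS = {
    "newsecret": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:newsecret-AbCdEf",
}

# The SECRET_ID expression copied from the "Current Behavior" change set.
SECRET_ID_EXPR = {
    "Fn::Select": [6, {"Fn::Split": [":", {"Fn::ImportValue": "newsecret"}]}]
}


def resolve(node, exports):
    """Evaluate the three intrinsics used in the change set; other values pass through."""
    if isinstance(node, list):
        return [resolve(item, exports) for item in node]
    if not isinstance(node, dict) or len(node) != 1:
        return node
    (fn, arg), = node.items()
    if fn == "Fn::ImportValue":
        return exports[resolve(arg, exports)]
    if fn == "Fn::Split":
        separator, text = resolve(arg, exports)
        return text.split(separator)
    if fn == "Fn::Select":
        index, items = resolve(arg, exports)
        return items[int(index)]
    raise ValueError(f"unsupported intrinsic: {fn}")


def strip_random_suffix(resource_name):
    """Drop the '-' plus six characters that Secrets Manager appends in a complete ARN."""
    return re.sub(r"-[A-Za-z0-9]{6}$", "", resource_name)


def deployed_secret_id(expr=SECRET_ID_EXPR, exports=EXPORTS):
    """Value the Glue connection's SECRET_ID property receives once the stack deploys."""
    return resolve(expr, exports)


if __name__ == "__main__":
    value = deployed_secret_id()
    print("SECRET_ID at deploy time:", value)
    print("Bare secret name:        ", strip_random_suffix(value))
```
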