
aws-docdbelastic: No parameter to pass Secret ARN #28935

Closed
Exter-dg opened this issue Jan 31, 2024 · 4 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@Exter-dg

Exter-dg commented Jan 31, 2024

Describe the bug

I am trying to create an elastic document db cluster using CDK. This is the construct for the same - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_docdbelastic.CfnCluster.html#shardcount.

It mentions that authType should be either SECRET_ARN or PLAIN_TEXT. It doesn't clarify what that means, and neither does the CloudFormation documentation. I assumed that PLAIN_TEXT is supposed to be used when I pass my password as plain text in the adminUserPassword property.

How does SECRET_ARN work? If my authType is SECRET_ARN, where do I pass my secret ARN and how do I create it? Do I pass the arn in the adminUserPassword field only? or do I pass the secret name? In either case, the adminUserPassword has a character limit of 100 characters.

Also, even though adminUserPassword is listed as an optional field in the CDK documentation and a conditional field in the CloudFormation documentation, when I don't pass it, it throws an error.

Expected Behavior

There should be a property to send secret arn

Current Behavior

Only password property present.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { aws_docdbelastic } from 'aws-cdk-lib';

const secret = new cdk.aws_secretsmanager.Secret(this, 'DocDbSecret', {
  description: "Secret for docDb cluster",
  secretName: "docDbSecret",
});

const elasticCluster = new aws_docdbelastic.CfnCluster(this, 'elasticCluster', {
  adminUserName: 'myAdmin',
  adminUserPassword: secret.secretArn, // Should we pass secret here? if yes how?
  authType: 'SECRET_ARN',
  clusterName: 'myCluster',
  shardCapacity: 2,
  shardCount: 2,
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.108.1

Framework Version

No response

Node.js Version

v20.8.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@Exter-dg Exter-dg added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2024
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Jan 31, 2024
@pahud
Contributor

pahud commented Jan 31, 2024

I checked the following links but unfortunately I can't find detailed documentation about the usage.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdbelastic-cluster.html#cfn-docdbelastic-cluster-authtype

https://docs.aws.amazon.com/documentdb/latest/developerguide/API_elastic_CreateCluster.html#documentdb-elastic_CreateCluster-request-authType

I would suggest you create a username / password in AWS Secrets Manager Secret and pass the secret ARN to this property.

Also, I will submit an internal ticket to the relevant team to improve the document.

Let me know if it works for you. Thank you.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2024
@Exter-dg
Author

Exter-dg commented Jan 31, 2024

I would suggest you create a username / password in AWS Secrets Manager Secret and pass the secret ARN to this property.

Which property should I pass the ARN into? authType? If I omit adminUserPassword, it throws a property missing error.

import * as cdk from 'aws-cdk-lib';
import { aws_docdbelastic as docdbelastic } from 'aws-cdk-lib';

const secret = new cdk.aws_secretsmanager.Secret(this, 'DocDbSecret', {
  description: "Secret for docDb cluster",
  secretName: "docDbSecret",
  generateSecretString: {
    excludeCharacters: '"@\/'
  }
});

const elasticCluster = new docdbelastic.CfnCluster(this, 'elasticCluster', {
  adminUserName: 'academyadmin',
  authType: secret.secretArn, // ARN passed here, adminUserPassword omitted: produces the error below
  clusterName: 'academy-ana-test',
  shardCapacity: 2,
  shardCount: 2,
});

This throws an error:
Resource handler returned message: "Invalid request provided: required key [AdminUserPassword] not found" (RequestToken: 86ab45e3-a2eb-decc-f6a1-8adc279b74be, HandlerErrorCode: InvalidRequest)

@Exter-dg Exter-dg changed the title (aws_docdbelastic): (No parameter to pass Secret ARN) aws_docdbelastic: No parameter to pass Secret ARN Feb 1, 2024
@ssenchenko

ssenchenko commented Feb 8, 2024

TL;DR: Your own example in the ticket description should work.

Have you tried it?

Explanation and possible pitfalls

CDK classes whose names start with Cfn* mirror CloudFormation resources.

In a CloudFormation template you would do something like:

Resources:
  SecretAdminUserPassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      # I advise against putting it in your CloudFormation template or CDK code like that
      # here it's for example purposes only
      SecretString: 'dbadmin123'

  MyClaster:
    Type: AWS::DocDBElastic::Cluster
    Properties:
      AdminUserName: "ClasterAdmin"
      AdminUserPassword: !Ref SecretAdminUserPassword
      AuthType: SECRET_ARN
      ...

In CDK, if you're using the aws_secretsmanager.Secret construct, secretArn should work instead of !Ref in a CloudFormation template. If you're using aws_secretsmanager.CfnSecret, use the ref property.

However, there might be a catch. According to the AWS::DocDBElastic::Cluster doc, AuthUserPassword property does not allow forward slashes (/). And Secret ARN can have forward slashes in the path. I don't know if the service team applies validation rules based on AuthType (though it'd be expected), so if you have problems with your Secret ARN, make sure that your path doesn't have forward slashes.

P.S.

It's not a CDK bug. More a lack of documentation and support from the service team.
Closing it for now but feel free to re-open if you have problems with related CDK constructs.
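The two constraints raised in this thread for the value placed in adminUserPassword (the 100-character limit from the issue description and the no-forward-slash rule from the comment above) can be checked before a deploy. Added example, not code from the issue or from aws-cdk; it assumes the 100-character limit applies to the ARN when authType is SECRET_ARN, and the ARNs are constructed placeholders.

```typescript
// Pre-deploy check for CfnCluster.adminUserPassword, based on the constraints
// discussed in this issue. Assumption: the 100-char limit also applies when the
// value is a Secrets Manager ARN (authType 'SECRET_ARN').

type AuthType = 'SECRET_ARN' | 'PLAIN_TEXT';

const MAX_LENGTH = 100;
// arn:partition:secretsmanager:region:account:secret:<name>-<suffix>
// The <name> part may itself contain forward slashes (e.g. "prod/docdb/admin").
const SECRET_ARN_RE = /^arn:[a-z-]+:secretsmanager:[a-z0-9-]+:\d{12}:secret:(.+)$/;

function checkAdminUserPassword(authType: AuthType, value: string): string[] {
  const problems: string[] = [];
  if (value.length > MAX_LENGTH) {
    problems.push(`value is ${value.length} chars, limit is ${MAX_LENGTH}`);
  }
  if (value.includes('/')) {
    // A slash in the secret name ends up in the ARN; pick a slash-free secretName.
    problems.push('value contains a forward slash');
  }
  if (authType === 'SECRET_ARN') {
    if (!SECRET_ARN_RE.test(value)) {
      problems.push('authType is SECRET_ARN but value is not a Secrets Manager ARN');
    }
  } else if (SECRET_ARN_RE.test(value)) {
    // An ARN with PLAIN_TEXT would be treated as the literal password.
    problems.push('authType is PLAIN_TEXT but value looks like a secret ARN');
  }
  return problems;
}

// Constructed sample ARNs: account id and suffix are placeholders, not real values.
const SAMPLE_OK = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:docDbSecret-AbCdEf';
const SAMPLE_SLASH = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/docdb/admin-AbCdEf';

console.log(checkAdminUserPassword('SECRET_ARN', SAMPLE_OK));     // []
console.log(checkAdminUserPassword('SECRET_ARN', SAMPLE_SLASH));  // one problem: forward slash
```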


github-actions bot commented Feb 8, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@Exter-dg Exter-dg changed the title aws_docdbelastic: No parameter to pass Secret ARN aws-docdbelastic: No parameter to pass Secret ARN Feb 14, 2024