
(aws-rds): grantConnect fails if Instance has secret and user not specified #26603


Description

@amrit073

I am trying to give a Lambda function made using cdk.aws_lambda_nodejs.NodejsFunction access to the RDS instance. If I do

dbInstance.grantConnect(converterLambdaFunc);

while bootstrapping, it fails saying

Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code

Expected Behavior

It should have bootstrapped successfully, allowing connection from lambda to rds.

Current Behavior

Error: Resolution error: Resolution error: Resolution error: Resolution error: Synthing a secret value to Resources/${Token[SmplDynamicStack-dev.pdfconverterlambda.ServiceRole.DefaultPolicy.Resource.LogicalID.839]}/Properties/policyDocument/Statement/0/Resource. Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code. Call 'secretValue.unsafeUnwrap()' if you understand and accept the risks..
Object creation stack:
  at stack traces disabled.
Object creation stack:
  at stack traces disabled..
    at SecretValue.resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/secret-value.js:1:3801)
    at RememberingTokenResolver.resolveToken (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1238)
    at RememberingTokenResolver.resolveToken (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:3924)
    at resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2510)
    at Object.resolve [as mapToken] (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:892)
    at TokenizedStringFragments.mapTokens (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1365)
    at RememberingTokenResolver.resolveString (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/resolvable.js:4:358)
    at RememberingTokenResolver.resolveString (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:4000)
    at resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:1816)
    at Object.resolve (/home/amrit/aws/smpl-dynamic-prod/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:892)

Reproduction Steps

To reproduce, make an RDS instance (imports added here for completeness; `vpc` and `DB_NAME` are defined elsewhere in the stack):

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as path from 'path';
import { Runtime } from 'aws-cdk-lib/aws-lambda';
import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';

    // Credentials come from a generated Secrets Manager secret; no DB user name is
    // written down anywhere in the stack code.
    const dbInstance = new rds.DatabaseInstance(this, "db-instance", {
      vpc,
      vpcSubnets: {
        subnetType: ec2.SubnetType.PUBLIC,
      },
      engine: rds.DatabaseInstanceEngine.postgres({
        version: rds.PostgresEngineVersion.VER_14,
      }),
      instanceType: ec2.InstanceType.of(
        ec2.InstanceClass.T3,
        ec2.InstanceSize.MICRO
      ),
      credentials: rds.Credentials.fromGeneratedSecret("dbuser"),
      multiAz: false,
      deletionProtection: false,
      databaseName: DB_NAME,
      publiclyAccessible: false,
      backupRetention: cdk.Duration.days(0),
    });

Make a Node.js Lambda function:

    const nodeJsFunctionProps = {
      runtime: Runtime.NODEJS_18_X,
      timeout: cdk.Duration.minutes(3),
      memorySize: 256,
    };
    const converterLambdaFunc = new NodejsFunction(this, "testfunc", {
      entry: path.join(__dirname, "../functions/converter.js"),
      ...nodeJsFunctionProps,
      functionName: 'testfunction',
    });

Grant connect to the Lambda (no DB user name passed, so it is taken from the instance secret):

    dbInstance.grantConnect(converterLambdaFunc);

Run:

npm run build
cdk bootstrap

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.89.0 (build 2ad6683)

Framework Version

No response

Node.js Version

v18.12.1

OS

Arch Linux

Language

Typescript

Language Version

tsc - version 4.8.4

Other information

No response
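The error above comes from CDK's synth-time guard against writing a secret-derived token into the CloudFormation template: the rds-db:connect resource ARN ends in the DB user name, and when `grantConnect` is called without a user name that name is read from the generated secret, so the whole ARN becomes a SecretValue and the policy document refuses to resolve. The following is an added example, not aws-cdk-lib code or the reporter's code: a small self-contained model of that guard and of the grant's resource ARN, showing why an explicit user name (assumed to be the optional second parameter of `grantConnect`) resolves while a secret-sourced name is refused. Region, account, resource id, the secret JSON and the statement path are constructed placeholders.

```typescript
// Added example (not aws-cdk-lib code): a minimal model of how a CDK-style
// synthesizer refuses to inline a secret-derived value into a policy document,
// and why passing the DB user name explicitly avoids the error in the issue.

// A "token" is a value that is only materialised at synth time.
interface Resolvable {
  resolve(): string;
}

// Models CDK's SecretValue guard: resolving inside a template throws unless
// the caller explicitly opted in with unsafeUnwrap().
class SecretValue implements Resolvable {
  private unwrapped = false;
  constructor(private readonly raw: string, private readonly path: string) {}

  // Explicit opt-in: the caller accepts that the value lands in the template.
  unsafeUnwrap(): string {
    this.unwrapped = true;
    return this.raw;
  }

  resolve(): string {
    if (!this.unwrapped) {
      throw new Error(
        `Synthing a secret value to ${this.path}. Using a SecretValue here risks exposing your secret.`
      );
    }
    return this.raw;
  }
}

// A plain string is safe to inline (a user name the stack author wrote down).
class PlainValue implements Resolvable {
  constructor(private readonly value: string) {}
  resolve(): string { return this.value; }
}

// Constructed stand-in for the generated RDS secret (not a real credential).
const GENERATED_SECRET = JSON.stringify({ username: 'dbuser', password: 'constructed-not-real' });

// Models secretValueFromJson(field): every field of a secret is itself secret,
// including the user name, not only the password.
function secretValueFromJson(secretJson: string, field: string, path: string): SecretValue {
  const parsed = JSON.parse(secretJson) as Record<string, string>;
  return new SecretValue(parsed[field], path);
}

// The IAM resource an rds-db:connect grant needs:
// arn:aws:rds-db:<region>:<account>:dbuser:<resource-id>/<db-user-name>
function rdsDbUserArn(region: string, account: string, resourceId: string, dbUser: Resolvable): string {
  return `arn:aws:rds-db:${region}:${account}:dbuser:${resourceId}/${dbUser.resolve()}`;
}

// Models grantConnect(grantee, dbUser?): with no user given, the name is read
// from the instance secret, which turns the policy resource into a secret token.
function grantConnectResource(opts: {
  region: string; account: string; resourceId: string;
  secretJson?: string; dbUser?: string; statementPath: string;
}): string {
  const user: Resolvable = opts.dbUser !== undefined
    ? new PlainValue(opts.dbUser)
    : secretValueFromJson(opts.secretJson ?? '{}', 'username', opts.statementPath);
  return rdsDbUserArn(opts.region, opts.account, opts.resourceId, user);
}

// Constructed, simplified form of the path the issue's error message points at.
const STATEMENT_PATH = 'Resources/ServiceRole.DefaultPolicy/Properties/policyDocument/Statement/0/Resource';

// Case 1: user name omitted -> synth is refused, as in the issue.
function synthWithoutUser(): string {
  try {
    grantConnectResource({ region: 'us-east-1', account: '123456789012', resourceId: 'db-EXAMPLE',
      secretJson: GENERATED_SECRET, statementPath: STATEMENT_PATH });
    return 'ok';
  } catch (e) {
    return (e as Error).message;
  }
}

// Case 2: user name passed explicitly -> plain string, the ARN resolves.
function synthWithUser(): string {
  return grantConnectResource({ region: 'us-east-1', account: '123456789012', resourceId: 'db-EXAMPLE',
    secretJson: GENERATED_SECRET, dbUser: 'dbuser', statementPath: STATEMENT_PATH });
}

console.log(synthWithoutUser());
console.log(synthWithUser());
```

The design point the guard enforces: a CloudFormation template is not a secret store (it is readable by anyone with cloudformation:GetTemplate and is often committed or logged), so anything derived from a Secrets Manager value must be either fetched at runtime or explicitly unwrapped by the author. Naming the DB user in the stack keeps only the non-secret part of the credential in the template.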
