berenddeboer / cdk-rds-sql Goto Github PK

Heya. 👋🙂

This project looks exactly like what I've been looking for and looks pretty high-quality too, with tests and all. 🙌

Thanks for the great work @berenddeboer. ❤️

When installing though, I discovered there are a few packages used which have known vulnerabilities. It'd be fantastic to get a new version released with those issues fixed. 🙏

# npm audit report

fast-xml-parser  <=4.2.3
Severity: high
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - https://github.com/advisories/GHSA-x3cc-x39p-42qx
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - https://github.com/advisories/GHSA-6w63-h3fj-q4vw
No fix available
node_modules/cdk-rds-sql/node_modules/fast-xml-parser
  @aws-sdk/client-sts  <=3.54.1 || 3.55.0 - 3.186.0 || 3.188.0 - 3.272.0
  Depends on vulnerable versions of fast-xml-parser
  node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-sts
    @aws-sdk/client-secrets-manager  3.12.0 - 3.272.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-secrets-manager
      cdk-rds-sql  *
      Depends on vulnerable versions of @aws-sdk/client-secrets-manager
      node_modules/cdk-rds-sql

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/cdk-rds-sql/node_modules/xml2js
  aws-sdk  <=2.1353.0
  Depends on vulnerable versions of xml2js
  node_modules/cdk-rds-sql/node_modules/aws-sdk

6 vulnerabilities (2 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

In case you haven't done so, maybe enabling "Dependabot security updates" in the repository settings can help make maintenance easier for you. 🎛️

Greetings from Berlin. 👋

The following line will log the password into the CloudWatch log for the Lambda handler:

This bundle source:

Another good option to have is:

sourcesContent: false,

And finally, this flag needs to be set to activate the source map output in the log:

fn.addEnvironment('NODE_OPTIONS', '--enable-source-maps')

Otherwise, error stack does not output the right refs.

See #8 for an example of the error message.

When creating an rds.DatabaseCluster and a Role with the option credentials: rds.Credentials.fromGeneratedSecret("my-username"),, the Lambda function returns the following error:

Received response status [FAILED] from custom resource. Message returned: database "my-username" does not exist

I believe this is happening because the database config when establishing a client uses event.ResourceProperties.Database. However, the Role custom resource doesn't define a Database property in its outputs to the handler. The default fallback for the pg.Client object is to use the username. For Aurora Postgres, the default database name is postgres and not the username.

To fix this, the custom resource should try to use the following for the value of ResourceProperties.Database:

• Check to see if cluster.defaultDatabaseName is set and use that value
• Use the default engine value of postgres for Postgres

The current implementation only works if credentials is not set on the rds.DatabaseCluster and it defaults to postgres, or if the generated username happens to also be postgres

It is not part of the @types/aws-lambda combo. It's an entirely different package, that does something else.

https://www.npmjs.com/package/aws-lambda

My request is rather a niche one, so I can see how this may not be desired.

I need an "escape hatch" and run some SQL before the role is created.

This is related to the following issue, where in QuickSight the new password encryption is not supported and needs to be downgraded:

https://stackoverflow.com/a/74527856/1566758

Basically, I need to run this, before role creation:

set password_encryption = 'md5';

This timeout value is low, especially for RDS Serverless v1, which can be sleeping and needs time to wake up.

I don't see any harm in setting this higher, as CloudFormation is slow.

This should be Database:

As that is what the handler expects:

Otherwise, an error is thrown:

{
    "errorType": "error",
    "errorMessage": "database \"root\" does not exist",
    "code": "3D000",
    "length": 89,
    "name": "error",
    "severity": "FATAL",
    "file": "postinit.c",
    "line": "921",
    "routine": "InitPostgres",
    "stack": [
        "error: database \"root\" does not exist",
        "    at Parser.parseErrorMessage (/var/task/index.js:22772:98)",
        "    at Parser.handlePacket (/var/task/index.js:22613:25)",
        "    at Parser.parse (/var/task/index.js:22537:34)",
        "    at Socket.<anonymous> (/var/task/index.js:22813:44)",
        "    at Socket.emit (node:events:513:28)",
        "    at addChunk (node:internal/streams/readable:315:12)",
        "    at readableAddChunk (node:internal/streams/readable:289:9)",
        "    at Socket.Readable.push (node:internal/streams/readable:228:10)",
        "    at TCP.onStreamRead (node:internal/stream_base_commons:190:23)"
    ]
}