berenddeboer / cdk-rds-sql
A CDK construct that allows creating roles and databases on an Aurora Serverless PostgreSQL cluster.
License: Apache License 2.0
Heya.
This project looks exactly like what I've been looking for and looks pretty high-quality too, with tests and all.
Thanks for the great work @berenddeboer. ❤️
When installing though, I discovered there are a few packages used which have known vulnerabilities. It'd be fantastic to get a new version released with those issues fixed.
npm audit
# npm audit report
fast-xml-parser <=4.2.3
Severity: high
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - https://github.com/advisories/GHSA-x3cc-x39p-42qx
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - https://github.com/advisories/GHSA-6w63-h3fj-q4vw
No fix available
node_modules/cdk-rds-sql/node_modules/fast-xml-parser
@aws-sdk/client-sts <=3.54.1 || 3.55.0 - 3.186.0 || 3.188.0 - 3.272.0
Depends on vulnerable versions of fast-xml-parser
node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-sts
@aws-sdk/client-secrets-manager 3.12.0 - 3.272.0
Depends on vulnerable versions of @aws-sdk/client-sts
node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-secrets-manager
cdk-rds-sql *
Depends on vulnerable versions of @aws-sdk/client-secrets-manager
node_modules/cdk-rds-sql
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/cdk-rds-sql/node_modules/xml2js
aws-sdk <=2.1353.0
Depends on vulnerable versions of xml2js
node_modules/cdk-rds-sql/node_modules/aws-sdk
6 vulnerabilities (2 moderate, 4 high)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
In case you haven't done so, maybe enabling "Dependabot security updates" in the repository settings can help make maintenance easier for you.
Greetings from Berlin.
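The audit report above mixes two kinds of entries: packages with an advisory against them (fast-xml-parser, xml2js) and packages that are only flagged because they depend on a vulnerable version (the AWS SDK clients and cdk-rds-sql itself). The script below, added here as an illustration and not part of cdk-rds-sql, triages the machine-readable form of the same report: it separates root-cause advisories from dependents, walks the dependency chain that makes the top-level package affected, and gates on a severity threshold. The embedded report is constructed to mirror the text report in the issue, and its shape follows npm's `audit --json` format (auditReportVersion 2) as an assumption; the function names are this example's own.

```javascript
// Added example (not code from cdk-rds-sql): triage an `npm audit --json` report.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// CONSTRUCTED sample mirroring the text report in the issue above.
// Shape assumed to follow npm audit JSON v2: an object `via` entry is an advisory
// against the package itself; a string names another vulnerable package it depends on.
const sampleAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "fast-xml-parser": {
      name: "fast-xml-parser", severity: "high", isDirect: false, fixAvailable: false,
      via: [
        { name: "fast-xml-parser", severity: "high", range: "<=4.2.3",
          title: "Prototype Pollution through tag or attribute name",
          url: "https://github.com/advisories/GHSA-x3cc-x39p-42qx" },
        { name: "fast-xml-parser", severity: "high", range: "<=4.2.3",
          title: "Regex Injection via Doctype Entities",
          url: "https://github.com/advisories/GHSA-6w63-h3fj-q4vw" },
      ],
      effects: ["@aws-sdk/client-sts"], range: "<=4.2.3",
      nodes: ["node_modules/cdk-rds-sql/node_modules/fast-xml-parser"],
    },
    "@aws-sdk/client-sts": {
      name: "@aws-sdk/client-sts", severity: "high", isDirect: false, fixAvailable: false,
      via: ["fast-xml-parser"], effects: ["@aws-sdk/client-secrets-manager"],
      range: "<=3.54.1 || 3.55.0 - 3.186.0 || 3.188.0 - 3.272.0",
      nodes: ["node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-sts"],
    },
    "@aws-sdk/client-secrets-manager": {
      name: "@aws-sdk/client-secrets-manager", severity: "high", isDirect: false, fixAvailable: false,
      via: ["@aws-sdk/client-sts"], effects: ["cdk-rds-sql"], range: "3.12.0 - 3.272.0",
      nodes: ["node_modules/cdk-rds-sql/node_modules/@aws-sdk/client-secrets-manager"],
    },
    "cdk-rds-sql": {
      name: "cdk-rds-sql", severity: "high", isDirect: true, fixAvailable: false,
      via: ["@aws-sdk/client-secrets-manager", "aws-sdk"], effects: [], range: "*",
      nodes: ["node_modules/cdk-rds-sql"],
    },
    xml2js: {
      name: "xml2js", severity: "moderate", isDirect: false, fixAvailable: true,
      via: [{ name: "xml2js", severity: "moderate", range: "<0.5.0",
              title: "xml2js is vulnerable to prototype pollution",
              url: "https://github.com/advisories/GHSA-776f-qx25-q3cc" }],
      effects: ["aws-sdk"], range: "<0.5.0",
      nodes: ["node_modules/cdk-rds-sql/node_modules/xml2js"],
    },
    "aws-sdk": {
      name: "aws-sdk", severity: "moderate", isDirect: false, fixAvailable: true,
      via: ["xml2js"], effects: ["cdk-rds-sql"], range: "<=2.1353.0",
      nodes: ["node_modules/cdk-rds-sql/node_modules/aws-sdk"],
    },
  },
};

// Packages with at least one advisory of their own; dependents are left out.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      fixAvailable: Boolean(v.fixAvailable),
      advisories: v.via.filter((x) => typeof x === "object").map((a) => a.url),
    }));
}

// Follow `effects` edges transitively: every package that is vulnerable only
// because it (eventually) depends on `name`, breadth-first, without repeats.
function dependentsOf(report, name) {
  const seen = new Set();
  const queue = [...(report.vulnerabilities[name]?.effects ?? [])];
  while (queue.length) {
    const next = queue.shift();
    if (seen.has(next)) continue;
    seen.add(next);
    queue.push(...(report.vulnerabilities[next]?.effects ?? []));
  }
  return [...seen];
}

// CI gate: fail when any root-cause advisory is at or above `threshold`.
// Dependents are not counted twice; the message says whether a fix exists.
function gate(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  const failing = rootCauses(report).filter((r) => SEVERITY_RANK[r.severity] >= min);
  return {
    pass: failing.length === 0,
    failing: failing.map(
      (r) => `${r.name} ${r.range} (${r.severity}, fix ${r.fixAvailable ? "available" : "not available"})`
    ),
  };
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("audit.json"))` from `npm audit --json > audit.json` to `gate`, and use `dependentsOf` to see which top-level dependency has to be bumped for each root cause.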
The following line will log the password into the CloudWatch log for the Lambda handler:
Line 254 in 2ee7dd1
This bundle source:
Line 68 in 2ee7dd1
Another good option to have is:
sourcesContent: false,
And finally, this flag needs to be set to activate the source map output in the log:
fn.addEnvironment('NODE_OPTIONS', '--enable-source-maps')
Otherwise, the error stack does not output the right refs.
See #8 for an example of the error message.
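The first point above is that the handler writes the password to CloudWatch Logs. A way to keep event logging without leaking credentials is to redact secret-bearing fields before the event is serialized. The code below is an added example, not code from cdk-rds-sql: the property names in the sample event (`Username`, `Password`, `PasswordArn`) are constructed, and the key patterns treated as sensitive are this example's assumption. It deep-copies the event so the handler still holds the real value for the database connection, and it leaves identifier-like keys such as `PasswordArn` readable, since an ARN is a reference to a secret rather than the secret itself.

```javascript
// Added example (not code from cdk-rds-sql): redact secrets from a CloudFormation
// custom-resource event before logging it.
const SENSITIVE_KEY_PATTERN = /password|passwd|secret|token|credential|api[_-]?key/i;
// Keys ending in "Arn" are references (assumption), not secret material.
const REFERENCE_KEY_PATTERN = /arn$/i;
const REDACTED = "[REDACTED]";

// Returns a deep copy of `value` with sensitive keys masked. The input is never
// mutated. A reference that was already visited is replaced by "[Circular]".
function redactForLog(value, extraKeys = [], seen = new WeakSet()) {
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]";
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, extraKeys, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    const sensitive =
      extraKeys.includes(key) ||
      (SENSITIVE_KEY_PATTERN.test(key) && !REFERENCE_KEY_PATTERN.test(key));
    out[key] = sensitive ? REDACTED : redactForLog(v, extraKeys, seen);
  }
  return out;
}

// What the handler should hand to console.log instead of the raw event.
function formatEventForLog(event) {
  return JSON.stringify(redactForLog(event));
}

// CONSTRUCTED sample event; ARNs are placeholders, not real resources.
const sampleEvent = {
  RequestType: "Create",
  ResourceProperties: {
    ServiceToken: "arn:aws:lambda:REGION:ACCOUNT:function:EXAMPLE",
    Resource: "role",
    Username: "my-username",
    Database: "postgres",
    PasswordArn: "arn:aws:secretsmanager:REGION:ACCOUNT:secret:EXAMPLE",
    Password: "constructed-sample-password",
  },
};
```

In the handler, `console.log(formatEventForLog(event))` replaces logging the event directly; the same helper can wrap error objects that echo connection parameters.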
When creating an rds.DatabaseCluster and a Role with the option credentials: rds.Credentials.fromGeneratedSecret("my-username"), the Lambda function returns the following error:
Received response status [FAILED] from custom resource. Message returned: database "my-username" does not exist
I believe this is happening because the database config when establishing a client uses event.ResourceProperties.Database. However, the Role custom resource doesn't define a Database property in its outputs to the handler. The default fallback for the pg.Client object is to use the username. For Aurora Postgres, the default database name is postgres and not the username.
To fix this, the custom resource should try to use the following for the value of ResourceProperties.Database:
1. cluster.defaultDatabaseName, if it is set, and use that value
2. postgres for Postgres
The current implementation only works if credentials is not set on the rds.DatabaseCluster and it defaults to postgres, or if the generated username happens to also be postgres.
Line 39 in 2ee7dd1
It is not part of the @types/aws-lambda combo. It's an entirely different package that does something else.
My request is rather a niche one, so I can see how this may not be desired.
I need an "escape hatch" to run some SQL before the role is created.
Line 86 in 2ee7dd1
This is related to the following issue, where in QuickSight the new password encryption is not supported and needs to be downgraded:
https://stackoverflow.com/a/74527856/1566758
Basically, I need to run this, before role creation:
set password_encryption = 'md5';
This timeout value is low, especially for RDS Serverless v1, which can be sleeping and needs time to wake up.
Line 261 in 2ee7dd1
I don't see any harm in setting this higher, as CloudFormation is slow.
This should be Database:
cdk-rds-sql/src/role.custom-resource.ts
Line 58 in 2ee7dd1
As that is what the handler expects:
Line 214 in 2ee7dd1
Otherwise, an error is thrown:
{
"errorType": "error",
"errorMessage": "database \"root\" does not exist",
"code": "3D000",
"length": 89,
"name": "error",
"severity": "FATAL",
"file": "postinit.c",
"line": "921",
"routine": "InitPostgres",
"stack": [
"error: database \"root\" does not exist",
" at Parser.parseErrorMessage (/var/task/index.js:22772:98)",
" at Parser.handlePacket (/var/task/index.js:22613:25)",
" at Parser.parse (/var/task/index.js:22537:34)",
" at Socket.<anonymous> (/var/task/index.js:22813:44)",
" at Socket.emit (node:events:513:28)",
" at addChunk (node:internal/streams/readable:315:12)",
" at readableAddChunk (node:internal/streams/readable:289:9)",
" at Socket.Readable.push (node:internal/streams/readable:228:10)",
" at TCP.onStreamRead (node:internal/stream_base_commons:190:23)"
]
}
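Both this issue and the earlier one about database "my-username" not existing come down to the same contract: the construct must put the database name under the `Database` property, and the handler must not let pg.Client default to the username when that property is absent. The code below is an added example, not code from cdk-rds-sql, showing both sides of that contract in one place: the construct side derives `Database` from the cluster's default database name or from the engine default (postgres for PostgreSQL, as the issue states), and the handler side refuses to connect when the property is missing instead of producing the 3D000 error above. `RoleName`, `buildResourceProperties`, `resolveDatabase` and the credentials object are this example's assumptions, and the sample inputs are constructed.

```javascript
// Added example (not code from cdk-rds-sql): keep the construct and the handler
// agreeing on ResourceProperties.Database so pg never falls back to the username.
const DEFAULT_DATABASE_BY_ENGINE = { postgres: "postgres" }; // from the issue text

// Construct side (assumed shape): what the Role custom resource should emit.
// Prefers the cluster's defaultDatabaseName, then the engine default.
function buildResourceProperties({ roleName, engine = "postgres", defaultDatabaseName }) {
  const database = defaultDatabaseName ?? DEFAULT_DATABASE_BY_ENGINE[engine];
  if (!database) throw new Error(`no default database known for engine "${engine}"`);
  return { Resource: "role", RoleName: roleName, Database: database };
}

// Handler side: pg.Client uses the connecting user as the database when
// `database` is undefined, which is exactly the failure in the error above.
// Fail early with a clear message instead.
function resolveDatabase(resourceProperties) {
  const db = resourceProperties.Database;
  if (typeof db !== "string" || db.length === 0) {
    throw new Error(
      "ResourceProperties.Database is missing or empty; refusing to fall back to the username"
    );
  }
  return db;
}

// Assembles the pg.Client config from the resource properties plus the
// credentials fetched from Secrets Manager (assumed field names).
function buildClientConfig(resourceProperties, credentials) {
  return {
    host: credentials.host,
    port: credentials.port,
    user: credentials.username,
    password: credentials.password,
    database: resolveDatabase(resourceProperties),
  };
}

// CONSTRUCTED inputs.
const sampleCredentials = {
  host: "cluster.example.internal",
  port: 5432,
  username: "my-username",
  password: "constructed-sample-password",
};
// A resource that used a different property name, as in the issue above.
const mismatchedProperties = { Resource: "role", RoleName: "root", DatabaseName: "postgres" };
```

With `buildResourceProperties` feeding `buildClientConfig`, the generated-username case connects to `postgres` (or the cluster's own default database), and `mismatchedProperties` is rejected by `resolveDatabase` before any connection is attempted.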