I am trying to create an Elastic Document DB cluster using AWS CDK. This is the L1 resource to achieve the same (sadly there is no L2 construct for Elastic doc db).
There is a property authType which accepts either PLAIN_TEXT or SECRET_ARN as values. The documentation doesn’t clarify what it means. Neither is the CloudFormation documentation clear. I am assuming that when the value is set to PLAIN_TEXT, we have to hardcode our password in our CDK code under the adminUserPassword field (which is not secure). So how to use the SECRET_ARN value? Where do I create and pass my AWS Secret?
The CDK documentation states that adminUserPassword is an optional field while the CloudFormation documentation states that it is a conditional field. But when I omit this field (regardless of the value of authType), CloudFormation throws an error that this field is missing.
This is what I tried:
import * as cdk from 'aws-cdk-lib';
import { aws_docdbelastic } from 'aws-cdk-lib';

// Secret created in Secrets Manager; its ARN is what we hope to hand to the cluster
const secret = new cdk.aws_secretsmanager.Secret(this, 'DocDbSecret', {
  description: "Secret for docDb cluster",
  secretName: "docDbSecret",
});

const elasticCluster = new aws_docdbelastic.CfnCluster(this, 'elasticCluster', {
  adminUserName: 'myAdmin',
  adminUserPassword: secret.secretArn, // Should we pass secret here? if yes how?
  authType: 'SECRET_ARN',
  clusterName: 'myCluster',
  shardCapacity: 2,
  shardCount: 2,
});
The Terraform resource also has the same confusion…
2 Answers
You can create a username / password in AWS Secrets Manager, with the username being the name of your secret.
You can then reference this ARN in the call.
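The wiring this answer describes, shown as an added example (not from the question or either answer) in the CloudFormation form that the CDK L1 CfnCluster and the Secret construct synthesize to. It assumes that with AuthType SECRET_ARN the AdminUserPassword property carries the secret's ARN rather than a password (the resource has no separate secret field), and, following the answer, stores the user name next to the generated password; VPC and subnet settings are assumed to be supplied elsewhere.

```yaml
# Added example, not the question's or the answers' own template.
Resources:
  DocDbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Admin credentials for the DocumentDB elastic cluster
      GenerateSecretString:
        # Keep the user name alongside the generated password (assumed layout)
        SecretStringTemplate: '{"username": "myAdmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # DocumentDB admin passwords must not contain / " or @
        ExcludeCharacters: '/"@'

  ElasticCluster:
    Type: AWS::DocDBElastic::Cluster
    Properties:
      ClusterName: myCluster
      AdminUserName: myAdmin
      # With SECRET_ARN the password property holds the secret's ARN
      # (Ref on a Secrets Manager secret returns its ARN), so no
      # plaintext password ever appears in the template or the CDK code.
      AuthType: SECRET_ARN
      AdminUserPassword: !Ref DocDbSecret
      ShardCapacity: 2
      ShardCount: 2
```

In CDK the same two resources are `secretsmanager.Secret` with `generateSecretString` and `aws_docdbelastic.CfnCluster` with `adminUserPassword: secret.secretArn`; `cdk synth` lets you confirm the output matches this template before deploying.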
Why don’t you use the L2 opensearch.Domain? Then you can specify the engine to be elastic: opensearch.EngineVersion.ELASTICSEARCH_7_10. But to answer your question exactly, you need to tell CDK to parse the secret value as a string.
Will result in this: