

fix: retry getting secret as IAM caching can fail just updated policies
dnz-bdeboer committed Mar 2, 2024
1 parent 0dbb680 commit 0fab79d
Showing 6 changed files with 41 additions and 4 deletions.
8 changes: 8 additions & 0 deletions .projen/deps.json


3 changes: 2 additions & 1 deletion .projenrc.ts
Expand Up @@ -35,13 +35,14 @@ const project = new awscdk.AwsCdkConstructLibrary({
gitignore: tmpDirectories,
npmignore: tmpDirectories,
docgen: false,
deps: [],
deps: ["exponential-backoff"],
bundledDeps: [
"aws-lambda",
"@aws-sdk/client-secrets-manager",
"pg",
"node-pg-format",
"ms",
"exponential-backoff",
"source-map-support",
],
devDeps: ["@types/ms", "@types/pg", "@types/aws-lambda", "testcontainers", "esbuild"],
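Review bot: `exponential-backoff` is now listed in both `deps` and `bundledDeps`; projen adds bundled dependencies to the `dependencies` section automatically, so the new `deps` entry is likely redundant and the two lists can drift if they are ever pinned differently. If listing it in both is intentional, a short comment next to `deps` saying why would keep the next reader from removing one of them.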
13 changes: 13 additions & 0 deletions package-lock.json


2 changes: 2 additions & 0 deletions package.json


18 changes: 15 additions & 3 deletions src/handler.ts
@@ -1,12 +1,14 @@
import {
SecretsManagerClient,
GetSecretValueCommand,
GetSecretValueCommandOutput,
} from "@aws-sdk/client-secrets-manager"
import {
CloudFormationCustomResourceCreateEvent,
CloudFormationCustomResourceUpdateEvent,
CloudFormationCustomResourceDeleteEvent,
} from "aws-lambda"
import { backOff } from "exponential-backoff"
import { format } from "node-pg-format"
import { Client } from "pg"
import { RdsSqlResource } from "./enum"
Expand Down Expand Up @@ -219,12 +221,23 @@ export const handler = async (
}

const secrets_client = new SecretsManagerClient({})

const command = new GetSecretValueCommand({
SecretId: event.ResourceProperties.SecretArn,
})
const secret = await secrets_client.send(command)
// As the IAM credentials can be cached, an update makde very recent
// could not yet be available.
// So we retry this a bit.
const secret: GetSecretValueCommandOutput = await backOff(
async () => {
return secrets_client.send(command)
},
{
numOfAttempts: 3,
startingDelay: 500,
}
)
if (!secret.SecretString) throw "No secret string"

const secretValues = JSON.parse(secret.SecretString)

let sql: string | string[] | void
Expand All @@ -243,7 +256,6 @@ export const handler = async (
break
}
case "Delete": {
console.debug("!!!!!!!!!! DELETE", event)
sql = jumpTable[resource][requestType](resourceId, event.ResourceProperties)
break
}
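Review bot: The `backOff` call at the new `const secret` assignment retries every rejection from `secrets_client.send`, so permanent failures such as a nonexistent secret or a malformed `SecretArn` are also attempted three times before they surface, while the IAM-propagation case the comment describes typically arrives as an `AccessDeniedException`. Scope the retry with a predicate in the options, e.g. `retry: (e: unknown) => e instanceof Error && e.name === "AccessDeniedException",`, so other errors fail fast and are easier to diagnose from the logs. With `numOfAttempts: 3` and `startingDelay: 500` the total wait is roughly 1.5 s at the library's default multiplier, which may be shorter than IAM eventual consistency takes in practice, so it is worth confirming against the failures that motivated the change. Minor: the comment typo "makde" should read "made", and the wrapper `async () => { return secrets_client.send(command) }` can be simply `() => secrets_client.send(command)`. The enclosing `handler` function starts and ends outside this hunk.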
1 change: 1 addition & 0 deletions src/role.ts
Expand Up @@ -105,5 +105,6 @@ export class Role extends Construct {
// It seems we need to grant explicit permission
this.secret.encryptionKey.grantDecrypt(props.provider.handler)
}
props.provider.handler.node.addDependency(this.secret)
}
}
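Review bot: The new `props.provider.handler.node.addDependency(this.secret)` orders the shared provider function after the secret resource, but the race the commit title describes is with the just-granted IAM policy, and a dependency on the secret does not cover the policy statements that `grantDecrypt` (or any read grant on the secret) creates. `grantDecrypt` returns an `iam.Grant` that can serve as the ordering anchor: `const grant = this.secret.encryptionKey.grantDecrypt(props.provider.handler)` followed by `grant.applyBefore(customResource)`, where the custom resource that invokes the handler is presumably created outside this hunk. Because the handler is shared by every `Role` instance, adding to its node also accumulates one dependency per secret on a single function, so if the line stays it deserves a comment stating the intended ordering, e.g. `// Ensure the secret exists before the provider handler is created`. The enclosing constructor and class start outside this hunk.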
