CDK and the tale of the removed secret


I have a CDK script that uses a secret as part of the script. Works pretty well:

import { SecretValue } from 'aws-cdk-lib';           // assumes CDK v2 import paths
import * as ssm from 'aws-cdk-lib/aws-ssm';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

// inside the Stack constructor
const PARAM_PREFIX = '/autofrog-ha-skill';
const alexaVendorId = ssm.StringParameter.valueForStringParameter(this, `${PARAM_PREFIX}/alexa-developer-vendor-id`);
const lwaClientId = ssm.StringParameter.valueForStringParameter(this, `${PARAM_PREFIX}/lwa-client-id`);

// The secret is created outside the stack; each field resolves at deploy time as a dynamic reference.
const secret = Secret.fromSecretNameV2(this, 'secrets', `${PARAM_PREFIX}/secrets`);
const lwaClientSecret = SecretValue.secretsManager(secret.secretArn, { jsonField: 'lwa_client_secret' });
const lwaRefreshToken = SecretValue.secretsManager(secret.secretArn, { jsonField: 'lwa_refresh_token' });

but I wanted to rename the secret, which necessarily lives outside of CloudFormation. I cancelled the secret under the old name and created a new secret under the new name, then tried to do an update:

You can't perform this operation on the secret because it was marked for deletion.
(Service: AWSSecretsManager; Status Code: 400; Error Code: InvalidRequestException

Not good! I'm experienced with CDK so I know not to go manually touching things that are part of the stack. In this case, though, I didn't think there would be any reason why updating the stack would make it want to touch or see the old secret.

I was able to fix the problem by restoring the cancelled secrets then doing an update. Then I went back and deleted the old secrets and CDK was happy again. I still think the hardest part of CloudFormation and CDK is this kind of thing, where you get your stack into a situation where it can't be updated because it's out of sync.

In this case, it's the [cdk-alexa-skill](https://github.com/aws-samples/cdk-alexa-skill) resource trying to access the old secret in order to update the skill. Does anybody have any idea why it would be trying to do that?

asked a year ago, 157 views
2 Answers

Hi

The stack is DRIFTED, and is out of sync due to the out-of-band changes that were made when the secret was manually touched.

Please run a drift detection in the CloudFormation console, and check the drift results to see the differences.

Check whether the old secret is still referenced in the template; if it is, please replace it with the new secret name.

Alternatively please open an issue with the alexa skill team https://github.com/aws-samples/cdk-alexa-skill or a support case with AWS Premium Support

AWS
answered a year ago
  • That's ok, I fixed it by just deleting everything. Question though, if something is drifted, is your recourse to try to manually set it back to the way it was originally?
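The first answer's advice, checking whether the old secret is still referenced in the template, can be done against the `cdk synth` output rather than by eye. The following TypeScript is an added example, not code from the question or from cdk-alexa-skill: it walks a CloudFormation template, collects every `{{resolve:secretsmanager:...}}` dynamic reference and every bare Secrets Manager ARN, and filters them by secret name. The `Custom::AlexaSkill` resource type, the logical IDs and the sample template are constructed for illustration, and the rule that a full secret ARN ends in a hyphen plus six random characters that a name-based reference omits is an assumption the matcher relies on.

```typescript
// Added example (not from the question or cdk-alexa-skill): find every string in a
// synthesized CloudFormation template that names a Secrets Manager secret, so you can
// see who still points at a secret before scheduling it for deletion.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

interface SecretRef {
  path: string;              // location in the template, e.g. Resources.X.Properties.Y
  secretId: string;          // ARN or name exactly as written in the template
  jsonField?: string;        // json-key of a dynamic reference, if present
  kind: 'dynamic' | 'arn';
}

// {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
// secret-id is usually an ARN and contains ':' itself, so split on the fixed
// ':SecretString' keyword instead of on every colon.
function parseDynamicRef(body: string): { secretId: string; jsonField?: string } {
  const kw = ':SecretString';
  const i = body.indexOf(kw);
  if (i < 0) return { secretId: body };                 // malformed: keep the whole body
  const tail = body.slice(i + kw.length).split(':');    // ['', json-key, version-stage, version-id]
  return { secretId: body.slice(0, i), jsonField: tail[1] || undefined };
}

function scanString(s: string, path: string, out: SecretRef[]): void {
  const dyn = /\{\{resolve:secretsmanager:([^}]+)\}\}/g;
  let m: RegExpExecArray | null;
  while ((m = dyn.exec(s)) !== null) {
    const p = parseDynamicRef(m[1]);
    out.push({ path, secretId: p.secretId, jsonField: p.jsonField, kind: 'dynamic' });
  }
  // Bare ARNs (e.g. an IAM policy Resource). Dynamic references are removed first so the
  // ARN inside one is not counted twice. ARNs split across Fn::Join parts are not found.
  const rest = s.replace(/\{\{resolve:secretsmanager:[^}]+\}\}/g, '');
  const arn = /arn:[a-z-]+:secretsmanager:[a-z0-9-]*:\d*:secret:[^\s"'{}]+/g;
  while ((m = arn.exec(rest)) !== null) {
    out.push({ path, secretId: m[0], kind: 'arn' });
  }
}

function walk(node: Json, path: string, out: SecretRef[]): void {
  if (typeof node === 'string') {
    scanString(node, path, out);
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const k of Object.keys(node)) walk(node[k], path ? `${path}.${k}` : k, out);
  }
}

function findSecretReferences(template: Json): SecretRef[] {
  const out: SecretRef[] = [];
  walk(template, '', out);
  return out;
}

// A secret's name is the part of its ARN after ':secret:'. Assumption used here: a full
// ARN additionally carries a '-' plus 6 random characters that name-based references omit.
function secretNameOf(id: string): string {
  const i = id.indexOf(':secret:');
  return i >= 0 ? id.slice(i + ':secret:'.length) : id;
}
function stripSuffix(n: string): string {
  return n.replace(/-[A-Za-z0-9]{6}$/, '');
}
function sameSecret(refId: string, target: string): boolean {
  const a = secretNameOf(refId);
  const b = secretNameOf(target);
  return a === b || stripSuffix(a) === b || a === stripSuffix(b);
}

// All references to one secret, given by name, partial ARN or full ARN.
function referencesTo(template: Json, secret: string): SecretRef[] {
  return findSecretReferences(template).filter(r => sameSecret(r.secretId, secret));
}

// Constructed sample of what `cdk synth` might emit for a stack like the one in the
// question; the custom resource type and logical IDs are invented.
const SECRET_ARN = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:/autofrog-ha-skill/secrets';
const TEMPLATE: Json = {
  Parameters: {
    VendorIdParam: { Type: 'AWS::SSM::Parameter::Value<String>', Default: '/autofrog-ha-skill/alexa-developer-vendor-id' },
  },
  Resources: {
    AlexaSkill: {
      Type: 'Custom::AlexaSkill',
      Properties: {
        ServiceToken: { 'Fn::GetAtt': ['SkillProvider', 'Arn'] },
        VendorId: { Ref: 'VendorIdParam' },
        ClientSecret: `{{resolve:secretsmanager:${SECRET_ARN}:SecretString:lwa_client_secret::}}`,
        RefreshToken: `{{resolve:secretsmanager:${SECRET_ARN}:SecretString:lwa_refresh_token::}}`,
      },
    },
    SkillProviderPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Statement: [{ Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: `${SECRET_ARN}-AbCdEf` }],
        },
      },
    },
  },
};

for (const r of referencesTo(TEMPLATE, '/autofrog-ha-skill/secrets')) {
  console.log(`${r.path}: ${r.kind}${r.jsonField ? ' (' + r.jsonField + ')' : ''} -> ${r.secretId}`);
}
```

Run it against `cdk.out/<Stack>.template.json` after `cdk synth` with the old secret name as the argument: an empty result means the template no longer carries the old identifier, and the update should not need to see that secret. Note that a `Ref` or `Fn::GetAtt` to a secret defined in the same stack appears as a logical ID, not an ARN, so this scan is only for secrets that live outside the stack, as in the question.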


Hi

There are various ways to resolve a DRIFT. You can resolve a DRIFT with an import operation; more details are found here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html

Or you can update the CloudFormation template to match the configuration of the resource in the AWS resource console.

Or you can manually update the resource in console to match the old configuration in the CloudFormation template, then update the stack with the new configuration

AWS
answered a year ago
