Cloudformation support for Secrets Manager Integration

aws-redshift-cluster/aws-redshift-cluster.json

@@ -67,7 +67,7 @@
             "maxLength": 128
         },
         "MasterUserPassword": {
-            "description": "The password associated with the master user account for the cluster that is being created. Password must be between 8 and 64 characters in length, should have at least one uppercase letter.Must contain at least one lowercase letter.Must contain one number.Can be any printable ASCII character.",
+            "description": "The password associated with the master user account for the cluster that is being created. You can't use MasterUserPassword if ManageMasterPassword is true. Password must be between 8 and 64 characters in length, should have at least one uppercase letter.Must contain at least one lowercase letter.Must contain one number.Can be any printable ASCII character.",
             "type": "string",
             "maxLength": 64
         },
@@ -281,6 +281,18 @@
         "NamespaceResourcePolicy": {
             "description": "The namespace resource policy document that will be attached to a Redshift cluster.",
             "type": "object"
+        },
+        "ManageMasterPassword": {
+            "description": "A boolean indicating if the redshift cluster's admin user credentials is managed by Redshift or not. You can't use MasterUserPassword if ManageMasterPassword is true. If ManageMasterPassword is false or not set, Amazon Redshift uses MasterUserPassword for the admin user account's password.",
+            "type": "boolean"
+        },
+        "MasterPasswordSecretKmsKeyId": {
+            "description": "The ID of the Key Management Service (KMS) key used to encrypt and store the cluster's admin user credentials secret.",
+            "type": "string"
+        },
+        "MasterPasswordSecretArn": {
+            "description": "The Amazon Resource Name (ARN) for the cluster's admin user credentials secret.",
+            "type": "string"
         }
     },
     "additionalProperties": false,
@@ -297,7 +309,8 @@
         "/properties/DeferMaintenanceIdentifier",
         "/properties/Endpoint/Port",
         "/properties/Endpoint/Address",
-        "/properties/ClusterNamespaceArn"
+        "/properties/ClusterNamespaceArn",
+        "/properties/MasterPasswordSecretArn"
     ],
     "createOnlyProperties": [
         "/properties/ClusterIdentifier",
@@ -313,7 +326,8 @@
         "/properties/Classic",
         "/properties/SnapshotIdentifier",
         "/properties/DeferMaintenance",
-        "/properties/DeferMaintenanceDuration"
+        "/properties/DeferMaintenanceDuration",
+        "/properties/ManageMasterPassword"
     ],
     "tagging": {
         "taggable": true

aws-redshift-cluster/docs/README.md

@@ -61,7 +61,9 @@ To declare this entity in your AWS CloudFormation template, use the following sy
         "<a href="#resourceaction" title="ResourceAction">ResourceAction</a>" : <i>String</i>,
         "<a href="#rotateencryptionkey" title="RotateEncryptionKey">RotateEncryptionKey</a>" : <i>Boolean</i>,
         "<a href="#multiaz" title="MultiAZ">MultiAZ</a>" : <i>Boolean</i>,
-        "<a href="#namespaceresourcepolicy" title="NamespaceResourcePolicy">NamespaceResourcePolicy</a>" : <i>Map</i>
+        "<a href="#namespaceresourcepolicy" title="NamespaceResourcePolicy">NamespaceResourcePolicy</a>" : <i>Map</i>,
+        "<a href="#managemasterpassword" title="ManageMasterPassword">ManageMasterPassword</a>" : <i>Boolean</i>,
+        "<a href="#masterpasswordsecretkmskeyid" title="MasterPasswordSecretKmsKeyId">MasterPasswordSecretKmsKeyId</a>" : <i>String</i>,
     }
 }
 </pre>
@@ -125,6 +127,8 @@ Properties:
     <a href="#rotateencryptionkey" title="RotateEncryptionKey">RotateEncryptionKey</a>: <i>Boolean</i>
     <a href="#multiaz" title="MultiAZ">MultiAZ</a>: <i>Boolean</i>
     <a href="#namespaceresourcepolicy" title="NamespaceResourcePolicy">NamespaceResourcePolicy</a>: <i>Map</i>
+    <a href="#managemasterpassword" title="ManageMasterPassword">ManageMasterPassword</a>: <i>Boolean</i>
+    <a href="#masterpasswordsecretkmskeyid" title="MasterPasswordSecretKmsKeyId">MasterPasswordSecretKmsKeyId</a>: <i>String</i>
 </pre>
 
 ## Properties
@@ -155,7 +159,7 @@ _Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/l
 
 #### MasterUserPassword
 
-The password associated with the master user account for the cluster that is being created. Password must be between 8 and 64 characters in length, should have at least one uppercase letter.Must contain at least one lowercase letter.Must contain one number.Can be any printable ASCII character.
+The password associated with the master user account for the cluster that is being created. You can't use MasterUserPassword if ManageMasterPassword is true. Password must be between 8 and 64 characters in length, should have at least one uppercase letter.Must contain at least one lowercase letter.Must contain one number.Can be any printable ASCII character.
 
 _Required_: No
 
@@ -646,6 +650,26 @@ _Type_: Map
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### ManageMasterPassword
+
+A boolean indicating if the redshift cluster's admin user credentials is managed by Redshift or not. You can't use MasterUserPassword if ManageMasterPassword is true. If ManageMasterPassword is false or not set, Amazon Redshift uses MasterUserPassword for the admin user account's password.
+
+_Required_: No
+
+_Type_: Boolean
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
+#### MasterPasswordSecretKmsKeyId
+
+The ID of the Key Management Service (KMS) key used to encrypt and store the cluster's admin user credentials secret.
+
+_Required_: No
+
+_Type_: String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 ## Return Values
 
 ### Ref
@@ -673,3 +697,7 @@ Returns the <code>Address</code> value.
 #### ClusterNamespaceArn
 
 The Amazon Resource Name (ARN) of the cluster namespace.
+
+#### MasterPasswordSecretArn
+
+The Amazon Resource Name (ARN) for the cluster's admin user credentials secret.

aws-redshift-cluster/pom.xml

@@ -23,7 +23,7 @@
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>redshift</artifactId>
-            <version>2.21.37</version>
+            <version>2.21.44</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/software.amazon.cloudformation/aws-cloudformation-rpdk-java-plugin -->
         <dependency>

aws-redshift-cluster/src/main/java/software/amazon/redshift/cluster/BaseHandlerStd.java

@@ -3,6 +3,8 @@
 import com.amazonaws.util.CollectionUtils;
 import com.amazonaws.util.StringUtils;
 import com.google.common.collect.Sets;
+
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import software.amazon.awssdk.services.redshift.RedshiftClient;
 import software.amazon.awssdk.services.redshift.model.AquaConfiguration;
@@ -204,10 +206,16 @@ protected boolean issueModifyClusterMaintenanceRequest(ResourceModel model) {
               ObjectUtils.allNotNull(model.getDeferMaintenanceIdentifier());
   }
 
-  // check for required parameters to not have null values
   protected boolean invalidCreateClusterRequest(ResourceModel model) {
-    return model.getClusterIdentifier() == null || model.getNodeType() == null
-            || model.getMasterUsername() == null || model.getMasterUserPassword() == null;
+    // check for required parameters to not have null values
+    boolean isInvalid = model.getClusterIdentifier() == null || model.getNodeType() == null
+        || model.getMasterUsername() == null;
+
+    // check if either MasterUserPassword is provided or ManageMasterPassword is true
+    if (model.getMasterUserPassword() == null) {
+      return !BooleanUtils.isTrue(model.getManageMasterPassword()) || isInvalid;
+    }
+    return isInvalid;
   }
 
   protected boolean issueModifyClusterParameterGroupRequest(ResourceModel prevModel, ResourceModel model) {

aws-redshift-cluster/src/main/java/software/amazon/redshift/cluster/Translator.java

@@ -114,6 +114,8 @@ static CreateClusterRequest translateToCreateRequest(final ResourceModel model,
             .enhancedVpcRouting(model.getEnhancedVpcRouting())
             .maintenanceTrackName(model.getMaintenanceTrackName())
             .multiAZ(model.getMultiAZ())
+            .manageMasterPassword(model.getManageMasterPassword())
+            .masterPasswordSecretKmsKeyId(model.getMasterPasswordSecretKmsKeyId())
             .build();
   }
 
@@ -593,6 +595,17 @@ static ResourceModel translateFromReadResponse(final DescribeClustersResponse aw
             .findAny()
             .orElse(null);
 
+    final String masterPasswordSecretArn = streamOfOrEmpty(awsResponse.clusters())
+            .map(software.amazon.awssdk.services.redshift.model.Cluster::masterPasswordSecretArn)
+            .filter(Objects::nonNull)
+            .findAny()
+            .orElse(null);
+
+    final String masterPasswordSecretKmsKeyId = streamOfOrEmpty(awsResponse.clusters())
+            .map(software.amazon.awssdk.services.redshift.model.Cluster::masterPasswordSecretKmsKeyId)
+            .filter(Objects::nonNull)
+            .findAny()
+            .orElse(null);
 
     return ResourceModel.builder()
             .clusterIdentifier(clusterIdentifier)
@@ -634,6 +647,8 @@ static ResourceModel translateFromReadResponse(final DescribeClustersResponse aw
             .deferMaintenanceIdentifier(translateDeferMaintenanceIdentifierFromSdk(deferMaintenanceWindows))
             .deferMaintenanceStartTime(translateDeferMaintenanceStartTimeFromSdk(deferMaintenanceWindows))
             .deferMaintenanceEndTime(translateDeferMaintenanceEndTimeFromSdk(deferMaintenanceWindows))
+            .masterPasswordSecretArn(masterPasswordSecretArn)
+            .masterPasswordSecretKmsKeyId(masterPasswordSecretKmsKeyId)
             .build();
   }
 
@@ -683,7 +698,7 @@ static String finalClusterSnapshotIdentifierBuilder(String clusterIdentifier, bo
   static ModifyClusterRequest translateToUpdateRequest(final ResourceModel model, final ResourceModel prevModel) {
     ModifyClusterRequest modifyClusterRequest =  ModifyClusterRequest.builder()
             .clusterIdentifier(model.getClusterIdentifier())
-            .masterUserPassword(model.getMasterUserPassword().equals(prevModel.getMasterUserPassword()) ? null : model.getMasterUserPassword())
+            .masterUserPassword(model.getMasterUserPassword() == null || model.getMasterUserPassword().equals(prevModel.getMasterUserPassword()) ? null : model.getMasterUserPassword())
             .allowVersionUpgrade(model.getAllowVersionUpgrade() == null || model.getAllowVersionUpgrade().equals(prevModel.getAllowVersionUpgrade()) ? null : model.getAllowVersionUpgrade())
             .automatedSnapshotRetentionPeriod(model.getAutomatedSnapshotRetentionPeriod() == null || model.getAutomatedSnapshotRetentionPeriod().equals(prevModel.getAutomatedSnapshotRetentionPeriod()) ? null : model.getAutomatedSnapshotRetentionPeriod())
             //.clusterParameterGroupName(model.getClusterParameterGroupName() == null || model.getClusterParameterGroupName().equals(prevModel.getClusterParameterGroupName()) ? null : model.getClusterParameterGroupName())
@@ -706,6 +721,8 @@ static ModifyClusterRequest translateToUpdateRequest(final ResourceModel model,
             .maintenanceTrackName(model.getMaintenanceTrackName() == null || model.getMaintenanceTrackName().equals(prevModel.getMaintenanceTrackName()) ? null : model.getMaintenanceTrackName())
             .enhancedVpcRouting(model.getEnhancedVpcRouting() == null || model.getEnhancedVpcRouting().equals(prevModel.getEnhancedVpcRouting()) ? null : model.getEnhancedVpcRouting())
             .multiAZ(model.getMultiAZ() == null || model.getMultiAZ().equals(prevModel.getMultiAZ()) ? null : model.getMultiAZ())
+            .manageMasterPassword(model.getManageMasterPassword())
+            .masterPasswordSecretKmsKeyId(model.getMasterPasswordSecretKmsKeyId() == null || model.getMasterPasswordSecretKmsKeyId().equals(prevModel.getMasterPasswordSecretKmsKeyId()) ? null : model.getMasterPasswordSecretKmsKeyId())
             .build();
 
     return modifyClusterRequest;
@@ -877,6 +894,8 @@ static RestoreFromClusterSnapshotRequest translateToRestoreFromClusterSnapshotRe
             .numberOfNodes(model.getNumberOfNodes())
             .encrypted(model.getEncrypted())
             .multiAZ(model.getMultiAZ())
+            .manageMasterPassword(model.getManageMasterPassword())
+            .masterPasswordSecretKmsKeyId(model.getMasterPasswordSecretKmsKeyId())
             .build();
   }
 

aws-redshift-cluster/src/main/java/software/amazon/redshift/cluster/UpdateHandler.java

@@ -137,7 +137,9 @@ public class UpdateHandler extends BaseHandlerStd {
             "PreferredMaintenanceWindow",
             "PubliclyAccessible",
             "VpcSecurityGroupIds",
-            "MultiAZ"
+            "MultiAZ",
+            "ManageMasterPassword",
+            "MasterPasswordSecretKmsKeyId"
     };
     public static final String[] DETECTABLE_MODIFY_CLUSTER_ATTRIBUTES_SENSITIVE = new String[] {
             "MasterUserPassword"

aws-redshift-cluster/src/test/java/software/amazon/redshift/cluster/AbstractTestBase.java

@@ -24,6 +24,7 @@ public class AbstractTestBase {
   protected static final String AWS_PARTITION;
   protected static final String AWS_ACCOUNT_ID;
   protected static final String CLUSTER_IDENTIFIER;
+  protected static final String SNAPSHOT_IDENTIFIER;
   protected static final String CLUSTER_NAMESPACE_UUID;
   protected static final String MASTER_USERNAME;
   protected static final String MASTER_USERPASSWORD;
@@ -65,6 +66,7 @@ public class AbstractTestBase {
     DEFER_MAINTENANCE_IDENTIFIER = "cfn-defer-maintenance-identifier";
     DEFER_MAINTENANCE_START_TIME = "2023-12-10T00:00:00Z";
     DEFER_MAINTENANCE_END_TIME = "2024-01-19T00:00:00Z";
+    SNAPSHOT_IDENTIFIER = "redshift-cluster-1-snapshot";
 
     RESOURCE_POLICY = ResourcePolicy.builder()
             .resourceArn(CLUSTER_NAMESPACE_ARN)
@@ -181,6 +183,12 @@ public static ResourceModel createClusterRequestModel() {
             .build();
   }
 
+  public static ResourceModel restoreClusterRequestModel() {
+    return createClusterRequestModel().toBuilder()
+            .snapshotIdentifier(SNAPSHOT_IDENTIFIER)
+            .build();
+  }
+
   public static ResourceModel createClusterResponseModel() {
     return ResourceModel.builder()
             .clusterIdentifier(CLUSTER_IDENTIFIER)