fix: ensure depenency between connectionTarget and secret update

Author: hrodmn

.github/workflows/build.yaml

@@ -18,9 +18,9 @@ jobs:
     name: Build and package
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: "npm"
@@ -37,22 +37,22 @@ jobs:
       - name: Generate documentation
         run: npm run docgen
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: docs
           path: docs
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: python
           path: dist/python/*
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: js
           path: dist/js/*
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: jsii
           path: .jsii

integration_tests/cdk/app.py

@@ -85,6 +85,9 @@ def __init__(
 
         assert pgstac_db.security_group
 
+        # make sure we can get the secret value!
+        assert pgstac_db.pgstac_secret.secret_value_from_json("host").to_string()
+
         pgstac_db.security_group.add_ingress_rule(
             aws_ec2.Peer.any_ipv4(), aws_ec2.Port.tcp(5432)
         )

lib/database/PgBouncer.ts

@@ -71,6 +71,7 @@ export class PgBouncer extends Construct {
   public readonly instance: ec2.Instance;
   public readonly pgbouncerSecret: secretsmanager.Secret;
   public readonly securityGroup: ec2.SecurityGroup;
+  public readonly secretUpdateComplete: CustomResource;
 
   // The max_connections parameter in PgBouncer determines the maximum number of
   // connections to open on the actual database instance. We want that number to
@@ -208,14 +209,18 @@ export class PgBouncer extends Construct {
     props.database.secret.grantRead(secretUpdaterFn);
     this.pgbouncerSecret.grantWrite(secretUpdaterFn);
 
-    new CustomResource(this, "pgbouncerSecretBootstrapper", {
-      serviceToken: secretUpdaterFn.functionArn,
-      properties: {
-        instanceIp: props.usePublicSubnet
-          ? this.instance.instancePublicIp
-          : this.instance.instancePrivateIp,
-      },
-    });
+    this.secretUpdateComplete = new CustomResource(
+      this,
+      "pgbouncerSecretBootstrapper",
+      {
+        serviceToken: secretUpdaterFn.functionArn,
+        properties: {
+          instanceIp: props.usePublicSubnet
+            ? this.instance.instancePublicIp
+            : this.instance.instancePrivateIp,
+        },
+      }
+    );
   }
 
   private loadUserDataScript(

lib/database/index.ts

@@ -171,7 +171,13 @@ export class PgStacDatabase extends Construct {
       this._pgBouncerServer.node.addDependency(bootstrapper);
 
       this.pgstacSecret = this._pgBouncerServer.pgbouncerSecret;
+
       this.connectionTarget = this._pgBouncerServer.instance;
+      // ensure the secret has been updated before releasing the connectionTarget
+      this.connectionTarget.node.addDependency(
+        this._pgBouncerServer.secretUpdateComplete
+      );
+
       this.securityGroup = this._pgBouncerServer.securityGroup;
     } else {
       this.connectionTarget = this.db;