We released a new version of the rds-broker, which surfaced an error in creating a binding from an RDS service (MySQL or Postgres) which already existed, to an app that it was not previously bound to.
What caused the original problem?
There was an existing bug in the rds-broker which meant that when we changed how we generated root passwords, the broker did not upgrade the root password on all the services.
The bug surfaced during this release as we hadn’t used the root password rotation recently.
Why wasn’t this caught before it reached prod?
Checking for this was not a part of our acceptance tests, there are no straightforward automated tests for errors of this kind. The error was found by chance as a team member checked whether binding/unbinding worked for existing RDS services on production.
This did not affect the availability of applications hosted on GOV.UK PaaS. Users (tenants) of the platform would have seen errors if they had tried to bind RDS databases which already existed, to an app that it was not previously bound to. We don’t believe any tenants were actually affected.