"use strict";
/*
 * Minified CommonJS build output defining three exports: RotationSchedule,
 * HostedRotation and HostedRotationType. The jsii RTTI records below identify
 * them as aws-cdk-lib.aws_secretsmanager.* at version 2.233.0.
 *
 * Only whitespace and comments were added for review; the tokens are as shipped.
 * Security-relevant points for a reader: the IAM statements attached to the
 * rotation function's role, the KMS grant, the Lambda invoke grant to the
 * Secrets Manager service principal, and the default password exclusion set.
 */

/**
 * Decorator-application helper. Reuses `exports.__esDecorate` when one already
 * exists, otherwise defines it here.
 * NOTE(review): looks like the compiler-emitted ES-decorators helper rather than
 * hand-written code; confirm against the toolchain before editing.
 *
 * Applies `decorators` from last to first. Each decorator receives the current
 * descriptor value (or a {get,set} pair for accessors) and a per-call copy of
 * `contextIn` whose `access` object is also copied.
 */
var __esDecorate = exports && exports.__esDecorate || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
  // Returns f unchanged; throws unless f is undefined or a function.
  function accept(f) { if (f !== void 0 && typeof f != "function") throw new TypeError("Function expected"); return f }
  for (var kind = contextIn.kind,
           key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value",
           target = !descriptorIn && ctor ? contextIn.static ? ctor : ctor.prototype : null,
           descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {}),
           _,
           done = !1,
           i = decorators.length - 1; i >= 0; i--) {
    var context = {};
    for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
    for (var p in contextIn.access) context.access[p] = contextIn.access[p];
    // Initializers may only be registered while decoration is still running.
    context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)) };
    var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
    if (kind === "accessor") {
      if (result === void 0) continue;
      if (result === null || typeof result != "object") throw new TypeError("Object expected");
      (_ = accept(result.get)) && (descriptor.get = _), (_ = accept(result.set)) && (descriptor.set = _), (_ = accept(result.init)) && initializers.unshift(_)
    } else (_ = accept(result)) && (kind === "field" ? initializers.unshift(_) : descriptor[key] = _)
  }
  target && Object.defineProperty(target, contextIn.name, descriptor), done = !0
},
/**
 * Calls every initializer with `thisArg`. When a third argument was supplied,
 * `value` is threaded through the initializers and the final value is returned;
 * otherwise the function returns undefined.
 */
__runInitializers = exports && exports.__runInitializers || function (thisArg, initializers, value) { for (var useValue = arguments.length > 2, i = 0; i < initializers.length; i++) value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg); return useValue ? value : void 0 };

// Mark the module as transpiled ESM and pre-declare the three exports as undefined.
Object.defineProperty(exports, "__esModule", { value: !0 }), exports.HostedRotationType = exports.HostedRotation = exports.RotationSchedule = void 0;

// Lazy, memoised require: the first call loads the module, then the accessor is
// replaced by one that returns the cached module object. The same pattern is
// used for every dependency below, so nothing is loaded until first use.
var jsiiDeprecationWarnings = () => { var tmp = require("../../.warnings.jsii.js"); return jsiiDeprecationWarnings = () => tmp, tmp };
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
var secret_1 = () => { var tmp = require("./secret"); return secret_1 = () => tmp, tmp },
    secretsmanager_generated_1 = () => { var tmp = require("./secretsmanager.generated"); return secretsmanager_generated_1 = () => tmp, tmp },
    ec2 = () => { var tmp = require("../../aws-ec2"); return ec2 = () => tmp, tmp },
    aws_events_1 = () => { var tmp = require("../../aws-events"); return aws_events_1 = () => tmp, tmp },
    iam = () => { var tmp = require("../../aws-iam"); return iam = () => tmp, tmp },
    kms = () => { var tmp = require("../../aws-kms"); return kms = () => tmp, tmp },
    core_1 = () => { var tmp = require("../../core"); return core_1 = () => tmp, tmp },
    metadata_resource_1 = () => { var tmp = require("../../core/lib/metadata-resource"); return metadata_resource_1 = () => tmp, tmp },
    prop_injectable_1 = () => { var tmp = require("../../core/lib/prop-injectable"); return prop_injectable_1 = () => tmp, tmp };

// Fallback `excludeCharacters` value used by HostedRotation.bind() when neither
// the rotation options nor the secret supply one.
const DEFAULT_PASSWORD_EXCLUDE_CHARS = " %+~`#$&*()|[]{}:;<>?!'/@\"\\";

/**
 * RotationSchedule: a Resource subclass that wires a secret to either a
 * caller-supplied rotation function (`rotationLambda`) or a hosted rotation
 * (`hostedRotation`), and emits a CfnRotationSchedule.
 *
 * The class is built inside an IIFE so the `propertyInjectable` class decorator
 * can be applied through __esDecorate; what that decorator does is defined in
 * core/lib/prop-injectable and is not visible here.
 */
let RotationSchedule = (() => {
  let _classDecorators = [prop_injectable_1().propertyInjectable], _classDescriptor, _classExtraInitializers = [], _classThis, _classSuper = core_1().Resource;
  var RotationSchedule2 = class extends _classSuper {
    static { _classThis = this }
    // Apply the class decorator; the decorated class replaces RotationSchedule2.
    static {
      const _metadata = typeof Symbol == "function" && Symbol.metadata ? Object.create(_classSuper[Symbol.metadata] ?? null) : void 0;
      __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers), RotationSchedule2 = _classThis = _classDescriptor.value, _metadata && Object.defineProperty(_classThis, Symbol.metadata, { enumerable: !0, configurable: !0, writable: !0, value: _metadata })
    }
    static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_secretsmanager.RotationSchedule", version: "2.233.0" };
    static PROPERTY_INJECTION_ID = "aws-cdk-lib.aws-secretsmanager.RotationSchedule";

    /**
     * @param scope parent construct, forwarded to the Resource constructor
     * @param id construct id, forwarded to the Resource constructor
     * @param props reads `secret`, `rotationLambda`, `hostedRotation`,
     *   `automaticallyAfter` and `rotateImmediatelyOnUpdate`
     * @throws ValidationError when neither or both of `rotationLambda` and
     *   `hostedRotation` are given, or when `automaticallyAfter` is positive
     *   but below 4 hours or above 1000 days
     */
    constructor(scope, id, props) {
      super(scope, id);
      // jsii deprecation check on props. For a DeprecationError (unless
      // JSII_DEBUG is "1") the stack trace is re-captured so it starts at the
      // caller of this constructor; the error is always rethrown.
      try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_RotationScheduleProps(props) } catch (error) {
        throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, RotationSchedule2), error
      }
      // Record construct metadata, then require exactly one rotation mechanism.
      if ((0, metadata_resource_1().addConstructMetadata)(this, props), !props.rotationLambda && !props.hostedRotation || props.rotationLambda && props.hostedRotation) throw new (core_1()).ValidationError("One of `rotationLambda` or `hostedRotation` must be specified.", this);

      // Permissions are only wired when the rotation function has a
      // permissionsNode.defaultChild; otherwise all four grants below are skipped
      // and the caller is responsible for them.
      props.rotationLambda?.permissionsNode.defaultChild && (
        // 1. If the secret exposes an encryptionKey, let the function's principal
        //    encrypt/decrypt with it. The grantee is wrapped in ViaServicePrincipal
        //    for the regional Secrets Manager endpoint; presumably this restricts
        //    key use to requests made through that service (confirm in aws-kms).
        props.secret.encryptionKey && props.secret.encryptionKey.grantEncryptDecrypt(new (kms()).ViaServicePrincipal(`secretsmanager.${core_1().Stack.of(this).region}.amazonaws.com`, props.rotationLambda.grantPrincipal)),
        // 2. Allow the Secrets Manager service principal to invoke the function.
        //    NOTE(review): the principal is built with no conditions here; whether
        //    a source-account/source-ARN restriction is applied elsewhere is not
        //    visible from this file. Confirm.
        props.rotationLambda.grantInvoke(new (iam()).ServicePrincipal("secretsmanager.amazonaws.com")).applyBefore(this),
        // 3. The four rotation actions, scoped to this one secret. When the full
        //    ARN is unknown the resource is `<secretArn>-??????`: six IAM
        //    single-character wildcards, presumably matching the random suffix
        //    Secrets Manager appends to secret ARNs (confirm). This keeps the
        //    statement from matching other secrets that merely share a name prefix.
        props.rotationLambda.addToRolePolicy(new (iam()).PolicyStatement({
          actions: ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage"],
          resources: [props.secret.secretFullArn ? props.secret.secretFullArn : `${props.secret.secretArn}-??????`]
        })),
        // 4. GetRandomPassword on "*". NOTE(review): this action generates a
        //    password and does not read any stored secret, so the wildcard is
        //    not expected to widen access to secret values. Confirm against the
        //    IAM action reference.
        props.rotationLambda.addToRolePolicy(new (iam()).PolicyStatement({ actions: ["secretsmanager:GetRandomPassword"], resources: ["*"] }))
      );

      // Rotation interval: defaults to a 30-day rate when `automaticallyAfter`
      // is not given. A positive value must lie between 4 hours and 1000 days.
      // A zero-length duration leaves scheduleExpression undefined, so no
      // rotationRules are emitted; presumably that disables scheduled rotation
      // (confirm against the CloudFormation resource behaviour).
      let scheduleExpression;
      if (props.automaticallyAfter) {
        const automaticallyAfterMillis = props.automaticallyAfter.toMilliseconds();
        if (automaticallyAfterMillis > 0) {
          if (automaticallyAfterMillis < core_1().Duration.hours(4).toMilliseconds()) throw new (core_1()).ValidationError(`automaticallyAfter must not be smaller than 4 hours, got ${props.automaticallyAfter.toHours()} hours`, this);
          if (automaticallyAfterMillis > core_1().Duration.days(1e3).toMilliseconds()) throw new (core_1()).ValidationError(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`, this);
          scheduleExpression = aws_events_1().Schedule.rate(props.automaticallyAfter).expressionString
        }
      } else scheduleExpression = aws_events_1().Schedule.rate(core_1().Duration.days(30)).expressionString;

      let rotationRules;
      scheduleExpression && (rotationRules = { scheduleExpression }),
      // Emit the L1 resource. For a hosted rotation, bind() supplies the
      // hostedRotationLambda configuration (and has side effects on the stack).
      new (secretsmanager_generated_1()).CfnRotationSchedule(this, "Resource", {
        secretId: props.secret.secretArn,
        rotationLambdaArn: props.rotationLambda?.functionArn,
        hostedRotationLambda: props.hostedRotation?.bind(props.secret, this),
        rotationRules,
        rotateImmediatelyOnUpdate: props.rotateImmediatelyOnUpdate
      }),
      // Defined on the secret, not here. By its name it adds a deny on deletion
      // by the account root; confirm in ./secret.
      props.secret.denyAccountRootDelete()
    }
    static { __runInitializers(_classThis, _classExtraInitializers) }
  };
  return RotationSchedule2 = _classThis
})();
exports.RotationSchedule = RotationSchedule;

/**
 * HostedRotation: describes a hosted rotation of a given HostedRotationType.
 * Instances come from the static factories below; bind() turns one into the
 * `hostedRotationLambda` configuration consumed by RotationSchedule.
 */
class HostedRotation {
  // The HostedRotationType passed to the constructor.
  type;
  // Options object passed to the factory (vpc, vpcSubnets, securityGroups,
  // functionName and excludeCharacters are read in bind()).
  props;
  // Second secret, required when type.isMultiUser is truthy.
  masterSecret;
  static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_secretsmanager.HostedRotation", version: "2.233.0" };

  // Factories. Every one runs the jsii deprecation check on `options` (rethrowing,
  // with the stack trimmed to the factory for DeprecationError unless JSII_DEBUG
  // is "1") and then constructs a HostedRotation. Single-user variants default
  // `options` to {}; multi-user variants read `options.masterSecret`, so they
  // throw a TypeError if called without an options object.

  /** MySQL, single user. */
  static mysqlSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mysqlSingleUser), error
    }
    return new HostedRotation(HostedRotationType.MYSQL_SINGLE_USER, options)
  }
  /** MySQL, multi user; `options.masterSecret` is passed to the constructor. */
  static mysqlMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mysqlMultiUser), error
    }
    return new HostedRotation(HostedRotationType.MYSQL_MULTI_USER, options, options.masterSecret)
  }
  /** PostgreSQL, single user. */
  static postgreSqlSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.postgreSqlSingleUser), error
    }
    return new HostedRotation(HostedRotationType.POSTGRESQL_SINGLE_USER, options)
  }
  /** PostgreSQL, multi user; `options.masterSecret` is passed to the constructor. */
  static postgreSqlMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.postgreSqlMultiUser), error
    }
    return new HostedRotation(HostedRotationType.POSTGRESQL_MULTI_USER, options, options.masterSecret)
  }
  /** Oracle, single user. */
  static oracleSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.oracleSingleUser), error
    }
    return new HostedRotation(HostedRotationType.ORACLE_SINGLE_USER, options)
  }
  /** Oracle, multi user; `options.masterSecret` is passed to the constructor. */
  static oracleMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.oracleMultiUser), error
    }
    return new HostedRotation(HostedRotationType.ORACLE_MULTI_USER, options, options.masterSecret)
  }
  /** MariaDB, single user. */
  static mariaDbSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mariaDbSingleUser), error
    }
    return new HostedRotation(HostedRotationType.MARIADB_SINGLE_USER, options)
  }
  /** MariaDB, multi user; `options.masterSecret` is passed to the constructor. */
  static mariaDbMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mariaDbMultiUser), error
    }
    return new HostedRotation(HostedRotationType.MARIADB_MULTI_USER, options, options.masterSecret)
  }
  /** SQL Server, single user. */
  static sqlServerSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.sqlServerSingleUser), error
    }
    return new HostedRotation(HostedRotationType.SQLSERVER_SINGLE_USER, options)
  }
  /** SQL Server, multi user; `options.masterSecret` is passed to the constructor. */
  static sqlServerMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.sqlServerMultiUser), error
    }
    return new HostedRotation(HostedRotationType.SQLSERVER_MULTI_USER, options, options.masterSecret)
  }
  /** Redshift, single user. */
  static redshiftSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.redshiftSingleUser), error
    }
    return new HostedRotation(HostedRotationType.REDSHIFT_SINGLE_USER, options)
  }
  /** Redshift, multi user; `options.masterSecret` is passed to the constructor. */
  static redshiftMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.redshiftMultiUser), error
    }
    return new HostedRotation(HostedRotationType.REDSHIFT_MULTI_USER, options, options.masterSecret)
  }
  /** MongoDB, single user. */
  static mongoDbSingleUser(options = {}) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_SingleUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mongoDbSingleUser), error
    }
    return new HostedRotation(HostedRotationType.MONGODB_SINGLE_USER, options)
  }
  /** MongoDB, multi user; `options.masterSecret` is passed to the constructor. */
  static mongoDbMultiUser(options) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_MultiUserHostedRotationOptions(options) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.mongoDbMultiUser), error
    }
    return new HostedRotation(HostedRotationType.MONGODB_MULTI_USER, options, options.masterSecret)
  }

  // ec2 Connections object; assigned in bind() only when props.vpc is set.
  _connections;

  /**
   * @param type HostedRotationType; its `isMultiUser` flag drives validation
   * @param props options object stored as `this.props`
   * @param masterSecret second secret for the multi-user scheme
   * @throws UnscopedValidationError when `type.isMultiUser` is truthy and no
   *   masterSecret was given
   */
  constructor(type, props, masterSecret) {
    if (this.type = type, this.props = props, this.masterSecret = masterSecret, type.isMultiUser && !masterSecret) throw new (core_1()).UnscopedValidationError("The `masterSecret` must be specified when using the multi user scheme.")
  }

  /**
   * Produces the hosted-rotation configuration for `secret`.
   *
   * Side effects visible here: adds the "AWS::SecretsManager-2024-09-16"
   * transform to the stack containing `scope` (before any validation runs),
   * may create a SecurityGroup under `scope`, and calls
   * denyAccountRootDelete() on the master secret when one is set.
   *
   * @param secret the secret being rotated
   * @param scope construct used to locate the stack and to parent a new SecurityGroup
   * @returns object with rotationType, kmsKeyArn, masterSecretArn,
   *   masterSecretKmsKeyArn, rotationLambdaName, vpcSecurityGroupIds,
   *   vpcSubnetIds and excludeCharacters
   * @throws ValidationError when `securityGroups` is given without `vpc`
   */
  bind(secret, scope) {
    try { jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_ISecret(secret) } catch (error) {
      throw process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError" && Error.captureStackTrace(error, this.bind), error
    }
    if (core_1().Stack.of(scope).addTransform("AWS::SecretsManager-2024-09-16"), !this.props.vpc && this.props.securityGroups) throw new (core_1()).ValidationError("`vpc` must be specified when specifying `securityGroups`.", secret);
    // With a VPC: use the caller's security groups, or create one in that VPC
    // when `securityGroups` is falsy. An explicitly empty array is truthy in
    // JavaScript, so it is kept as-is and no group is created.
    this.props.vpc && (this._connections = new (ec2()).Connections({ securityGroups: this.props.securityGroups || [new (ec2()).SecurityGroup(scope, "SecurityGroup", { vpc: this.props.vpc })] })), this.masterSecret && this.masterSecret.denyAccountRootDelete();
    // Master secret ARN: `secretArn` when the master secret reports a
    // secretFullArn, otherwise `secretArn` plus the `-??????` suffix pattern.
    // NOTE(review): the first branch tests secretFullArn but emits secretArn;
    // presumably the two are equal whenever the full ARN is known. Confirm in ./secret.
    let masterSecretArn;
    this.masterSecret?.secretFullArn ? masterSecretArn = this.masterSecret.secretArn : this.masterSecret && (masterSecretArn = this.masterSecret.secretArn + "-??????");
    // Exclusion set precedence: rotation options, then the secret's own
    // excludeCharacters (only when Secret.isSecret(secret) is true), then the
    // module default.
    const defaultExcludeCharacters = secret_1().Secret.isSecret(secret) ? secret.excludeCharacters ?? DEFAULT_PASSWORD_EXCLUDE_CHARS : DEFAULT_PASSWORD_EXCLUDE_CHARS;
    return {
      rotationType: this.type.name,
      kmsKeyArn: secret.encryptionKey?.keyArn,
      masterSecretArn,
      masterSecretKmsKeyArn: this.masterSecret?.encryptionKey?.keyArn,
      rotationLambdaName: this.props.functionName,
      // Comma-joined ids; both stay undefined when no VPC was configured.
      vpcSecurityGroupIds: this._connections?.securityGroups?.map(s => s.securityGroupId).join(","),
      vpcSubnetIds: this.props.vpc?.selectSubnets(this.props.vpcSubnets).subnetIds.join(","),
      excludeCharacters: this.props.excludeCharacters ?? defaultExcludeCharacters
    }
  }

  /**
   * The Connections object created by bind().
   * @throws UnscopedValidationError when no VPC was configured, or when bind()
   *   has not run yet
   */
  get connections() {
    if (!this.props.vpc) throw new (core_1()).UnscopedValidationError("Cannot use connections for a hosted rotation that is not deployed in a VPC");
    if (!this._connections) throw new (core_1()).UnscopedValidationError("Cannot use connections for a hosted rotation that has not been bound to a secret");
    return this._connections
  }
}
exports.HostedRotation = HostedRotation;

/**
 * HostedRotationType: a rotation type name plus a multi-user flag. The `name`
 * is emitted verbatim as `rotationType` by HostedRotation.bind().
 * Single-user constants pass no second argument, so their `isMultiUser` is
 * undefined (falsy) rather than false.
 */
class HostedRotationType {
  name;
  isMultiUser;
  static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_secretsmanager.HostedRotationType", version: "2.233.0" };
  static MYSQL_SINGLE_USER = new HostedRotationType("MySQLSingleUser");
  static MYSQL_MULTI_USER = new HostedRotationType("MySQLMultiUser", !0);
  static POSTGRESQL_SINGLE_USER = new HostedRotationType("PostgreSQLSingleUser");
  static POSTGRESQL_MULTI_USER = new HostedRotationType("PostgreSQLMultiUser", !0);
  static ORACLE_SINGLE_USER = new HostedRotationType("OracleSingleUser");
  static ORACLE_MULTI_USER = new HostedRotationType("OracleMultiUser", !0);
  static MARIADB_SINGLE_USER = new HostedRotationType("MariaDBSingleUser");
  static MARIADB_MULTI_USER = new HostedRotationType("MariaDBMultiUser", !0);
  static SQLSERVER_SINGLE_USER = new HostedRotationType("SQLServerSingleUser");
  static SQLSERVER_MULTI_USER = new HostedRotationType("SQLServerMultiUser", !0);
  static REDSHIFT_SINGLE_USER = new HostedRotationType("RedshiftSingleUser");
  static REDSHIFT_MULTI_USER = new HostedRotationType("RedshiftMultiUser", !0);
  static MONGODB_SINGLE_USER = new HostedRotationType("MongoDBSingleUser");
  static MONGODB_MULTI_USER = new HostedRotationType("MongoDBMultiUser", !0);
  /**
   * @param name rotation type name
   * @param isMultiUser truthy for the multi-user scheme
   */
  constructor(name, isMultiUser) { this.name = name, this.isMultiUser = isMultiUser }
}
exports.HostedRotationType = HostedRotationType;