import * as cdk from "../../core/lib";
import * as constructs from "constructs";
import * as cfn_parse from "../../core/lib/helpers-internal";
import { aws_kms as kmsRefs, aws_secretsmanager as secretsManagerRefs } from "../../interfaces";
import { IResourcePolicyRef, IRotationScheduleRef, ISecretRef, ISecretTargetAttachmentRef, ResourcePolicyReference, RotationScheduleReference, SecretReference, SecretTargetAttachmentReference } from "../../interfaces/generated/aws-secretsmanager-interfaces.generated";
/**
 * Attaches a resource-based permission policy to a secret.
 *
 * A resource-based policy is optional. If a secret already has a resource policy attached, you must first remove it before attaching a new policy using this CloudFormation resource. You can remove the policy using the [console](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html) , [CLI](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/delete-resource-policy.html) , or [API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html) . For more information, see [Authentication and access control for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .
 *
 * *Required permissions:* `secretsmanager:PutResourcePolicy` , `secretsmanager:GetResourcePolicy` . For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .
 *
 * Security notes (review):
 *
 * - The document passed as `resourcePolicy` *is* the secret's resource-based access control. It is typed `any`, so nothing in this L1 class checks principals, actions or conditions; a missing `Condition` or an over-broad `Action`/`Principal` is only caught, if at all, by the service at deploy time. Review the rendered statement in the synthesized template, not just the TypeScript.
 * - When `blockPublicPolicy` is left unset the service blocks broad-access policies (for example a wildcard principal); an explicit `false` is what lets such a policy through and should be treated as a review finding unless justified.
 * - Only one resource policy can be attached to a secret (see above), so this resource competes with any policy set on the same secret by other tooling.
 *
 * @cloudformationResource AWS::SecretsManager::ResourcePolicy
 * @stability external
 * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html
 */
export declare class CfnResourcePolicy extends cdk.CfnResource implements cdk.IInspectable, IResourcePolicyRef {
    /**
     * The CloudFormation resource type name for this resource class.
     */
    static readonly CFN_RESOURCE_TYPE_NAME: string;
    /**
     * Build a CfnResourcePolicy from CloudFormation properties.
     *
     * A factory method that creates a new instance of this class from an object
     * containing the CloudFormation properties of this resource.
     * Used in the @aws-cdk/cloudformation-include module.
     *
     * @param scope Scope in which the resource is defined
     * @param id Construct identifier, unique within `scope`
     * @param resourceAttributes Raw CloudFormation resource attributes (untyped)
     * @param options Parsing options supplied by cloudformation-include
     * @internal
     */
    static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnResourcePolicy;
    /**
     * Checks whether the given object is a CfnResourcePolicy.
     *
     * @param x Any value
     * @returns `true` if `x` is a CfnResourcePolicy (narrows the type)
     */
    static isCfnResourcePolicy(x: any): x is CfnResourcePolicy;
    /**
     * Specifies whether to block resource-based policies that allow broad access to the secret.
     *
     * Private state behind the `blockPublicPolicy` accessor.
     */
    private _blockPublicPolicy?;
    /**
     * A JSON-formatted string for an AWS resource-based policy.
     *
     * Private state behind the `resourcePolicy` accessor.
     */
    private _resourcePolicy;
    /**
     * The ARN or name of the secret to attach the resource-based policy.
     *
     * Private state behind the `secretId` accessor.
     */
    private _secretId;
    /**
     * Create a new `AWS::SecretsManager::ResourcePolicy`.
     *
     * @param scope Scope in which this resource is defined
     * @param id Construct identifier for this resource (unique in its scope)
     * @param props Resource properties
     */
    constructor(scope: constructs.Construct, id: string, props: CfnResourcePolicyProps);
    /**
     * Reference to this resource policy, for constructs that accept an `IResourcePolicyRef`.
     */
    get resourcePolicyRef(): ResourcePolicyReference;
    /**
     * Specifies whether to block resource-based policies that allow broad access to the secret.
     *
     * `undefined` leaves the service default in place, which blocks broad access
     * (see `CfnResourcePolicyProps.blockPublicPolicy`).
     */
    get blockPublicPolicy(): boolean | cdk.IResolvable | undefined;
    /**
     * Specifies whether to block resource-based policies that allow broad access to the secret.
     *
     * Setting this to `false` is what permits a wildcard-principal policy to be attached; justify it in review.
     */
    set blockPublicPolicy(value: boolean | cdk.IResolvable | undefined);
    /**
     * A JSON-formatted string for an AWS resource-based policy.
     *
     * Typed `any`: the policy document is not shape-checked at compile time.
     */
    get resourcePolicy(): any | cdk.IResolvable;
    /**
     * A JSON-formatted string for an AWS resource-based policy.
     *
     * Typed `any`: no validation happens here; errors surface at deploy time.
     */
    set resourcePolicy(value: any | cdk.IResolvable);
    /**
     * The ARN or name of the secret to attach the resource-based policy.
     *
     * A complete ARN is recommended over a name or partial ARN (see `CfnResourcePolicyProps.secretId`).
     */
    get secretId(): string;
    /**
     * The ARN or name of the secret to attach the resource-based policy.
     */
    set secretId(value: string);
    /**
     * The Arn of the secret.
     *
     * @cloudformationAttribute Id
     */
    get attrId(): string;
    /**
     * The CloudFormation properties of this resource, as rendered into the template.
     */
    protected get cfnProperties(): Record<string, any>;
    /**
     * Examines the CloudFormation resource and discloses attributes.
     *
     * @param inspector tree inspector to collect and process attributes
     */
    inspect(inspector: cdk.TreeInspector): void;
    /**
     * Renders the given properties into their CloudFormation form.
     *
     * @param props Construct-level properties
     * @returns CloudFormation-level property map
     */
    protected renderProperties(props: Record<string, any>): Record<string, any>;
}
/**
 * Properties for defining a `CfnResourcePolicy`
 *
 * @struct
 * @stability external
 * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html
 */
export interface CfnResourcePolicyProps {
    /**
     * Specifies whether to block resource-based policies that allow broad access to the secret.
     *
     * By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.
     *
     * Security: leave this unset (or `true`). An explicit `false` disables the guard and should be justified in review.
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-blockpublicpolicy
     */
    readonly blockPublicPolicy?: boolean | cdk.IResolvable;
    /**
     * A JSON-formatted string for an AWS resource-based policy.
     *
     * For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html) .
     *
     * Security: this is the secret's access-control document and it is typed `any`, so no compile-time check
     * catches an over-broad `Principal`, `Action` or a missing `Condition`. Review the synthesized template.
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-resourcepolicy
     */
    readonly resourcePolicy: any | cdk.IResolvable;
    /**
     * The ARN or name of the secret to attach the resource-based policy.
     *
     * For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-secretid
     */
    readonly secretId: secretsManagerRefs.ISecretRef | string;
}
/**
 * Configure the rotation schedule and Lambda rotation function for a secret. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .
 *
 * For database credentials, refer to the following resources:
 *
 * - Amazon RDS master user credentials: [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html)
 * - Amazon Redshift admin user credentials: [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html)
 *
 * Choose one of the following options for the rotation function:
 *
 * - Create a new rotation function using `HostedRotationLambda` based on a [Secrets Manager rotation function template](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) .
 * - Use an existing rotation function by specifying its ARN with `RotationLambdaARN` .
 *
 * > For database secrets defined in the same CloudFormation template as the database or service:
 * >
 * > - Use the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with connection details.
 * > - Add a `DependsOn` attribute to the `RotationSchedule` resource that uses a `SecretTargetAttachment` . This ensures the rotation is configured after the secret is populated with connection details.
 *
 * > You can define only one rotation schedule per secret.
 *
 * Security notes (review):
 *
 * - With `hostedRotationLambda`, CloudFormation creates the rotation function and its execution role for you and grants that role access to the superuser secret and KMS key named in the property (see `HostedRotationLambdaProperty`). Review what that role can reach, and who can update the function, before relying on it.
 * - `rotateImmediatelyOnUpdate` defaults to `true` (see `CfnRotationScheduleProps`), so an update to this resource rotates the credential right away rather than at the next window.
 * - `externalSecretRotationRoleArn` is a role Secrets Manager uses on your behalf; its trust policy and permissions are not visible from this class — NOTE(review): confirm they are scoped to the managed external secret only.
 *
 * @cloudformationResource AWS::SecretsManager::RotationSchedule
 * @stability external
 * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html
 */
export declare class CfnRotationSchedule extends cdk.CfnResource implements cdk.IInspectable, IRotationScheduleRef {
    /**
     * The CloudFormation resource type name for this resource class.
     */
    static readonly CFN_RESOURCE_TYPE_NAME: string;
    /**
     * Build a CfnRotationSchedule from CloudFormation properties.
     *
     * A factory method that creates a new instance of this class from an object
     * containing the CloudFormation properties of this resource.
     * Used in the @aws-cdk/cloudformation-include module.
     *
     * @param scope Scope in which the resource is defined
     * @param id Construct identifier, unique within `scope`
     * @param resourceAttributes Raw CloudFormation resource attributes (untyped)
     * @param options Parsing options supplied by cloudformation-include
     * @internal
     */
    static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnRotationSchedule;
    /**
     * Checks whether the given object is a CfnRotationSchedule.
     *
     * @param x Any value
     * @returns `true` if `x` is a CfnRotationSchedule (narrows the type)
     */
    static isCfnRotationSchedule(x: any): x is CfnRotationSchedule;
    /**
     * The list of metadata needed to successfully rotate a managed external secret.
     *
     * Private state behind the `externalSecretRotationMetadata` accessor.
     */
    private _externalSecretRotationMetadata?;
    /**
     * The ARN of the IAM role that is used by Secrets Manager to rotate a managed external secret.
     *
     * Private state behind the `externalSecretRotationRoleArn` accessor.
     */
    private _externalSecretRotationRoleArn?;
    /**
     * Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead.
     *
     * Private state behind the `hostedRotationLambda` accessor.
     */
    private _hostedRotationLambda?;
    /**
     * Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated.
     *
     * Private state behind the `rotateImmediatelyOnUpdate` accessor.
     */
    private _rotateImmediatelyOnUpdate?;
    /**
     * The ARN of an existing Lambda rotation function.
     *
     * Private state behind the `rotationLambdaArn` accessor.
     */
    private _rotationLambdaArn?;
    /**
     * A structure that defines the rotation configuration for this secret.
     *
     * Private state behind the `rotationRules` accessor.
     */
    private _rotationRules?;
    /**
     * The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.
     *
     * Private state behind the `secretId` accessor.
     */
    private _secretId;
    /**
     * Create a new `AWS::SecretsManager::RotationSchedule`.
     *
     * @param scope Scope in which this resource is defined
     * @param id Construct identifier for this resource (unique in its scope)
     * @param props Resource properties
     */
    constructor(scope: constructs.Construct, id: string, props: CfnRotationScheduleProps);
    /**
     * Reference to this rotation schedule, for constructs that accept an `IRotationScheduleRef`.
     */
    get rotationScheduleRef(): RotationScheduleReference;
    /**
     * The list of metadata needed to successfully rotate a managed external secret.
     *
     * Items are plain key/value strings rendered into the template (see `ExternalSecretRotationMetadataItemProperty`).
     */
    get externalSecretRotationMetadata(): Array<CfnRotationSchedule.ExternalSecretRotationMetadataItemProperty | cdk.IResolvable> | cdk.IResolvable | undefined;
    /**
     * The list of metadata needed to successfully rotate a managed external secret.
     */
    set externalSecretRotationMetadata(value: Array<CfnRotationSchedule.ExternalSecretRotationMetadataItemProperty | cdk.IResolvable> | cdk.IResolvable | undefined);
    /**
     * The ARN of the IAM role that is used by Secrets Manager to rotate a managed external secret.
     */
    get externalSecretRotationRoleArn(): string | undefined;
    /**
     * The ARN of the IAM role that is used by Secrets Manager to rotate a managed external secret.
     *
     * NOTE(review): the role's trust and permission policies are defined elsewhere; confirm they are least-privilege.
     */
    set externalSecretRotationRoleArn(value: string | undefined);
    /**
     * Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead.
     */
    get hostedRotationLambda(): CfnRotationSchedule.HostedRotationLambdaProperty | cdk.IResolvable | undefined;
    /**
     * Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead.
     *
     * Choose either this property or `rotationLambdaArn`, not both (see the class documentation).
     */
    set hostedRotationLambda(value: CfnRotationSchedule.HostedRotationLambdaProperty | cdk.IResolvable | undefined);
    /**
     * Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated.
     *
     * `undefined` means the service default, which is `true` (rotate immediately); see `CfnRotationScheduleProps.rotateImmediatelyOnUpdate`.
     */
    get rotateImmediatelyOnUpdate(): boolean | cdk.IResolvable | undefined;
    /**
     * Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated.
     */
    set rotateImmediatelyOnUpdate(value: boolean | cdk.IResolvable | undefined);
    /**
     * The ARN of an existing Lambda rotation function.
     */
    get rotationLambdaArn(): string | undefined;
    /**
     * The ARN of an existing Lambda rotation function.
     *
     * Choose either this property or `hostedRotationLambda`, not both (see the class documentation).
     * NOTE(review): a pre-existing function brings its own execution role and invoke permissions, which this class does not manage — review them separately.
     */
    set rotationLambdaArn(value: string | undefined);
    /**
     * A structure that defines the rotation configuration for this secret.
     */
    get rotationRules(): cdk.IResolvable | CfnRotationSchedule.RotationRulesProperty | undefined;
    /**
     * A structure that defines the rotation configuration for this secret.
     */
    set rotationRules(value: cdk.IResolvable | CfnRotationSchedule.RotationRulesProperty | undefined);
    /**
     * The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.
     */
    get secretId(): string;
    /**
     * The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.
     *
     * NOTE(review): prefer a complete ARN over a bare name so the target cannot be confused with a same-named secret elsewhere — confirm against the service docs for this property.
     */
    set secretId(value: string);
    /**
     * The ARN of the secret.
     *
     * @cloudformationAttribute Id
     */
    get attrId(): string;
    /**
     * The CloudFormation properties of this resource, as rendered into the template.
     */
    protected get cfnProperties(): Record<string, any>;
    /**
     * Examines the CloudFormation resource and discloses attributes.
     *
     * @param inspector tree inspector to collect and process attributes
     */
    inspect(inspector: cdk.TreeInspector): void;
    /**
     * Renders the given properties into their CloudFormation form.
     *
     * @param props Construct-level properties
     * @returns CloudFormation-level property map
     */
    protected renderProperties(props: Record<string, any>): Record<string, any>;
}
export declare namespace CfnRotationSchedule {
    /**
     * Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) .
     *
     * You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template.
     *
     * For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .
     *
     * For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .
     *
     * Security: the transform creates a Lambda function and an execution role in your account on your behalf. The
     * `masterSecretArn`/`superuserSecretArn` and `*KmsKeyArn` properties below enlarge what that role is granted;
     * the `vpc*` properties decide what network it can reach. Every string here is passed through unvalidated.
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html
     */
    interface HostedRotationLambdaProperty {
        /**
         * A string of the characters that you don't want in the password.
         *
         * NOTE(review): every excluded character shrinks the alphabet of generated passwords; exclude only what the
         * target or its driver genuinely cannot accept — password generation itself is not visible from this file, confirm against the rotation template.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-excludecharacters
         */
        readonly excludeCharacters?: string;
        /**
         * The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
         *
         * If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager` . If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
 *
         * NOTE(review): with the default AWS-managed key, who can read the secret value is governed by IAM and the
         * secret's resource policy alone; a customer managed key additionally lets the key policy gate decryption,
         * which is what cross-account or separately administered access usually needs — confirm for your case.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-kmskeyarn
         */
        readonly kmsKeyArn?: string;
        /**
         * The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .
         *
         * You must create the superuser secret before you can set this property.
         *
         * You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) .
         *
         * You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.
         *
         * Security: setting this grants the generated execution role read access to superuser credentials for the
         * database. Treat the rotation function and anyone who can modify or invoke it as holding those credentials.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretarn
         */
        readonly masterSecretArn?: string;
        /**
         * The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .
         *
         * You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key .
         *
         * Security: the grant is on the whole key, not only on the superuser secret's ciphertext; point this at the
         * key that actually protects that secret rather than a shared key with a wider blast radius.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretkmskeyarn
         */
        readonly masterSecretKmsKeyArn?: string;
        /**
         * The name of the Lambda rotation function.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationlambdaname
         */
        readonly rotationLambdaName?: string;
        /**
         * The rotation template to base the rotation function on, one of the following:
         *
         * - `Db2SingleUser` to use the template [SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser) .
         * - `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser) .
         * - `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .
         * - `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .
         * - `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser) .
         * - `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .
         * - `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .
         * - `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .
         * - `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .
         * - `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .
         * - `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .
         * - `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .
         * - `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .
         * - `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .
         * - `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .
         * - `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .
         *
         * Typed as a plain `string`, so an unknown value is not rejected at compile time; the `*MultiUser`
         * templates are the ones that require a superuser secret (`masterSecretArn`/`superuserSecretArn`).
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationtype
         */
        readonly rotationType: string;
        /**
         * > Do not set this value if you are using `Transform: AWS::SecretsManager-2024-09-16` .
         * >
         * > Over time, the updated rotation lambda artifacts vended by AWS may not be compatible with the code or shared object files defined in the rotation function deployment package.
         * >
         * > Only define the `Runtime` key if:
         * >
         * > - You are using `Transform: AWS::SecretsManager-2020-07-23` .
         * > - The code or shared object files defined in the rotation function deployment package are incompatible with Python 3.10.
         *
         * The Python runtime version for the rotation function. By default, CloudFormation deploys Python 3.10 binaries for the rotation function. To use a different version of Python, you must do the following two steps:
         *
         * - Deploy the matching version Python binaries with your rotation function.
         * - Set the version number in this field. For example, for Python 3.10, enter *python3.10* .
         *
         * If you only do one of the steps, your rotation function will be incompatible with the binaries. For more information, see [Why did my Lambda rotation function fail with a "pg module not found" error](https://repost.aws/knowledge-center/secrets-manager-lambda-rotation) .
         *
         * NOTE(review): a pinned runtime is a maintenance liability — Lambda retires Python versions over time, and a
         * rotation function stuck on a retired runtime stops rotating. Leave unset unless one of the conditions above applies.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-runtime
         */
        readonly runtime?: string;
        /**
         * The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .
         *
         * You must create the superuser secret before you can set this property.
         *
         * You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) .
         *
         * You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.
         *
         * Security: same grant as `masterSecretArn` — the execution role can read superuser credentials.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretarn
         */
        readonly superuserSecretArn?: string;
        /**
         * The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .
         *
         * You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key .
         *
         * Security: same grant as `masterSecretKmsKeyArn` — it covers the whole key, so prefer a dedicated key.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretkmskeyarn
         */
        readonly superuserSecretKmsKeyArn?: string;
        /**
         * A comma-separated list of security group IDs applied to the target database.
         *
         * The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.
         *
         * Security: the rotation function therefore inherits whatever ingress/egress those groups allow; review the
         * group rules rather than assuming the function is network-isolated. A plain comma-joined string, not a list —
         * a stray space or separator is not caught here.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsecuritygroupids
         */
        readonly vpcSecurityGroupIds?: string;
        /**
         * A comma separated list of VPC subnet IDs of the target database network.
         *
         * The Lambda rotation function is in the same subnet group.
         *
         * NOTE(review): the function needs a route to the Secrets Manager endpoint from these subnets (VPC endpoint or
         * egress); that plumbing is not part of this resource — confirm it exists before enabling rotation.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsubnetids
         */
        readonly vpcSubnetIds?: string;
    }
    /**
     * The rotation schedule and window.
     *
     * We recommend you use `ScheduleExpression` to set a cron or rate expression for the schedule and `Duration` to set the length of the rotation window.
     *
     * > When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :
     * >
     * > - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.
 * > - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows.
     *
     * `AutomaticallyAfterDays` and `ScheduleExpression` are alternatives, not both (see `automaticallyAfterDays`).
     * Whatever the schedule, the secret is rotated at an unspecified time inside the window, so consumers must
     * tolerate the value changing at any moment in it.
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html
     */
    interface RotationRulesProperty {
        /**
         * The number of days between automatic scheduled rotations of the secret.
         *
         * You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
         *
         * In `DescribeSecret` and `ListSecrets` , this value is calculated from the rotation schedule after every successful rotation. In `RotateSecret` , you can set the rotation schedule in `RotationRules` with `AutomaticallyAfterDays` or `ScheduleExpression` , but not both.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-automaticallyafterdays
         */
        readonly automaticallyAfterDays?: number;
        /**
         * The length of the rotation window in hours, for example `3h` for a three hour window.
         *
         * Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the `ScheduleExpression` . If you don't specify a `Duration` , for a `ScheduleExpression` in hours, the window automatically closes after one hour. For a `ScheduleExpression` in days, the window automatically closes at the end of the UTC day. For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) in the *Secrets Manager Users Guide* .
         *
         * A free-form string (`3h`); the format is not checked at compile time.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-duration
         */
        readonly duration?: string;
        /**
         * A `cron()` or `rate()` expression that defines the schedule for rotating your secret.
         *
         * Secrets Manager rotation schedules use UTC time zone. Secrets Manager rotates your secret any time during a rotation window.
         *
         * Secrets Manager `rate()` expressions represent the interval in hours or days that you want to rotate your secret, for example `rate(12 hours)` or `rate(10 days)` . You can rotate a secret as often as every four hours. If you use a `rate()` expression, the rotation window starts at midnight. For a rate in hours, the default rotation window closes after one hour. For a rate in days, the default rotation window closes at the end of the day. You can set the `Duration` to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.
         *
         * You can use a `cron()` expression to create a rotation schedule that is more detailed than a rotation interval. For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) in the *Secrets Manager Users Guide* . For a cron expression that represents a schedule in hours, the default rotation window closes after one hour. For a cron expression that represents a schedule in days, the default rotation window closes at the end of the day. You can set the `Duration` to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.
         *
         * Prefer `cron()` when changing an existing schedule with `RotateImmediatelyOnUpdate` set to `false`;
         * with `rate()` the previously scheduled rotation might still occur (see the interface documentation).
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-scheduleexpression
         */
        readonly scheduleExpression?: string;
    }
    /**
     * The metadata needed to successfully rotate a managed external secret.
     *
     * A list of key value pairs in JSON format specified by the partner. For more information, see [Managed external secret partners](https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html) .
     *
     * NOTE(review): these pairs are ordinary template properties, so anything placed here is readable by whoever can
     * read the stack template; treat `value` as configuration, not as a place for secret material — confirm against the partner's documentation.
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem.html
     */
    interface ExternalSecretRotationMetadataItemProperty {
        /**
         * The key that identifies the item.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem.html#cfn-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-key
         */
        readonly key: string;
        /**
         * The value of the specified item.
         *
         * Rendered into the template as plain text (see the interface documentation).
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem.html#cfn-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-value
         */
        readonly value: string;
    }
}
/**
 * Properties for defining a `CfnRotationSchedule`
 *
 * @struct
 * @stability external
 * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html
 */
export interface CfnRotationScheduleProps {
    /**
     * The list of metadata needed to successfully rotate a managed external secret.
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-externalsecretrotationmetadata */ readonly externalSecretRotationMetadata?: Array<CfnRotationSchedule.ExternalSecretRotationMetadataItemProperty | cdk.IResolvable> | cdk.IResolvable; /** * The ARN of the IAM role that is used by Secrets Manager to rotate a managed external secret. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-externalsecretrotationrolearn */ readonly externalSecretRotationRoleArn?: string; /** * Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead. * * You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template. Transforms are macros hosted by AWS CloudFormation that help you create and manage complex infrastructure. The `Transform: AWS::SecretsManager-2024-09-16` transform automatically extends the CloudFormation stack to include a nested stack (of type `AWS::CloudFormation::Stack` ), which then creates and updates on your behalf during subsequent stack operations, the appropriate rotation Lambda function for your database or service. For general information on transforms, see the [AWS CloudFormation documentation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) * * For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) . 
* * For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda */ readonly hostedRotationLambda?: CfnRotationSchedule.HostedRotationLambdaProperty | cdk.IResolvable; /** * Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. * * The rotation schedule is defined in `RotationRules` . * * The default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately. * * If you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it. * * > When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` : * > * > - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur. * > - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. * * Rotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotateimmediatelyonupdate */ readonly rotateImmediatelyOnUpdate?: boolean | cdk.IResolvable; /** * The ARN of an existing Lambda rotation function. 
* * To specify a rotation function that is also defined in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function. * * For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) . * * For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) . * * To create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) , specify `HostedRotationLambda` instead. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationlambdaarn */ readonly rotationLambdaArn?: string; /** * A structure that defines the rotation configuration for this secret. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationrules */ readonly rotationRules?: cdk.IResolvable | CfnRotationSchedule.RotationRulesProperty; /** * The ARN or name of the secret to rotate. This is unique for each rotation schedule definition. * * To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-secretid */ readonly secretId: string; } /** * Creates a new secret. 
*
 * A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager.
 *
 * For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .
 *
 * For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .
 *
 * To retrieve a secret in a CloudFormation template, use a *dynamic reference* . For more information, see [Retrieve a secret in a CloudFormation resource](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html) .
 *
 * For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) . For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) .
 *
 * For information about retrieving a secret in code, see [Retrieve secrets from Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) .
 *
 * NOTE(review): the values assigned to this construct's properties are what `cfnProperties` /
 * `renderProperties` hand to the template, so a literal `secretString` presumably lands in the
 * synthesized template artifact as well (confirm against the linked docs). Prefer
 * `generateSecretString` or a value resolved at deploy time over a literal.
 *
 * @cloudformationResource AWS::SecretsManager::Secret
 * @stability external
 * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html
 */
export declare class CfnSecret extends cdk.CfnResource implements cdk.IInspectable, ISecretRef, cdk.ITaggable {
    /**
     * The CloudFormation resource type name for this resource class.
     */
    static readonly CFN_RESOURCE_TYPE_NAME: string;
    /**
     * Build a CfnSecret from CloudFormation properties
     *
     * A factory method that creates a new instance of this class from an object
     * containing the CloudFormation properties of this resource.
     * Used in the @aws-cdk/cloudformation-include module.
     *
     * `resourceAttributes` is untyped (`any`): it is raw template data and nothing in this
     * declaration validates its shape.
     *
     * @param scope Scope in which the resource is defined
     * @param id Construct identifier for the resource
     * @param resourceAttributes Raw CloudFormation resource attributes
     * @param options Parsing options for the include module
     * @internal
     */
    static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnSecret;
    /**
     * Checks whether the given object is a CfnSecret
     *
     * @param x any value; the predicate narrows it to `CfnSecret` when it returns true
     */
    static isCfnSecret(x: any): x is CfnSecret;
    /**
     * Creates a new ISecretRef from a secretId
     *
     * The return type is a reference (`ISecretRef`), not a `CfnSecret`, so this call does not
     * declare a new `AWS::SecretsManager::Secret` resource (inferred from the signature; confirm).
     *
     * @param scope Scope in which the reference is defined
     * @param id Construct identifier for the reference
     * @param secretId Identifier of the existing secret — presumably ARN or name, as with the
     *   `SecretId` properties elsewhere in this file; verify against the implementation
     */
    static fromSecretId(scope: constructs.Construct, id: string, secretId: string): ISecretRef;
    /**
     * Returns the ARN string for the secret behind `resource`.
     *
     * @param resource reference to the secret whose ARN is wanted
     */
    static arnForSecret(resource: ISecretRef): string;
    /**
     * The description of the secret.
     */
    private _description?;
    /**
     * A structure that specifies how to generate a password to encrypt and store in the secret.
     */
    private _generateSecretString?;
    /**
     * The ARN, key ID, or alias of the AWS key that Secrets Manager uses to encrypt the secret value in the secret.
     */
    private _kmsKeyId?;
    /**
     * The name of the new secret.
     */
    private _name?;
    /**
     * A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
     */
    private _replicaRegions?;
    /**
     * The text to encrypt and store in the secret.
     */
    private _secretString?;
    /**
     * Tag Manager which manages the tags for this resource
     */
    readonly tags: cdk.TagManager;
    /**
     * A list of tags to attach to the secret.
     */
    private _tagsRaw?;
    /**
     * The exact string that identifies the third-party partner that holds the external secret.
     */
    private _type?;
    /**
     * Create a new `AWS::SecretsManager::Secret`.
     *
     * @param scope Scope in which this resource is defined
     * @param id Construct identifier for this resource (unique in its scope)
     * @param props Resource properties (optional; every member of `CfnSecretProps` may be omitted)
     */
    constructor(scope: constructs.Construct, id: string, props?: CfnSecretProps);
    /**
     * A `SecretReference` describing this secret, for consumers that only need a reference
     * rather than the construct itself.
     */
    get secretRef(): SecretReference;
    /**
     * The description of the secret.
     */
    get description(): string | undefined;
    /**
     * The description of the secret.
     */
    set description(value: string | undefined);
    /**
     * A structure that specifies how to generate a password to encrypt and store in the secret.
     *
     * Alternative to `secretString`: the value is produced by the service rather than written
     * into the template (see `GenerateSecretStringProperty`).
     */
    get generateSecretString(): CfnSecret.GenerateSecretStringProperty | cdk.IResolvable | undefined;
    /**
     * A structure that specifies how to generate a password to encrypt and store in the secret.
     */
    set generateSecretString(value: CfnSecret.GenerateSecretStringProperty | cdk.IResolvable | undefined);
    /**
     * The ARN, key ID, or alias of the AWS key that Secrets Manager uses to encrypt the secret value in the secret.
     *
     * NOTE(review): when left `undefined` the service default key presumably applies; a customer
     * managed key is generally needed for cross-account access to the secret — confirm against
     * the CloudFormation documentation linked on the class.
     */
    get kmsKeyId(): string | undefined;
    /**
     * The ARN, key ID, or alias of the AWS key that Secrets Manager uses to encrypt the secret value in the secret.
     */
    set kmsKeyId(value: string | undefined);
    /**
     * The name of the new secret.
     */
    get name(): string | undefined;
    /**
     * The name of the new secret.
     */
    set name(value: string | undefined);
    /**
     * A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
     *
     * The encryption key is configured per replica region (see `ReplicaRegionProperty`).
     */
    get replicaRegions(): Array<cdk.IResolvable | CfnSecret.ReplicaRegionProperty> | cdk.IResolvable | undefined;
    /**
     * A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
     */
    set replicaRegions(value: Array<cdk.IResolvable | CfnSecret.ReplicaRegionProperty> | cdk.IResolvable | undefined);
    /**
     * The text to encrypt and store in the secret.
     *
     * NOTE(review): typed as a plain `string`; a literal assigned here is rendered into the
     * template by this class, so prefer `generateSecretString` or a deploy-time reference
     * for real secret material.
     */
    get secretString(): string | undefined;
    /**
     * The text to encrypt and store in the secret.
     */
    set secretString(value: string | undefined);
    /**
     * A list of tags to attach to the secret.
     *
     * Raw tag list as passed in props; `tags` is the managed view of the same data.
     */
    get tagsRaw(): Array<cdk.CfnTag> | undefined;
    /**
     * A list of tags to attach to the secret.
     */
    set tagsRaw(value: Array<cdk.CfnTag> | undefined);
    /**
     * The exact string that identifies the third-party partner that holds the external secret.
     */
    get type(): string | undefined;
    /**
     * The exact string that identifies the third-party partner that holds the external secret.
     */
    set type(value: string | undefined);
    /**
     * The ARN of the secret.
     *
     * @cloudformationAttribute Id
     */
    get attrId(): string;
    /**
     * The property bag that is rendered into the CloudFormation resource.
     */
    protected get cfnProperties(): Record<string, any>;
    /**
     * Examines the CloudFormation resource and discloses attributes
     *
     * @param inspector tree inspector to collect and process attributes
     */
    inspect(inspector: cdk.TreeInspector): void;
    /**
     * Transforms the construct's property bag into the shape written to the template.
     * The mapping itself lives in the implementation, not in this declaration file.
     *
     * @param props property bag to render
     * @returns the rendered property map
     */
    protected renderProperties(props: Record<string, any>): Record<string, any>;
}
export declare namespace CfnSecret {
    /**
     * Generates a random password.
     *
     * We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
     *
     * *Required permissions:* `secretsmanager:GetRandomPassword` . For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html
     */
    interface GenerateSecretStringProperty {
        /**
         * A string of the characters that you don't want in the password.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludecharacters
         */