
cdk-sops-secrets


CDK Constructs that sync your sops secrets into AWS SecretsManager secrets.

import { AddToResourcePolicyResult, Grant, IGrantable, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IKey } from 'aws-cdk-lib/aws-kms';
import { ISecret, ISecretAttachmentTarget, ReplicaRegion, RotationSchedule, RotationScheduleOptions } from 'aws-cdk-lib/aws-secretsmanager';
import { RemovalPolicy, ResourceEnvironment, SecretValue, Stack } from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import { SopsSync, SopsSyncOptions } from './SopsSync';
/**
 * Output format used when the decrypted sops content is passed through raw
 * instead of being parsed and transformed to JSON (see {@link SopsSecretProps.rawOutput}).
 */
export declare enum RawOutput {
    /**
     * Parse the secret as a string
     */
    STRING = "STRING",
    /**
     * Parse the secret as a binary
     */
    BINARY = "BINARY"
}
/**
 * The configuration options of the SopsSecret.
 *
 * Extends {@link SopsSyncOptions}, so everything that configures the
 * underlying sops sync (file, format, keys) is accepted here as well.
 */
export interface SopsSecretProps extends SopsSyncOptions {
    /**
     * Should the secret be parsed and transformed to JSON, or passed through
     * raw as the given {@link RawOutput} type?
     * @default - undefined - STRING for binary secrets, else no raw output
     */
    readonly rawOutput?: RawOutput;
    /**
     * An optional, human-friendly description of the secret.
     *
     * @default - No description.
     */
    readonly description?: string;
    /**
     * The customer-managed encryption key to use for encrypting the secret value.
     *
     * Principals reading the secret also need `kms:Decrypt` on this key; the
     * AWS-managed default key does not require a separate key policy grant.
     *
     * @default - A default KMS key for the account and region is used.
     */
    readonly encryptionKey?: IKey;
    /**
     * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
     * 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
     *
     * @default - A name is generated by CloudFormation.
     */
    readonly secretName?: string;
    /**
     * Policy to apply when the secret is removed from this stack.
     *
     * @default - Not set.
     */
    readonly removalPolicy?: RemovalPolicy;
    /**
     * A list of regions where to replicate this secret.
     *
     * @default - Secret is not replicated
     */
    readonly replicaRegions?: ReplicaRegion[];
}
/**
 * A drop in replacement for the normal Secret, that is populated with the encrypted
 * content of the given sops file.
 *
 * Implements {@link ISecret}, so it can be handed to any CDK construct that
 * expects a SecretsManager secret (grants, attachments, rotation).
 */
export declare class SopsSecret extends Construct implements ISecret {
    // The wrapped SecretsManager secret; presumably the ISecret members below delegate to it.
    private readonly secret;
    // KMS key the secret is encrypted with; undefined when the account default key is used.
    readonly encryptionKey?: IKey | undefined;
    // ARN of the secret (as exposed by ISecret; may omit the random suffix, see secretFullArn).
    readonly secretArn: string;
    // Full ARN including the SecretsManager suffix, when known at synthesis time.
    readonly secretFullArn?: string | undefined;
    readonly secretName: string;
    readonly stack: Stack;
    readonly env: ResourceEnvironment;
    // The SopsSync that decrypts the sops file and populates this secret.
    readonly sync: SopsSync;
    /**
     * @param scope parent construct
     * @param id construct id, unique within scope
     * @param props secret and sops sync configuration
     */
    constructor(scope: Construct, id: string, props: SopsSecretProps);
    /**
     * The id of the currently deployed secret version.
     * NOTE(review): assumed to be a CloudFormation token resolved at deploy time — confirm against the implementation.
     */
    currentVersionId(): string;
    /**
     * Grants read access to the secret to the given principal.
     * @param grantee principal to grant `secretsmanager:GetSecretValue` / `DescribeSecret` to
     * @param versionStages optional version stages the grant is restricted to
     */
    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
    /**
     * NOTE(review): the underscore-prefixed parameter suggests the grantee is not used and no
     * write permission is granted — which is consistent with a secret whose content is
     * owned by the sops sync. Confirm and document the actual behaviour (no-op vs. throw).
     */
    grantWrite(_grantee: IGrantable): Grant;
    /**
     * Adds a rotation schedule to the secret (ISecret contract).
     * NOTE(review): a rotation Lambda rewriting the value would diverge from the sops file; verify how this interacts with the sync.
     */
    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
    /**
     * Adds a statement to the secret's resource policy (ISecret contract).
     */
    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
    /**
     * Presumably adds a resource-policy statement denying the account root principal
     * `secretsmanager:DeleteSecret` — verify against the implementation.
     */
    denyAccountRootDelete(): void;
    /**
     * Attaches the secret to a SecretsManager attachment target (ISecret contract).
     */
    attach(target: ISecretAttachmentTarget): ISecret;
    /**
     * Applies the given removal policy to the underlying secret resource.
     */
    applyRemovalPolicy(policy: RemovalPolicy): void;
    /**
     * Returns a SecretValue for a single JSON field of the secret.
     * NOTE(review): SecretValue is a deploy-time reference; wherever it is consumed
     * (e.g. environment variables) the plaintext still lands in that resource.
     */
    secretValueFromJson(jsonField: string): SecretValue;
    /**
     * Returns a SecretValue for the whole secret string. Same caveat as secretValueFromJson.
     */
    get secretValue(): SecretValue;
}