
cdk-sops-secrets


CDK Constructs that sync your sops secrets into AWS SecretsManager secrets.

import { AddToResourcePolicyResult, Grant, IGrantable, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IKey } from 'aws-cdk-lib/aws-kms';
import { ISecret, ISecretAttachmentTarget, ReplicaRegion, RotationSchedule, RotationScheduleOptions, SecretReference } from 'aws-cdk-lib/aws-secretsmanager';
import { ITopic, ITopicSubscription } from 'aws-cdk-lib/aws-sns';
import { RemovalPolicy, ResourceEnvironment, SecretsManagerSecretOptions, SecretValue, Stack } from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import { SopsSync, SopsSyncOptions } from './SopsSync';

/**
 * How the decrypted sops content is written into the SecretsManager secret
 * when no JSON transformation is wanted (see `SopsSecretProps.rawOutput`).
 */
export declare enum RawOutput {
  /**
   * Parse the secret as a string
   */
  STRING = "STRING",
  /**
   * Parse the secret as a binary
   */
  BINARY = "BINARY"
}

/**
 * Options for expiration notifications on secret keys.
 * When enabled, CDK reads unencrypted keys ending with the configured suffix
 * (e.g. `gitlab_token_expiration`) from the local `sopsFilePath` and
 * synthesizes one-time EventBridge Scheduler schedules that publish to SNS
 * before each expiration date.
 *
 * NOTE(review): because the expiration keys are read at synth time, they must
 * be left unencrypted in the sops file (presumably via sops'
 * `unencrypted_suffix` / `unencrypted_regex` configuration). Do not reuse the
 * suffix for keys that hold sensitive material — confirm against SopsSync.
 */
export interface ExpirationOptions {
  /**
   * Enable expiration notifications.
   *
   * @default false
   */
  readonly enabled?: boolean;
  /**
   * An existing SNS topic to publish expiration notifications to.
   * If not provided, a new SNS topic will be created automatically.
   *
   * When you bring your own topic, its access policy and subscriptions are
   * yours to manage; presumably the synthesized schedules need publish
   * permission on it — verify in the implementation.
   *
   * @default - A new SNS topic is created
   */
  readonly notificationTopic?: ITopic;
  /**
   * A subscriber to attach to the expiration notification topic.
   * Works for both an auto-created topic and a provided `notificationTopic`.
   *
   * @default - No subscriber is added
   */
  readonly subscriber?: ITopicSubscription;
  /**
   * The suffix used to identify expiration date keys in the secret.
   * For example, a suffix of `_expiration` will match any key like
   * `gitlab_token_expiration` and treat its value as the expiration date
   * for `gitlab_token`.
   *
   * @default '_expiration'
   */
  readonly expirationSuffix?: string;
  /**
   * Number of days before the expiration date to send the SNS notification,
   * or multiple reminder offsets to synthesize one schedule per value.
   *
   * @default 14
   */
  readonly daysBeforeExpiration?: number | number[];
}

/**
 * The configuration options of the SopsSecret
 */
export interface SopsSecretProps extends SopsSyncOptions {
  /**
   * Should the secret be parsed and transformed to JSON?
   * @default - undefined - STRING for binary secrets, else no raw output
   */
  readonly rawOutput?: RawOutput;
  /**
   * An optional, human-friendly description of the secret.
   *
   * @default - No description.
   */
  readonly description?: string;
  /**
   * The customer-managed encryption key to use for encrypting the secret value.
   *
   * NOTE(review): principals reading the secret also need `kms:Decrypt` on
   * this key; confirm that `grantRead` covers the key grant as it does for
   * the standard CDK Secret.
   *
   * @default - A default KMS key for the account and region is used.
   */
  readonly encryptionKey?: IKey;
  /**
   * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
   * 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
   *
   * @default - A name is generated by CloudFormation.
   */
  readonly secretName?: string;
  /**
   * Policy to apply when the secret is removed from this stack.
   *
   * @default - Not set.
   */
  readonly removalPolicy?: RemovalPolicy;
  /**
   * A list of regions where to replicate this secret.
   *
   * @default - Secret is not replicated
   */
  readonly replicaRegions?: ReplicaRegion[];
  /**
   * Configure expiration notifications for secret keys.
   * When `enabled: true`, CDK reads unencrypted expiration keys from the local
   * `sopsFilePath` and synthesizes one-time EventBridge Scheduler schedules
   * that publish to SNS before each expiration.
   *
   * @default - Expiration notifications are disabled
   */
  readonly expirationNotification?: ExpirationOptions;
}

/**
 * A drop in replacement for the normal Secret, that is populated with the encrypted
 * content of the given sops file.
 *
 * Implements the CDK `ISecret` contract, so it can be passed wherever a
 * Secret is expected (grants, rotation, attachment targets, dynamic references).
 */
export declare class SopsSecret extends Construct implements ISecret {
  /** The underlying SecretsManager secret resource (presumably; type not visible here). */
  private readonly secret;
  /** The customer-managed key from `SopsSecretProps.encryptionKey`, if one was given. */
  readonly encryptionKey?: IKey | undefined;
  /** ARN of the secret, as required by `ISecret`. */
  readonly secretArn: string;
  /** Full ARN including the random suffix, when known. */
  readonly secretFullArn?: string | undefined;
  /** Name of the secret, as required by `ISecret`. */
  readonly secretName: string;
  readonly secretRef: SecretReference;
  readonly stack: Stack;
  readonly env: ResourceEnvironment;
  /**
   * The SNS topic that receives expiration notifications.
   * Only set when expiration notifications are enabled.
   */
  readonly expirationNotificationTopic?: ITopic;
  /** The sync construct that decrypts the sops file and writes the secret value. */
  readonly sync: SopsSync;
  constructor(scope: Construct, id: string, props: SopsSecretProps);
  /**
   * Presumably synthesizes the one-time EventBridge Scheduler schedules
   * described on `ExpirationOptions` — implementation not visible here.
   */
  private addExpirationSchedules;
  /** Returns the version id of the secret as written by the current sync. */
  currentVersionId(): string;
  /**
   * Grants read access to the secret value to the given principal.
   *
   * @param grantee - The principal to grant access to.
   * @param versionStages - Optional version stages to restrict the grant to.
   */
  grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
  /**
   * Part of the `ISecret` contract. The leading underscore on the parameter
   * suggests the grantee is not used: the value is managed by the sync, so
   * write access is presumably not granted — verify the implementation before
   * relying on this.
   */
  grantWrite(_grantee: IGrantable): Grant;
  /** Adds a rotation schedule to the secret (see the CDK `ISecret` contract). */
  addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
  /** Adds a statement to the secret's resource policy. */
  addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
  /**
   * Per the CDK `ISecret` contract, denies the DeleteSecret action to all
   * principals within the current account.
   */
  denyAccountRootDelete(): void;
  /** Attaches the secret to a target (e.g. a database) and returns the attached secret. */
  attach(target: ISecretAttachmentTarget): ISecret;
  /** The key used to build a CloudFormation dynamic reference to this secret. */
  cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string;
  /** Applies the given removal policy to the underlying resource. */
  applyRemovalPolicy(policy: RemovalPolicy): void;
  /**
   * Returns a `SecretValue` for a single JSON field of the secret.
   *
   * @param jsonField - The JSON key to read.
   */
  secretValueFromJson(jsonField: string): SecretValue;
  /**
   * The whole secret as a `SecretValue` token; presumably resolves to a
   * dynamic reference rather than embedding plaintext — verify before use in templates.
   */
  get secretValue(): SecretValue;
}