UNPKG

cdk-sops-secrets

Version:

CDK Constructs that syncs your sops secrets into AWS SecretsManager secrets.

constructs.dev/packages/cdk-sops-secrets

dbsystel/cdk-sops-secrets

253 lines (252 loc) • 9.68 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
import { SecretValue } from 'aws-cdk-lib'; import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2'; import { IGrantable, IRole } from 'aws-cdk-lib/aws-iam'; import { IKey } from 'aws-cdk-lib/aws-kms'; import { SingletonFunction } from 'aws-cdk-lib/aws-lambda'; import { RetentionDays, ILogGroup } from 'aws-cdk-lib/aws-logs'; import { Asset } from 'aws-cdk-lib/aws-s3-assets'; import { ISecret } from 'aws-cdk-lib/aws-secretsmanager'; import { IStringParameter } from 'aws-cdk-lib/aws-ssm'; import { Construct } from 'constructs'; export declare enum UploadType { /** * Pass the secret data inline (base64 encoded and compressed) */ INLINE = "INLINE", /** * Uplaod the secret data as asset */ ASSET = "ASSET" } export declare enum ResourceType { SECRET = "SECRET", SECRET_RAW = "SECRET_RAW", SECRET_BINARY = "SECRET_BINARY", PARAMETER = "PARAMETER", PARAMETER_MULTI = "PARAMETER_MULTI" } /** * Configuration options for the SopsSync */ export interface SopsSyncOptions { /** * The custom resource provider to use. If you don't specify any, a new * provider will be created - or if already exists within this stack - reused. * * @default - A new singleton provider will be created */ readonly sopsProvider?: SopsSyncProvider; /** * The filepath to the sops file */ readonly sopsFilePath?: string; /** * If you want to pass the sops file via s3, you can specify the bucket * you can use cfn parameter here * Both, sopsS3Bucket and sopsS3Key have to be specified */ readonly sopsS3Bucket?: string; /** * If you want to pass the sops file via s3, you can specify the key inside the bucket * you can use cfn parameter here * Both, sopsS3Bucket and sopsS3Key have to be specified */ readonly sopsS3Key?: string; /** * How should the secret be passed to the CustomResource? * @default INLINE */ readonly uploadType?: UploadType; /** * The format of the sops file. * * @default - The fileformat will be derived from the file ending */ readonly sopsFileFormat?: undefined | 'json' | 'yaml' | 'dotenv' | 'binary'; /** * The kmsKey used to encrypt the sops file. Encrypt permissions * will be granted to the custom resource provider. * * @default - The key will be derived from the sops file */ readonly sopsKmsKey?: IKey[]; /** * The age key that should be used for encryption. */ readonly sopsAgeKey?: SecretValue; /** * Should this construct automatically create IAM permissions? * * @default true */ readonly autoGenerateIamPermissions?: boolean; /** * The encryption key used by the CDK default Asset S3 Bucket. * @default - Trying to get the key using the CDK Bootstrap context. */ readonly assetEncryptionKey?: IKey; } /** * The configuration options extended by the target Secret / Parameter */ export interface SopsSyncProps extends SopsSyncOptions { /** * The target to populate with the sops file content. * - for secret, it's the name or arn of the secret * - for parameter, it's the name of the parameter * - for parameter multi, it's the prefix of the parameters */ readonly target: string; /** * If the structure should be flattened use the provided separator between keys. * * @default - undefined */ readonly flattenSeparator?: string; /** * The encryption key used for encrypting the ssm parameter if `parameterName` is set. */ readonly encryptionKey?: IKey; /** * Will this Sync deploy a Secret or Parameter(s) */ readonly resourceType: ResourceType; readonly secret?: ISecret; readonly parameterNames?: string[]; } /** * Configuration options for a custom SopsSyncProvider. */ export interface SopsSyncProviderProps { /** * VPC network to place Lambda network interfaces. * * @default - Lambda function is not placed within a VPC. */ readonly vpc?: IVpc; /** * Where to place the network interfaces within the VPC. * * @default - Subnets will be chosen automatically. */ readonly vpcSubnets?: SubnetSelection; /** * Only if `vpc` is supplied: The list of security groups to associate with the Lambda's network interfaces. * * @default - A dedicated security group will be created for the lambda function. */ readonly securityGroups?: ISecurityGroup[]; /** * The role that should be used for the custom resource provider. * If you don't specify any, a new role will be created with all required permissions * * @default - a new role will be created */ readonly role?: IRole; /** * The number of days log events are kept in CloudWatch Logs. When updating * this property, unsetting it doesn't remove the log retention policy. To * remove the retention policy, set the value to `INFINITE`. * * This is a legacy API and we strongly recommend you move away from it if you can. * Instead create a fully customizable log group with `logs.LogGroup` and use the `logGroup` property * to instruct the Lambda function to send logs to it. * Migrating from `logRetention` to `logGroup` will cause the name of the log group to change. * Users and code and referencing the name verbatim will have to adjust. * * In AWS CDK code, you can access the log group name directly from the LogGroup construct: * ```ts * import * as logs from 'aws-cdk-lib/aws-logs'; * * declare const myLogGroup: logs.LogGroup; * myLogGroup.logGroupName; * ``` * * @default logs.RetentionDays.INFINITE */ readonly logRetention?: RetentionDays; /** * The log group the function sends logs to. * * By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/{function-name}. * However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention. * * Use the `logGroup` property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it. * * Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. * If you are deploying to another type of region, please check regional availability first. * * @default `/aws/lambda/${this.functionName}` - default log group created by Lambda */ readonly logGroup?: ILogGroup; /** * A unique identifier to identify this provider * * Overwrite the default, if you need a dedicated provider. * * @default SopsSyncProvider */ readonly uuid?: string; } export declare class SopsSyncProvider extends SingletonFunction implements IGrantable { private sopsAgeKeys; private sopsAgeKeyParams; constructor(scope: Construct, id?: string, props?: SopsSyncProviderProps); addAgeKey(key: SecretValue): void; /** * Configure the Lambda to fetch an age private key from an SSM Parameter * Store SecureString at runtime, rather than injecting it as a plaintext * environment variable at synthesis time. * * The KMS key used to encrypt the SecureString is required: storing an age * private key without envelope encryption is considered insecure. * * The Lambda is automatically granted `ssm:GetParameter` on the parameter * and `kms:Decrypt` on the encryption key. * * @param param Parameter name string (e.g. '/sops/age/key') or an * `IStringParameter` reference from `aws-cdk-lib/aws-ssm`. * @param encryptionKey KMS key used to encrypt the SecureString parameter. */ addAgeKeyFromSsmParameter(param: string | IStringParameter, encryptionKey: IKey): void; } /** * The custom resource, that is syncing the content from a sops file to a secret. */ export declare class SopsSync extends Construct { /** * The current versionId of the secret populated via this resource */ readonly versionId: string; constructor(scope: Construct, id: string, props: SopsSyncProps); } export declare namespace Permissions { /** * Grants the necessary permissions for encrypt/decrypt on the customer managed encryption key * for the secrets / parameters. */ function encryptionKey(key: IKey | undefined, target: IGrantable): void; function keysFromSopsContent(ctx: Construct, c: string): IKey[]; function keysFromSopsContentAlias(ctx: Construct, c: string): IKey[]; /** * Grants the necessary permissions to decrypt the given sops file content. * Takes user defined keys, and searches the sops file for keys and aliases. */ function sopsKeys(ctx: Construct, props: { userDefinedKeys?: IKey[]; sopsFileContent: string; role: IRole; }): void; /** * Grants the necessary permissions to write the given secrets. */ function secret(targetSecret: ISecret | undefined, target: IGrantable): void; /** * Grants the necessary permissions to write the given parameters. */ function parameters(ctx: Construct, targetParameters: string[] | undefined, role: IRole): void; /** * Grants the necessary permissions to read the given asset from S3. */ function assetBucket(context: Construct, asset: Asset | undefined, target: IGrantable, assetKey: IKey | undefined): void; }