awssecretsmanager



Functions

func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME

func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME() *string

func CfnResourcePolicy_IsCfnElement

func CfnResourcePolicy_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnResourcePolicy_IsCfnResource

func CfnResourcePolicy_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnResourcePolicy_IsConstruct

func CfnResourcePolicy_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME

func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME() *string

func CfnRotationSchedule_IsCfnElement

func CfnRotationSchedule_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnRotationSchedule_IsCfnResource

func CfnRotationSchedule_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnRotationSchedule_IsConstruct

func CfnRotationSchedule_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME

func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME() *string

func CfnSecretTargetAttachment_IsCfnElement

func CfnSecretTargetAttachment_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnSecretTargetAttachment_IsCfnResource

func CfnSecretTargetAttachment_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnSecretTargetAttachment_IsConstruct

func CfnSecretTargetAttachment_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func CfnSecret_CFN_RESOURCE_TYPE_NAME

func CfnSecret_CFN_RESOURCE_TYPE_NAME() *string

func CfnSecret_IsCfnElement

func CfnSecret_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnSecret_IsCfnResource

func CfnSecret_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnSecret_IsConstruct

func CfnSecret_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func NewCfnResourcePolicy_Override

func NewCfnResourcePolicy_Override(c CfnResourcePolicy, scope awscdk.Construct, id *string, props *CfnResourcePolicyProps)

Create a new `AWS::SecretsManager::ResourcePolicy`.

func NewCfnRotationSchedule_Override

func NewCfnRotationSchedule_Override(c CfnRotationSchedule, scope awscdk.Construct, id *string, props *CfnRotationScheduleProps)

Create a new `AWS::SecretsManager::RotationSchedule`.

func NewCfnSecretTargetAttachment_Override

func NewCfnSecretTargetAttachment_Override(c CfnSecretTargetAttachment, scope awscdk.Construct, id *string, props *CfnSecretTargetAttachmentProps)

Create a new `AWS::SecretsManager::SecretTargetAttachment`.

func NewCfnSecret_Override

func NewCfnSecret_Override(c CfnSecret, scope awscdk.Construct, id *string, props *CfnSecretProps)

Create a new `AWS::SecretsManager::Secret`.

func NewResourcePolicy_Override

func NewResourcePolicy_Override(r ResourcePolicy, scope constructs.Construct, id *string, props *ResourcePolicyProps)

Experimental.

func NewRotationSchedule_Override

func NewRotationSchedule_Override(r RotationSchedule, scope constructs.Construct, id *string, props *RotationScheduleProps)

Experimental.

func NewSecretRotationApplication_Override

func NewSecretRotationApplication_Override(s SecretRotationApplication, applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions)

Experimental.

func NewSecretRotation_Override

func NewSecretRotation_Override(s SecretRotation, scope constructs.Construct, id *string, props *SecretRotationProps)

Experimental.

func NewSecretTargetAttachment_Override

func NewSecretTargetAttachment_Override(s SecretTargetAttachment, scope constructs.Construct, id *string, props *SecretTargetAttachmentProps)

Experimental.

func NewSecret_Override

func NewSecret_Override(s Secret, scope constructs.Construct, id *string, props *SecretProps)

Experimental.

func ResourcePolicy_IsConstruct

func ResourcePolicy_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func ResourcePolicy_IsResource

func ResourcePolicy_IsResource(construct awscdk.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func RotationSchedule_IsConstruct

func RotationSchedule_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func RotationSchedule_IsResource

func RotationSchedule_IsResource(construct awscdk.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func SecretRotation_IsConstruct

func SecretRotation_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func SecretTargetAttachment_IsConstruct

func SecretTargetAttachment_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func SecretTargetAttachment_IsResource

func SecretTargetAttachment_IsResource(construct awscdk.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func Secret_IsConstruct

func Secret_IsConstruct(x interface{}) *bool

Return whether the given object is a Construct. Experimental.

func Secret_IsResource

func Secret_IsResource(construct awscdk.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

Types

type AttachedSecretOptions

// AttachedSecretOptions carries the single input needed to attach a secret
// to a target: the target itself. The JSON tag mirrors the upstream (jsii)
// property name.
type AttachedSecretOptions struct {
	// The target to attach the secret to.
	// Must implement ISecretAttachmentTarget (declared elsewhere in this package).
	// Experimental.
	Target ISecretAttachmentTarget `json:"target"`
}

Options to add a secret attachment to a secret.

TODO: EXAMPLE

Experimental.

type AttachmentTargetType

// AttachmentTargetType is a string enum naming the kind of service or
// database a secret is attached to; see the AttachmentTargetType_* constants.
type AttachmentTargetType string

The type of service or database that's being associated with the secret. Experimental.

// Enumerated AttachmentTargetType values. The string values are the enum
// member names from the upstream library, not CloudFormation TargetType
// strings (those look like "AWS::RDS::DBInstance", see
// CfnSecretTargetAttachmentProps.TargetType); the mapping between the two
// is not shown on this page — TODO confirm in the upstream source.
const (
	// An RDS database instance.
	AttachmentTargetType_INSTANCE          AttachmentTargetType = "INSTANCE"
	// An RDS database cluster.
	AttachmentTargetType_CLUSTER           AttachmentTargetType = "CLUSTER"
	// An RDS proxy.
	AttachmentTargetType_RDS_DB_PROXY      AttachmentTargetType = "RDS_DB_PROXY"
	// A Redshift cluster.
	AttachmentTargetType_REDSHIFT_CLUSTER  AttachmentTargetType = "REDSHIFT_CLUSTER"
	// A DocumentDB instance.
	AttachmentTargetType_DOCDB_DB_INSTANCE AttachmentTargetType = "DOCDB_DB_INSTANCE"
	// A DocumentDB cluster.
	AttachmentTargetType_DOCDB_DB_CLUSTER  AttachmentTargetType = "DOCDB_DB_CLUSTER"
)

type CfnResourcePolicy

// CfnResourcePolicy is the Go binding for the CloudFormation resource
// AWS::SecretsManager::ResourcePolicy. In addition to the embedded CDK
// interfaces it exposes a getter/setter pair for each CloudFormation
// property (BlockPublicPolicy, ResourcePolicy, SecretId); the remaining
// methods are the generic CfnResource/construct surface that every Cfn*
// interface in this package shares.
type CfnResourcePolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// BlockPublicPolicy / SetBlockPublicPolicy map to the BlockPublicPolicy
	// property (typed interface{} as in the upstream binding).
	BlockPublicPolicy() interface{}
	SetBlockPublicPolicy(val interface{})
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() awscdk.ConstructNode
	Ref() *string
	// ResourcePolicy / SetResourcePolicy map to the ResourcePolicy property,
	// i.e. the resource-based policy document attached to the secret.
	ResourcePolicy() interface{}
	SetResourcePolicy(val interface{})
	// SecretId / SetSecretId map to the SecretId property (ARN or name).
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// Spelled "Properites" upstream; the name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	// Template-level override helpers and construct lifecycle hooks.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	OverrideLogicalId(newLogicalId *string)
	Prepare()
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::SecretsManager::ResourcePolicy`.

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see [Authentication and access control for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).

For information about attaching a policy in the console, see [Attach a permissions policy to a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html) .

*Required permissions:* `secretsmanager:PutResourcePolicy` . For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .

TODO: EXAMPLE

func NewCfnResourcePolicy

func NewCfnResourcePolicy(scope awscdk.Construct, id *string, props *CfnResourcePolicyProps) CfnResourcePolicy

Create a new `AWS::SecretsManager::ResourcePolicy`.

type CfnResourcePolicyProps

// CfnResourcePolicyProps holds the properties for a CfnResourcePolicy
// (AWS::SecretsManager::ResourcePolicy). Field names and JSON tags mirror
// the CloudFormation property names; fields typed interface{} are declared
// that way in the upstream binding, and which values beyond a plain JSON
// value they accept is not shown here.
type CfnResourcePolicyProps struct {
	// A JSON-formatted string for an AWS resource-based policy.
	//
	// For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html).
	ResourcePolicy interface{} `json:"resourcePolicy"`
	// The ARN or name of the secret to attach the resource-based policy.
	//
	// For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
	SecretId *string `json:"secretId"`
	// Specifies whether to block resource-based policies that allow broad access to the secret.
	//
	// By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.
	//
	// NOTE(review): that default lives in the service, not in this struct.
	// Setting the field explicitly keeps the intent visible in the stack
	// definition and makes a policy review independent of the service default.
	BlockPublicPolicy interface{} `json:"blockPublicPolicy"`
}

Properties for defining a `CfnResourcePolicy`.

TODO: EXAMPLE

type CfnRotationSchedule

// CfnRotationSchedule is the Go binding for the CloudFormation resource
// AWS::SecretsManager::RotationSchedule. It exposes a getter/setter pair
// for each CloudFormation property (HostedRotationLambda, RotationLambdaArn,
// RotationRules, SecretId); the remaining methods are the generic
// CfnResource/construct surface shared by every Cfn* interface here.
type CfnRotationSchedule interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// HostedRotationLambda / SetHostedRotationLambda map to the
	// HostedRotationLambda property (see
	// CfnRotationSchedule_HostedRotationLambdaProperty).
	HostedRotationLambda() interface{}
	SetHostedRotationLambda(val interface{})
	LogicalId() *string
	Node() awscdk.ConstructNode
	Ref() *string
	// RotationLambdaArn / SetRotationLambdaArn map to the RotationLambdaArn
	// property: the ARN of a caller-supplied rotation function.
	RotationLambdaArn() *string
	SetRotationLambdaArn(val *string)
	// RotationRules / SetRotationRules map to the RotationRules property
	// (see CfnRotationSchedule_RotationRulesProperty).
	RotationRules() interface{}
	SetRotationRules(val interface{})
	// SecretId / SetSecretId map to the SecretId property (ARN or name).
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// Spelled "Properites" upstream; the name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	// Template-level override helpers and construct lifecycle hooks.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	OverrideLogicalId(newLogicalId *string)
	Prepare()
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::SecretsManager::RotationSchedule`.

Configures rotation for a secret. You must already configure the secret with the details of the database or service. If you define both the secret and the database or service in an AWS CloudFormation template, then define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.

> When you configure rotation for a secret, AWS CloudFormation automatically rotates the secret one time.

TODO: EXAMPLE

func NewCfnRotationSchedule

func NewCfnRotationSchedule(scope awscdk.Construct, id *string, props *CfnRotationScheduleProps) CfnRotationSchedule

Create a new `AWS::SecretsManager::RotationSchedule`.

type CfnRotationScheduleProps

// CfnRotationScheduleProps holds the properties for a CfnRotationSchedule
// (AWS::SecretsManager::RotationSchedule). HostedRotationLambda and
// RotationLambdaArn are the two ways of naming the rotation function; the
// field comments below state when each applies.
type CfnRotationScheduleProps struct {
	// The ARN or name of the secret to rotate.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.
	SecretId *string `json:"secretId"`
	// To use these values, you must specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the CloudFormation template.
	//
	// When you enter valid values for `RotationSchedule.HostedRotationLambda`, Secrets Manager launches a Lambda that performs rotation on the secret specified in the `secret-id` property. The template creates a Lambda as part of a nested stack within the current stack.
	//
	// Expected value: a CfnRotationSchedule_HostedRotationLambdaProperty
	// (typed interface{} in the upstream binding).
	HostedRotationLambda interface{} `json:"hostedRotationLambda"`
	// The ARN of the Lambda function that can rotate the secret.
	//
	// If you don't specify this parameter, then the secret must already have the ARN of a Lambda function configured.
	//
	// To reference a Lambda function also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the function's logical ID.
	RotationLambdaArn *string `json:"rotationLambdaArn"`
	// A structure that defines the rotation configuration for this secret.
	//
	// Expected value: a CfnRotationSchedule_RotationRulesProperty
	// (typed interface{} in the upstream binding).
	RotationRules interface{} `json:"rotationRules"`
}

Properties for defining a `CfnRotationSchedule`.

TODO: EXAMPLE

type CfnRotationSchedule_HostedRotationLambdaProperty

// CfnRotationSchedule_HostedRotationLambdaProperty describes a rotation
// function that Secrets Manager hosts on the caller's behalf (the
// HostedRotationLambda property of AWS::SecretsManager::RotationSchedule).
// Every field is an optional *string; the VPC fields are comma-separated
// lists packed into a single string, not slices.
type CfnRotationSchedule_HostedRotationLambdaProperty struct {
	// The type of rotation template to use. For more information, see [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html).
	//
	// You can specify one of the following `RotationTypes`:
	//
	// - MySQLSingleUser
	// - MySQLMultiUser
	// - PostgreSQLSingleUser
	// - PostgreSQLMultiUser
	// - OracleSingleUser
	// - OracleMultiUser
	// - MariaDBSingleUser
	// - MariaDBMultiUser
	// - SQLServerSingleUser
	// - SQLServerMultiUser
	// - RedshiftSingleUser
	// - RedshiftMultiUser
	// - MongoDBSingleUser
	// - MongoDBMultiUser
	RotationType *string `json:"rotationType"`
	// The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
	//
	// If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	KmsKeyArn *string `json:"kmsKeyArn"`
	// The ARN of the secret that contains elevated credentials.
	//
	// The Lambda rotation function uses this secret for the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users).
	// Only the *MultiUser rotation types use this; leave it unset for the
	// single-user types so the hosted function is not granted access to a
	// privileged secret it does not need.
	MasterSecretArn *string `json:"masterSecretArn"`
	// The ARN of the KMS key that Secrets Manager uses to encrypt the elevated secret if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). If you don't specify this value and you use the alternating users strategy, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	MasterSecretKmsKeyArn *string `json:"masterSecretKmsKeyArn"`
	// The name of the Lambda rotation function.
	RotationLambdaName *string `json:"rotationLambdaName"`
	// `CfnRotationSchedule.HostedRotationLambdaProperty.SuperuserSecretArn`.
	// NOTE(review): undocumented upstream at this version; presumably the
	// superuser counterpart of MasterSecretArn — confirm against the
	// CloudFormation resource reference before relying on it.
	SuperuserSecretArn *string `json:"superuserSecretArn"`
	// `CfnRotationSchedule.HostedRotationLambdaProperty.SuperuserSecretKmsKeyArn`.
	// NOTE(review): undocumented upstream at this version; presumably the
	// KMS key for SuperuserSecretArn, mirroring MasterSecretKmsKeyArn — confirm.
	SuperuserSecretKmsKeyArn *string `json:"superuserSecretKmsKeyArn"`
	// A comma-separated list of security group IDs applied to the target database.
	//
	// The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.
	VpcSecurityGroupIds *string `json:"vpcSecurityGroupIds"`
	// A comma-separated list of VPC subnet IDs of the target database network.
	//
	// The Lambda rotation function is in the same subnet group.
	VpcSubnetIds *string `json:"vpcSubnetIds"`
}

Specifies that you want to create a hosted Lambda rotation function.

To use these values, you must specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the CloudFormation template.

TODO: EXAMPLE

type CfnRotationSchedule_RotationRulesProperty

// CfnRotationSchedule_RotationRulesProperty is the RotationRules structure
// of AWS::SecretsManager::RotationSchedule: at this version it carries only
// the rotation interval in days.
type CfnRotationSchedule_RotationRulesProperty struct {
	// Specifies the number of days between automatic scheduled rotations of the secret.
	//
	// Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
	//
	// *float64 mirrors the CloudFormation Number type; the text above
	// describes a whole number of days — TODO confirm whether fractional
	// values are accepted before passing one.
	AutomaticallyAfterDays *float64 `json:"automaticallyAfterDays"`
}

A structure that defines the rotation configuration for the secret.

TODO: EXAMPLE

type CfnSecret

// CfnSecret is the Go binding for the CloudFormation resource
// AWS::SecretsManager::Secret. It exposes a getter/setter pair for each
// CloudFormation property (Description, GenerateSecretString, KmsKeyId,
// Name, ReplicaRegions, SecretString) plus a Tags manager; the remaining
// methods are the generic CfnResource/construct surface shared by every
// Cfn* interface here.
type CfnSecret interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Description / SetDescription map to the Description property.
	Description() *string
	SetDescription(val *string)
	// GenerateSecretString / SetGenerateSecretString map to the
	// GenerateSecretString property (see CfnSecret_GenerateSecretStringProperty).
	GenerateSecretString() interface{}
	SetGenerateSecretString(val interface{})
	// KmsKeyId / SetKmsKeyId map to the KmsKeyId property.
	KmsKeyId() *string
	SetKmsKeyId(val *string)
	LogicalId() *string
	// Name / SetName map to the Name property.
	Name() *string
	SetName(val *string)
	Node() awscdk.ConstructNode
	Ref() *string
	// ReplicaRegions / SetReplicaRegions map to the ReplicaRegions property.
	ReplicaRegions() interface{}
	SetReplicaRegions(val interface{})
	// SecretString / SetSecretString map to the SecretString property.
	// NOTE(review): a literal passed to SetSecretString becomes part of the
	// stack definition; the resource documentation recommends
	// GenerateSecretString instead.
	SecretString() *string
	SetSecretString(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// Spelled "Properites" upstream; the name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	// Template-level override helpers and construct lifecycle hooks.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	OverrideLogicalId(newLogicalId *string)
	Prepare()
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::SecretsManager::Secret`.

Creates a new secret. A *secret* is a set of credentials, such as a user name and password, that you store in an encrypted form in Secrets Manager. The secret also includes the connection information to access a database or other service, which Secrets Manager doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.

For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) .

For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) .

To specify the encrypted value for the secret, you must include either the `GenerateSecretString` or the `SecretString` property, but not both. We recommend that you use the `GenerateSecretString` property to generate a random password as shown in the examples. You can't generate a secret with a `SecretBinary` secret value using AWS CloudFormation.

> Do not create a dynamic reference using a backslash `(\)` as the final value. AWS CloudFormation cannot resolve those references, which causes a resource failure.

TODO: EXAMPLE

func NewCfnSecret

func NewCfnSecret(scope awscdk.Construct, id *string, props *CfnSecretProps) CfnSecret

Create a new `AWS::SecretsManager::Secret`.

type CfnSecretProps

// CfnSecretProps holds the properties for a CfnSecret
// (AWS::SecretsManager::Secret). Exactly one of GenerateSecretString and
// SecretString must be set; every other field is optional.
type CfnSecretProps struct {
	// The description of the secret.
	Description *string `json:"description"`
	// A structure that specifies how to generate a password to encrypt and store in the secret.
	//
	// Either `GenerateSecretString` or `SecretString` must have a value, but not both. They cannot both be empty.
	//
	// We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
	//
	// Expected value: a CfnSecret_GenerateSecretStringProperty (typed
	// interface{} in the upstream binding).
	GenerateSecretString interface{} `json:"generateSecretString"`
	// The ARN, key ID, or alias of the AWS KMS key that Secrets Manager uses to encrypt the secret value in the secret.
	//
	// To use a AWS KMS key in a different account, use the key ARN or the alias ARN.
	//
	// If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager`. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
	//
	// If the secret is in a different AWS account from the credentials calling the API, then you can't use `aws/secretsmanager` to encrypt the secret, and you must create and use a customer managed AWS KMS key.
	KmsKeyId *string `json:"kmsKeyId"`
	// The name of the new secret.
	//
	// The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-
	//
	// Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
	Name *string `json:"name"`
	// A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.
	ReplicaRegions interface{} `json:"replicaRegions"`
	// The text to encrypt and store in the secret.
	//
	// We recommend you use a JSON structure of key/value pairs for your secret value.
	//
	// Either `GenerateSecretString` or `SecretString` must have a value, but not both. They cannot both be empty. We recommend that you use the `GenerateSecretString` property to generate a random password.
	//
	// NOTE(review): a literal value here is part of the stack definition
	// (source, synthesized template); that is the reason the recommendation
	// above favours GenerateSecretString.
	SecretString *string `json:"secretString"`
	// A list of tags to attach to the secret.
	//
	// Each tag is a key and value pair of strings in a JSON text string, for example:
	//
	// `[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`
	//
	// Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc".
	//
	// If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2).
	//
	// For information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json). If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.
	//
	// The following restrictions apply to tags:
	//
	// - Maximum number of tags per secret: 50
	// - Maximum key length: 127 Unicode characters in UTF-8
	// - Maximum value length: 255 Unicode characters in UTF-8
	// - Tag keys and values are case sensitive.
	// - Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.
	// - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
	Tags *[]*awscdk.CfnTag `json:"tags"`
}

Properties for defining a `CfnSecret`.

TODO: EXAMPLE

type CfnSecretTargetAttachment

// CfnSecretTargetAttachment is the Go binding for the CloudFormation
// resource AWS::SecretsManager::SecretTargetAttachment. It exposes a
// getter/setter pair for each CloudFormation property (SecretId, TargetId,
// TargetType); the remaining methods are the generic CfnResource/construct
// surface shared by every Cfn* interface here.
type CfnSecretTargetAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() awscdk.ConstructNode
	Ref() *string
	// SecretId / SetSecretId map to the SecretId property (ARN or name).
	SecretId() *string
	SetSecretId(val *string)
	Stack() awscdk.Stack
	// TargetId / SetTargetId map to the TargetId property (ARN of the
	// database or cluster).
	TargetId() *string
	SetTargetId(val *string)
	// TargetType / SetTargetType map to the TargetType property; see the
	// allowed values on CfnSecretTargetAttachmentProps.TargetType.
	TargetType() *string
	SetTargetType(val *string)
	// Spelled "Properites" upstream; the name is part of the public API.
	UpdatedProperites() *map[string]interface{}
	// Template-level override helpers and construct lifecycle hooks.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	OverrideLogicalId(newLogicalId *string)
	Prepare()
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::SecretsManager::SecretTargetAttachment`.

The `AWS::SecretsManager::SecretTargetAttachment` resource completes the final link between a Secrets Manager secret and the associated database. This is required because each has a dependency on the other. No matter which one you create first, the other doesn't exist yet. To resolve this, you must create the resources in the following order:

- Define the secret without referencing the service or database. You can't reference the service or database because it doesn't exist yet. The secret must contain a user name and password.
- Next, define the service or database. Include the reference to the secret to use stored credentials to define the database admin user and password.
- Finally, define a `SecretTargetAttachment` resource type to finish configuring the secret with the required database engine type and the connection details of the service or database. The rotation function requires the details, if you attach one later by defining a [AWS::SecretsManager::RotationSchedule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource type.

TODO: EXAMPLE

func NewCfnSecretTargetAttachment

func NewCfnSecretTargetAttachment(scope awscdk.Construct, id *string, props *CfnSecretTargetAttachmentProps) CfnSecretTargetAttachment

Create a new `AWS::SecretsManager::SecretTargetAttachment`.

type CfnSecretTargetAttachmentProps

// CfnSecretTargetAttachmentProps holds the properties for a
// CfnSecretTargetAttachment (AWS::SecretsManager::SecretTargetAttachment).
// All three fields are required by the resource's ordering rules described
// above; TargetType is a plain *string here, not an AttachmentTargetType.
type CfnSecretTargetAttachmentProps struct {
	// The ARN or name of the secret.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.
	SecretId *string `json:"secretId"`
	// The ARN of the database or cluster.
	TargetId *string `json:"targetId"`
	// A string that defines the type of service or database associated with the secret.
	//
	// This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:
	//
	// - AWS::RDS::DBInstance
	// - AWS::RDS::DBCluster
	// - AWS::Redshift::Cluster
	// - AWS::DocDB::DBInstance
	// - AWS::DocDB::DBCluster
	TargetType *string `json:"targetType"`
}

Properties for defining a `CfnSecretTargetAttachment`.

TODO: EXAMPLE

type CfnSecret_GenerateSecretStringProperty

// CloudFormation-level configuration for generating a random password
// (`GenerateSecretString` on `AWS::SecretsManager::Secret`).
//
// Secrets Manager recommends specifying the maximum length and including
// every character type that the target system supports; each Exclude*
// switch narrows the alphabet the password is drawn from.
//
// The boolean switches are typed interface{} by the generated binding
// (presumably a bool or a CloudFormation token — confirm against the CDK docs).
type CfnSecret_GenerateSecretStringProperty struct {
	// A string of the characters that you don't want in the password.
	ExcludeCharacters *string `json:"excludeCharacters"`
	// Specifies whether to exclude lowercase letters from the password.
	//
	// If you don't include this switch, the password can contain lowercase letters.
	ExcludeLowercase interface{} `json:"excludeLowercase"`
	// Specifies whether to exclude numbers from the password.
	//
	// If you don't include this switch, the password can contain numbers.
	ExcludeNumbers interface{} `json:"excludeNumbers"`
	// Specifies whether to exclude the punctuation characters
	// ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
	// from the password.
	//
	// If you don't include this switch, the password can contain punctuation.
	ExcludePunctuation interface{} `json:"excludePunctuation"`
	// Specifies whether to exclude uppercase letters from the password.
	//
	// If you don't include this switch, the password can contain uppercase letters.
	ExcludeUppercase interface{} `json:"excludeUppercase"`
	// The JSON key name for the key/value pair, where the value is the generated password.
	//
	// This pair is added to the JSON structure specified by the `SecretStringTemplate` parameter. If you specify this parameter, then you must also specify `SecretStringTemplate` .
	GenerateStringKey *string `json:"generateStringKey"`
	// Specifies whether to include the space character.
	//
	// If you include this switch, the password can contain space characters.
	IncludeSpace interface{} `json:"includeSpace"`
	// The length of the password.
	//
	// If you don't include this parameter, the default length is 32 characters.
	PasswordLength *float64 `json:"passwordLength"`
	// Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation.
	//
	// If you don't include this switch, the password contains at least one of every character type.
	RequireEachIncludedType interface{} `json:"requireEachIncludedType"`
	// A template that the generated string must match.
	SecretStringTemplate *string `json:"secretStringTemplate"`
}

Generates a random password.

We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.

*Required permissions:* `secretsmanager:GetRandomPassword` . For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) .

TODO: EXAMPLE

type CfnSecret_ReplicaRegionProperty

// CloudFormation-level description of one replica of a secret: the target
// `Region` and the `KmsKeyId` used to encrypt the replica there.
type CfnSecret_ReplicaRegionProperty struct {
	// The region the secret is replicated to.
	Region *string `json:"region"`
	// The ARN, key ID, or alias of the KMS key to encrypt the replica secret.
	//
	// If you don't include this field, Secrets Manager uses `aws/secretsmanager`
	// (the AWS-managed key). Specify a customer-managed key when you need
	// control over the key policy of the replica.
	KmsKeyId *string `json:"kmsKeyId"`
}

A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.

TODO: EXAMPLE

type HostedRotation

// A hosted rotation: a rotation Lambda managed by Secrets Manager rather than
// one supplied by the user. Instances are obtained from the HostedRotation_*
// factory functions (one per engine and single/multi-user scheme).
// Experimental.
type HostedRotation interface {
	awsec2.IConnectable
	// Network connections of the rotation function (from awsec2.IConnectable).
	Connections() awsec2.Connections
	// Binds this hosted rotation to `secret` within `scope` and returns the
	// `HostedRotationLambda` property block for the rotation schedule.
	Bind(secret ISecret, scope constructs.Construct) *CfnRotationSchedule_HostedRotationLambdaProperty
}

A hosted rotation.

TODO: EXAMPLE

Experimental.

func HostedRotation_MariaDbMultiUser

func HostedRotation_MariaDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

MariaDB Multi User. Experimental.

func HostedRotation_MariaDbSingleUser

func HostedRotation_MariaDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

MariaDB Single User. Experimental.

func HostedRotation_MongoDbMultiUser

func HostedRotation_MongoDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

MongoDB Multi User. Experimental.

func HostedRotation_MongoDbSingleUser

func HostedRotation_MongoDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

MongoDB Single User. Experimental.

func HostedRotation_MysqlMultiUser

func HostedRotation_MysqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

MySQL Multi User. Experimental.

func HostedRotation_MysqlSingleUser

func HostedRotation_MysqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

MySQL Single User. Experimental.

func HostedRotation_OracleMultiUser

func HostedRotation_OracleMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

Oracle Multi User. Experimental.

func HostedRotation_OracleSingleUser

func HostedRotation_OracleSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

Oracle Single User. Experimental.

func HostedRotation_PostgreSqlMultiUser

func HostedRotation_PostgreSqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

PostgreSQL Multi User. Experimental.

func HostedRotation_PostgreSqlSingleUser

func HostedRotation_PostgreSqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

PostgreSQL Single User. Experimental.

func HostedRotation_RedshiftMultiUser

func HostedRotation_RedshiftMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

Redshift Multi User. Experimental.

func HostedRotation_RedshiftSingleUser

func HostedRotation_RedshiftSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

Redshift Single User. Experimental.

func HostedRotation_SqlServerMultiUser

func HostedRotation_SqlServerMultiUser(options *MultiUserHostedRotationOptions) HostedRotation

SQL Server Multi User. Experimental.

func HostedRotation_SqlServerSingleUser

func HostedRotation_SqlServerSingleUser(options *SingleUserHostedRotationOptions) HostedRotation

SQL Server Single User. Experimental.

type HostedRotationType

// Hosted rotation type: identifies one of the Secrets Manager-provided
// rotation functions. Values are obtained from the HostedRotationType_*
// functions.
// Experimental.
type HostedRotationType interface {
	// Whether this type uses the multi-user rotation scheme.
	IsMultiUser() *bool
	// The name of the hosted rotation type.
	Name() *string
}

Hosted rotation type.

TODO: EXAMPLE

Experimental.

func HostedRotationType_MARIADB_MULTI_USER

func HostedRotationType_MARIADB_MULTI_USER() HostedRotationType

func HostedRotationType_MARIADB_SINGLE_USER

func HostedRotationType_MARIADB_SINGLE_USER() HostedRotationType

func HostedRotationType_MONGODB_MULTI_USER

func HostedRotationType_MONGODB_MULTI_USER() HostedRotationType

func HostedRotationType_MONGODB_SINGLE_USER

func HostedRotationType_MONGODB_SINGLE_USER() HostedRotationType

func HostedRotationType_MYSQL_MULTI_USER

func HostedRotationType_MYSQL_MULTI_USER() HostedRotationType

func HostedRotationType_MYSQL_SINGLE_USER

func HostedRotationType_MYSQL_SINGLE_USER() HostedRotationType

func HostedRotationType_ORACLE_MULTI_USER

func HostedRotationType_ORACLE_MULTI_USER() HostedRotationType

func HostedRotationType_ORACLE_SINGLE_USER

func HostedRotationType_ORACLE_SINGLE_USER() HostedRotationType

func HostedRotationType_POSTGRESQL_MULTI_USER

func HostedRotationType_POSTGRESQL_MULTI_USER() HostedRotationType

func HostedRotationType_POSTGRESQL_SINGLE_USER

func HostedRotationType_POSTGRESQL_SINGLE_USER() HostedRotationType

func HostedRotationType_REDSHIFT_MULTI_USER

func HostedRotationType_REDSHIFT_MULTI_USER() HostedRotationType

func HostedRotationType_REDSHIFT_SINGLE_USER

func HostedRotationType_REDSHIFT_SINGLE_USER() HostedRotationType

func HostedRotationType_SQLSERVER_MULTI_USER

func HostedRotationType_SQLSERVER_MULTI_USER() HostedRotationType

func HostedRotationType_SQLSERVER_SINGLE_USER

func HostedRotationType_SQLSERVER_SINGLE_USER() HostedRotationType

type ISecret

// A secret in AWS Secrets Manager, either created in this stack or imported.
// Experimental.
type ISecret interface {
	awscdk.IResource
	// Adds a rotation schedule to the secret.
	// Experimental.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Adds a statement to the IAM resource policy associated with this secret.
	//
	// If this secret was created in this stack, a resource policy will be
	// automatically created upon the first call to `addToResourcePolicy`. If
	// the secret is imported, then this is a no-op — check the returned
	// result rather than assuming the statement took effect (the result
	// presumably reports whether the statement was added; confirm against awsiam).
	// Experimental.
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	// Attach a target to this secret.
	//
	// Returns: An attached secret
	// Experimental.
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies the `DeleteSecret` action to all principals within the current account.
	// Experimental.
	DenyAccountRootDelete()
	// Grants reading the secret value to the grantee.
	//
	// `versionStages` optionally restricts the grant to the listed version
	// stages (nil grants all stages).
	// Experimental.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value to the grantee.
	// Experimental.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	// Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
	// Experimental.
	SecretValueFromJson(key *string) awscdk.SecretValue
	// The customer-managed encryption key that is used to encrypt this secret, if any.
	//
	// When not specified, the default
	// KMS key for the account and region is being used.
	// Experimental.
	EncryptionKey() awskms.IKey
	// The ARN of the secret in AWS Secrets Manager.
	//
	// Will return the full ARN if available, otherwise a partial arn.
	// For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
	// Experimental.
	SecretArn() *string
	// The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
	//
	// This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
	// Experimental.
	SecretFullArn() *string
	// The name of the secret.
	//
	// For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
	// '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
	// Experimental.
	SecretName() *string
	// Retrieve the value of the stored secret as a `SecretValue`.
	// Experimental.
	SecretValue() awscdk.SecretValue
}

A secret in AWS Secrets Manager. Experimental.

func Secret_FromSecretArn deprecated

func Secret_FromSecretArn(scope constructs.Construct, id *string, secretArn *string) ISecret

Deprecated: use `fromSecretCompleteArn` or `fromSecretPartialArn`

func Secret_FromSecretAttributes

func Secret_FromSecretAttributes(scope constructs.Construct, id *string, attrs *SecretAttributes) ISecret

Import an existing secret into the Stack. Experimental.

func Secret_FromSecretCompleteArn

func Secret_FromSecretCompleteArn(scope constructs.Construct, id *string, secretCompleteArn *string) ISecret

Imports a secret by complete ARN.

The complete ARN is the ARN with the Secrets Manager-supplied suffix. Experimental.

func Secret_FromSecretName

func Secret_FromSecretName(scope constructs.Construct, id *string, secretName *string) ISecret

Imports a secret by secret name; the ARN of the Secret will be set to the secret name. A secret with this name must exist in the same account & region. Deprecated: use `fromSecretNameV2`

func Secret_FromSecretNameV2

func Secret_FromSecretNameV2(scope constructs.Construct, id *string, secretName *string) ISecret

Imports a secret by secret name.

A secret with this name must exist in the same account & region. Replaces the deprecated `fromSecretName`. Experimental.

func Secret_FromSecretPartialArn

func Secret_FromSecretPartialArn(scope constructs.Construct, id *string, secretPartialArn *string) ISecret

Imports a secret by partial ARN.

The partial ARN is the ARN without the Secrets Manager-supplied suffix. Experimental.

type ISecretAttachmentTarget

// A secret attachment target: a service or database that a secret can be
// attached to via `ISecret.Attach`.
// Experimental.
type ISecretAttachmentTarget interface {
	// Renders the target specifications (target id and type).
	// Experimental.
	AsSecretAttachmentTarget() *SecretAttachmentTargetProps
}

A secret attachment target. Experimental.

type ISecretTargetAttachment

// A secret that has been attached to a target; it is itself an `ISecret`.
// Experimental.
type ISecretTargetAttachment interface {
	ISecret
	// Same as `secretArn`.
	// Experimental.
	SecretTargetAttachmentSecretArn() *string
}

Experimental.

func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn

func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn(scope constructs.Construct, id *string, secretTargetAttachmentSecretArn *string) ISecretTargetAttachment

Experimental.

type MultiUserHostedRotationOptions

// Multi user hosted rotation options.
// Experimental.
type MultiUserHostedRotationOptions struct {
	// A name for the Lambda created to rotate the secret.
	// Experimental.
	FunctionName *string `json:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	// Experimental.
	SecurityGroups *[]awsec2.ISecurityGroup `json:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	// Experimental.
	Vpc awsec2.IVpc `json:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Experimental.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets"`
	// The master secret for a multi user rotation scheme.
	//
	// In the multi-user scheme the master secret is used to create users and
	// change passwords, so the rotation function is granted access to these
	// higher-privileged credentials; scope its access accordingly.
	// Experimental.
	MasterSecret ISecret `json:"masterSecret"`
}

Multi user hosted rotation options.

TODO: EXAMPLE

Experimental.

type ReplicaRegion

// Secret replica region: a region to replicate the secret to, with an
// optional customer-managed key for the replica.
// Experimental.
type ReplicaRegion struct {
	// The name of the region.
	// Experimental.
	Region *string `json:"region"`
	// The customer-managed encryption key to use for encrypting the secret value.
	// Experimental.
	EncryptionKey awskms.IKey `json:"encryptionKey"`
}

Secret replica region.

TODO: EXAMPLE

Experimental.

type ResourcePolicy

// Resource Policy for SecretsManager Secrets.
//
// Policies define the operations that are allowed on the secret. You almost
// never need to define this construct directly — prefer `addToResourcePolicy()`
// on the secret, which creates the policy on first use.
// Experimental.
type ResourcePolicy interface {
	awscdk.Resource
	// The IAM policy document attached to the secret.
	Document() awsiam.PolicyDocument
	// Resource attribute and lifecycle methods. These appear to be the
	// embedded awscdk.Resource surface — consult that type for semantics.
	Env() *awscdk.ResourceEnvironment
	Node() awscdk.ConstructNode
	PhysicalName() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	Prepare()
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
}

Resource Policy for SecretsManager Secrets.

Policies define the operations that are allowed on this resource.

You almost never need to define this construct directly.

All AWS resources that support resource policies have a method called `addToResourcePolicy()`, which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.

Prefer to use `addToResourcePolicy()` instead.

TODO: EXAMPLE

Experimental.

func NewResourcePolicy

func NewResourcePolicy(scope constructs.Construct, id *string, props *ResourcePolicyProps) ResourcePolicy

Experimental.

type ResourcePolicyProps

// Construction properties for a ResourcePolicy.
// Experimental.
type ResourcePolicyProps struct {
	// The secret to attach a resource-based permissions policy to.
	// Experimental.
	Secret ISecret `json:"secret"`
}

Construction properties for a ResourcePolicy.

TODO: EXAMPLE

Experimental.

type RotationSchedule

// A rotation schedule: the `AWS::SecretsManager::RotationSchedule` resource
// that rotates a secret with either a hosted rotation or a user-supplied Lambda.
// Experimental.
type RotationSchedule interface {
	awscdk.Resource
	// Resource attribute and lifecycle methods. These appear to be the
	// embedded awscdk.Resource surface — consult that type for semantics.
	Env() *awscdk.ResourceEnvironment
	Node() awscdk.ConstructNode
	PhysicalName() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	Prepare()
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
}

A rotation schedule.

TODO: EXAMPLE

Experimental.

func NewRotationSchedule

func NewRotationSchedule(scope constructs.Construct, id *string, props *RotationScheduleProps) RotationSchedule

Experimental.

type RotationScheduleOptions

// Options to add a rotation schedule to a secret.
//
// Presumably exactly one of `HostedRotation` and `RotationLambda` should be
// set — confirm with the construct's validation.
// Experimental.
type RotationScheduleOptions struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	// Experimental.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter"`
	// Hosted rotation (a Secrets Manager-provided rotation function).
	// Experimental.
	HostedRotation HostedRotation `json:"hostedRotation"`
	// A Lambda function that can rotate the secret.
	// Experimental.
	RotationLambda awslambda.IFunction `json:"rotationLambda"`
}

Options to add a rotation schedule to a secret.

TODO: EXAMPLE

Experimental.

type RotationScheduleProps

// Construction properties for a RotationSchedule.
//
// Presumably exactly one of `HostedRotation` and `RotationLambda` should be
// set — confirm with the construct's validation.
// Experimental.
type RotationScheduleProps struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	// Experimental.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter"`
	// Hosted rotation (a Secrets Manager-provided rotation function).
	// Experimental.
	HostedRotation HostedRotation `json:"hostedRotation"`
	// A Lambda function that can rotate the secret.
	// Experimental.
	RotationLambda awslambda.IFunction `json:"rotationLambda"`
	// The secret to rotate.
	//
	// If hosted rotation is used, this must be a JSON string with the following format:
	//
	// ```
	// {
	//    "engine": <required: database engine>,
	//    "host": <required: instance host name>,
	//    "username": <required: username>,
	//    "password": <required: password>,
	//    "dbname": <optional: database name>,
	//    "port": <optional: if not specified, default port will be used>,
	//    "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	// Experimental.
	Secret ISecret `json:"secret"`
}

Construction properties for a RotationSchedule.

TODO: EXAMPLE

Experimental.

type Secret

// Creates a new secret in AWS SecretsManager.
//
// Method semantics for the `ISecret` part of the surface are documented on
// `ISecret`; the remaining methods appear to be the embedded awscdk.Resource
// surface — consult that type for semantics.
// Experimental.
type Secret interface {
	awscdk.Resource
	ISecret
	ArnForPolicies() *string
	AutoCreatePolicy() *bool
	// The customer-managed encryption key used for this secret, if any.
	EncryptionKey() awskms.IKey
	Env() *awscdk.ResourceEnvironment
	Node() awscdk.ConstructNode
	PhysicalName() *string
	// Full ARN if available, otherwise a partial ARN (see ISecret).
	SecretArn() *string
	SecretFullArn() *string
	SecretName() *string
	// The stored secret as a `SecretValue`.
	SecretValue() awscdk.SecretValue
	Stack() awscdk.Stack
	// Adds a replica of this secret in `region`, optionally encrypted with `encryptionKey`.
	AddReplicaRegion(region *string, encryptionKey awskms.IKey)
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Attaches this secret to a target and returns the resulting attachment.
	AddTargetAttachment(id *string, options *AttachedSecretOptions) SecretTargetAttachment
	// Adds a statement to the secret's resource policy (see ISecret).
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies `DeleteSecret` to all principals in the current account.
	DenyAccountRootDelete()
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	// Grants reading the secret value; `versionStages` optionally limits the grant.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	Prepare()
	// Interprets the secret as JSON and returns `jsonField` as a `SecretValue`.
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
}

Creates a new secret in AWS SecretsManager.

TODO: EXAMPLE

Experimental.

func NewSecret

func NewSecret(scope constructs.Construct, id *string, props *SecretProps) Secret

Experimental.

type SecretAttachmentTargetProps

// Attachment target specifications, as rendered by
// `ISecretAttachmentTarget.AsSecretAttachmentTarget`.
// Experimental.
type SecretAttachmentTargetProps struct {
	// The id of the target to attach the secret to.
	// Experimental.
	TargetId *string `json:"targetId"`
	// The type of the target to attach the secret to.
	// Experimental.
	TargetType AttachmentTargetType `json:"targetType"`
}

Attachment target specifications.

TODO: EXAMPLE

Experimental.

type SecretAttributes

// Attributes required to import an existing secret into the Stack.
//
// Exactly one ARN form (`secretArn`, `secretCompleteArn`, `secretPartialArn`)
// must be provided; the three are mutually exclusive.
// Experimental.
type SecretAttributes struct {
	// The encryption key that is used to encrypt the secret, unless the default SecretsManager key is used.
	// Experimental.
	EncryptionKey awskms.IKey `json:"encryptionKey"`
	// The ARN of the secret in SecretsManager.
	//
	// Cannot be used with `secretCompleteArn` or `secretPartialArn`.
	//
	// Deprecated: use `secretCompleteArn` or `secretPartialArn` instead.
	SecretArn *string `json:"secretArn"`
	// The complete ARN of the secret in SecretsManager.
	//
	// This is the ARN including the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretPartialArn`.
	// Experimental.
	SecretCompleteArn *string `json:"secretCompleteArn"`
	// The partial ARN of the secret in SecretsManager.
	//
	// This is the ARN without the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretCompleteArn`.
	// Experimental.
	SecretPartialArn *string `json:"secretPartialArn"`
}

Attributes required to import an existing secret into the Stack.

One ARN format (`secretArn`, `secretCompleteArn`, `secretPartialArn`) must be provided.

TODO: EXAMPLE

Experimental.

type SecretProps

// The properties required to create a new secret in AWS Secrets Manager.
//
// Only one of `secretStringBeta1` and `generateSecretString` can be provided;
// leaving both unset lets Secrets Manager generate the value.
// Experimental.
type SecretProps struct {
	// An optional, human-friendly description of the secret.
	// Experimental.
	Description *string `json:"description"`
	// The customer-managed encryption key to use for encrypting the secret value.
	// Experimental.
	EncryptionKey awskms.IKey `json:"encryptionKey"`
	// Configuration for how to generate a secret value.
	//
	// Only one of `secretString` and `generateSecretString` can be provided.
	// Experimental.
	GenerateSecretString *SecretStringGenerator `json:"generateSecretString"`
	// Policy to apply when the secret is removed from this stack.
	// Experimental.
	RemovalPolicy awscdk.RemovalPolicy `json:"removalPolicy"`
	// A list of regions where to replicate this secret.
	// Experimental.
	ReplicaRegions *[]*ReplicaRegion `json:"replicaRegions"`
	// A name for the secret.
	//
	// Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
	// 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
	// Experimental.
	SecretName *string `json:"secretName"`
	// Initial value for the secret.
	//
	// **NOTE:** It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
	// The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
	// and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to
	// another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
	// to the CloudFormation template (via the AWS Console, SDKs, or CLI).
	//
	// Specifies text data that you want to encrypt and store in this new version of the secret.
	// May be a simple string value, or a string representation of a JSON structure.
	//
	// Only one of `secretString` and `generateSecretString` can be provided.
	// Experimental.
	SecretStringBeta1 SecretStringValueBeta1 `json:"secretStringBeta1"`
}

The properties required to create a new secret in AWS Secrets Manager.

TODO: EXAMPLE

Experimental.

type SecretRotation

// Secret rotation for a service or database, driven by a serverless rotation
// application (`SecretRotationApplication`).
// Experimental.
type SecretRotation interface {
	awscdk.Construct
	// Construct lifecycle methods. These appear to be the embedded
	// awscdk.Construct surface — consult that type for semantics.
	Node() awscdk.ConstructNode
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	Prepare()
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
}

Secret rotation for a service or database.

TODO: EXAMPLE

Experimental.

func NewSecretRotation

func NewSecretRotation(scope constructs.Construct, id *string, props *SecretRotationProps) SecretRotation

Experimental.

type SecretRotationApplication

// A secret rotation serverless application. Predefined applications are
// obtained from the SecretRotationApplication_* functions; custom ones via
// `NewSecretRotationApplication`.
// Experimental.
type SecretRotationApplication interface {
	// The serverless application id.
	ApplicationId() *string
	// Whether the application uses the multi-user rotation scheme.
	IsMultiUser() *bool
	// The semantic version of the application.
	SemanticVersion() *string
	// The application ARN for the given AWS partition.
	ApplicationArnForPartition(partition *string) *string
	// The semantic version to use for the given AWS partition.
	SemanticVersionForPartition(partition *string) *string
}

A secret rotation serverless application.

TODO: EXAMPLE

Experimental.

func NewSecretRotationApplication

func NewSecretRotationApplication(applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions) SecretRotationApplication

Experimental.

func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER

func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER

func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER

func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER

func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER

func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER

func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER

func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER

func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER

func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER

func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER

func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER

func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER() SecretRotationApplication

func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER

func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER() SecretRotationApplication

func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER

func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER() SecretRotationApplication

type SecretRotationApplicationOptions

// Options for a SecretRotationApplication.
// Experimental.
type SecretRotationApplicationOptions struct {
	// Whether the rotation application uses the multi user scheme.
	// Experimental.
	IsMultiUser *bool `json:"isMultiUser"`
}

Options for a SecretRotationApplication.

TODO: EXAMPLE

Experimental.

type SecretRotationProps

// Construction properties for a SecretRotation.
// Experimental.
type SecretRotationProps struct {
	// The serverless application for the rotation.
	// Experimental.
	Application SecretRotationApplication `json:"application"`
	// The secret to rotate. It must be a JSON string with the following format:
	//
	// ```
	// {
	//    "engine": <required: database engine>,
	//    "host": <required: instance host name>,
	//    "username": <required: username>,
	//    "password": <required: password>,
	//    "dbname": <optional: database name>,
	//    "port": <optional: if not specified, default port will be used>,
	//    "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
	//
	// Experimental.
	Secret ISecret `json:"secret"`
	// The target service or database.
	// Experimental.
	Target awsec2.IConnectable `json:"target"`
	// The VPC where the Lambda rotation function will run.
	// Experimental.
	Vpc awsec2.IVpc `json:"vpc"`
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	// Experimental.
	AutomaticallyAfter awscdk.Duration `json:"automaticallyAfter"`
	// The VPC interface endpoint to use for the Secrets Manager API.
	//
	// If you enable private DNS hostnames for your VPC private endpoint (the default), you don't
	// need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager
	// CLI and SDKs use by default (https://secretsmanager.<region>.amazonaws.com) automatically
	// resolves to your VPC endpoint.
	// Experimental.
	Endpoint awsec2.IInterfaceVpcEndpoint `json:"endpoint"`
	// Characters which should not appear in the generated password.
	//
	// Each excluded character narrows the alphabet the password is drawn from.
	// Experimental.
	ExcludeCharacters *string `json:"excludeCharacters"`
	// The master secret for a multi user rotation scheme.
	//
	// Used to create users and change passwords, so the rotation function
	// receives access to these higher-privileged credentials.
	// Experimental.
	MasterSecret ISecret `json:"masterSecret"`
	// The security group for the Lambda rotation function.
	// Experimental.
	SecurityGroup awsec2.ISecurityGroup `json:"securityGroup"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Experimental.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets"`
}

Construction properties for a SecretRotation.

TODO: EXAMPLE

Experimental.

type SecretStringGenerator

// Configuration to generate secrets such as passwords automatically.
//
// Every Exclude* switch and every excluded character narrows the alphabet
// the password is drawn from; prefer the longest `passwordLength` the target
// system supports.
// Experimental.
type SecretStringGenerator struct {
	// A string that includes characters that shouldn't be included in the generated password.
	//
	// The string can be a minimum
	// of `0` and a maximum of `4096` characters long.
	// Experimental.
	ExcludeCharacters *string `json:"excludeCharacters"`
	// Specifies that the generated password shouldn't include lowercase letters.
	// Experimental.
	ExcludeLowercase *bool `json:"excludeLowercase"`
	// Specifies that the generated password shouldn't include digits.
	// Experimental.
	ExcludeNumbers *bool `json:"excludeNumbers"`
	// Specifies that the generated password shouldn't include punctuation characters.
	// Experimental.
	ExcludePunctuation *bool `json:"excludePunctuation"`
	// Specifies that the generated password shouldn't include uppercase letters.
	// Experimental.
	ExcludeUppercase *bool `json:"excludeUppercase"`
	// The JSON key name that's used to add the generated password to the JSON structure specified by the `secretStringTemplate` parameter.
	//
	// If you specify `generateStringKey` then `secretStringTemplate`
	// must also be specified.
	// Experimental.
	GenerateStringKey *string `json:"generateStringKey"`
	// Specifies that the generated password can include the space character.
	// Experimental.
	IncludeSpace *bool `json:"includeSpace"`
	// The desired length of the generated password.
	// Experimental.
	PasswordLength *float64 `json:"passwordLength"`
	// Specifies whether the generated password must include at least one of every allowed character type.
	// Experimental.
	RequireEachIncludedType *bool `json:"requireEachIncludedType"`
	// A properly structured JSON string that the generated password can be added to.
	//
	// The `generateStringKey` is
	// combined with the generated random string and inserted into the JSON structure that's specified by this parameter.
	// The merged JSON string is returned as the completed SecretString of the secret. If you specify `secretStringTemplate`
	// then `generateStringKey` must also be specified.
	// Experimental.
	SecretStringTemplate *string `json:"secretStringTemplate"`
}

Configuration to generate secrets such as passwords automatically.

TODO: EXAMPLE

Experimental.

type SecretStringValueBeta1

// An experimental wrapper for an initial secret value supplied to a Secret.
// Construct it with `SecretStringValueBeta1_FromToken` (for references to
// other resources) or `SecretStringValueBeta1_FromUnsafePlaintext`.
// Experimental.
type SecretStringValueBeta1 interface {
	// The wrapped string (or JSON representation) value.
	SecretValue() *string
}

An experimental class used to specify an initial secret value for a Secret.

The class wraps a simple string (or JSON representation) in order to provide some safety checks and warnings about the dangers of using plaintext strings as initial secret seed values via CDK/CloudFormation.

TODO: EXAMPLE

Experimental.

func SecretStringValueBeta1_FromToken

func SecretStringValueBeta1_FromToken(secretValueFromToken *string) SecretStringValueBeta1

Creates a `SecretStringValueBeta1` from a string value coming from a Token.

The intent is to enable creating secrets from references (e.g., `Ref`, `Fn::GetAtt`) from other resources. This might be the direct output of another Construct, or the output of a Custom Resource. This method throws if it determines the input is an unsafe plaintext string.

For example:

```ts
// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
const user = new iam.User(this, 'User');
const accessKey = new iam.CfnAccessKey(this, 'AccessKey', { userName: user.userName });
const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.attrSecretAccessKey);
new secretsmanager.Secret(this, 'Secret', {
  secretStringBeta1: secretValue,
});
```

The secret may also be embedded in a string representation of a JSON structure:

const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(JSON.stringify({
  username: user.userName,
  database: 'foo',
  password: accessKey.attrSecretAccessKey
}));

Note that the value being a Token does *not* guarantee safety. For example, a Lazy-evaluated string (e.g., `Lazy.string({ produce: () => 'myInsecurePassword' })`) is a Token, but since its output is ultimately a plaintext string, it is just as insecure. Experimental.

func SecretStringValueBeta1_FromUnsafePlaintext

func SecretStringValueBeta1_FromUnsafePlaintext(secretValue *string) SecretStringValueBeta1

Creates a `SecretStringValueBeta1` from a plaintext value.

This approach is inherently unsafe, as the secret value may be visible in your source control repository and will also appear in plaintext in the resulting CloudFormation template, including when the template is viewed through the AWS Console or APIs. Usage of this method is discouraged, especially for production workloads. Experimental.

type SecretTargetAttachment

// SecretTargetAttachment is an attached secret: a Secret bound to an attachment
// target (see SecretTargetAttachmentProps). It satisfies awscdk.Resource, ISecret
// and ISecretTargetAttachment, so the full ISecret surface (grants, resource
// policy, rotation schedule, value access) is available on the attachment, plus
// SecretTargetAttachmentSecretArn. Construct one with NewSecretTargetAttachment.
// Experimental.
type SecretTargetAttachment interface {
	// Embedded interfaces.
	awscdk.Resource
	ISecret
	ISecretTargetAttachment
	// Attribute accessors.
	ArnForPolicies() *string
	AutoCreatePolicy() *bool
	EncryptionKey() awskms.IKey
	Env() *awscdk.ResourceEnvironment
	Node() awscdk.ConstructNode
	PhysicalName() *string
	SecretArn() *string
	SecretFullArn() *string
	SecretName() *string
	SecretTargetAttachmentSecretArn() *string
	SecretValue() awscdk.SecretValue
	Stack() awscdk.Stack
	// Operations.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	Attach(target ISecretAttachmentTarget) ISecret
	DenyAccountRootDelete()
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	// NOTE(review): versionStages presumably narrows the read grant to the given
	// staging labels; nil is presumably "all stages" — confirm against ISecret.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	OnPrepare()
	OnSynthesize(session constructs.ISynthesisSession)
	OnValidate() *[]*string
	Prepare()
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	Synthesize(session awscdk.ISynthesisSession)
	ToString() *string
	Validate() *[]*string
}

An attached secret.

TODO: EXAMPLE

Experimental.

func NewSecretTargetAttachment

func NewSecretTargetAttachment(scope constructs.Construct, id *string, props *SecretTargetAttachmentProps) SecretTargetAttachment

Experimental.

type SecretTargetAttachmentProps

// SecretTargetAttachmentProps are the construction properties for
// NewSecretTargetAttachment: the secret to attach and the target to attach it to.
// Experimental.
type SecretTargetAttachmentProps struct {
	// The target to attach the secret to.
	// Experimental.
	Target ISecretAttachmentTarget `json:"target"`
	// The secret to attach to the target.
	// Experimental.
	Secret ISecret `json:"secret"`
}

Construction properties for an AttachedSecret.

TODO: EXAMPLE

Experimental.

type SingleUserHostedRotationOptions

// SingleUserHostedRotationOptions configures the hosted rotation Lambda for the
// single-user rotation scheme: the function's name and its VPC placement
// (Vpc, VpcSubnets, SecurityGroups).
//
// NOTE(review): when Vpc is set, the rotation function presumably needs network
// reachability to the secret's target from the chosen subnets and security
// groups — confirm against the rotation documentation before tightening them.
// Experimental.
type SingleUserHostedRotationOptions struct {
	// A name for the Lambda created to rotate the secret.
	// Experimental.
	FunctionName *string `json:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	// Experimental.
	SecurityGroups *[]awsec2.ISecurityGroup `json:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	// Experimental.
	Vpc awsec2.IVpc `json:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Experimental.
	VpcSubnets *awsec2.SubnetSelection `json:"vpcSubnets"`
}

Single user hosted rotation options.

TODO: EXAMPLE

Experimental.
