- func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME() *string
- func CfnResourcePolicy_IsCfnElement(x interface{}) *bool
- func CfnResourcePolicy_IsCfnResource(x interface{}) *bool
- func CfnResourcePolicy_IsConstruct(x interface{}) *bool
- func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME() *string
- func CfnRotationSchedule_IsCfnElement(x interface{}) *bool
- func CfnRotationSchedule_IsCfnResource(x interface{}) *bool
- func CfnRotationSchedule_IsConstruct(x interface{}) *bool
- func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnSecretTargetAttachment_IsCfnElement(x interface{}) *bool
- func CfnSecretTargetAttachment_IsCfnResource(x interface{}) *bool
- func CfnSecretTargetAttachment_IsConstruct(x interface{}) *bool
- func CfnSecret_CFN_RESOURCE_TYPE_NAME() *string
- func CfnSecret_IsCfnElement(x interface{}) *bool
- func CfnSecret_IsCfnResource(x interface{}) *bool
- func CfnSecret_IsConstruct(x interface{}) *bool
- func NewCfnResourcePolicy_Override(c CfnResourcePolicy, scope constructs.Construct, id *string, ...)
- func NewCfnRotationSchedule_Override(c CfnRotationSchedule, scope constructs.Construct, id *string, ...)
- func NewCfnSecretTargetAttachment_Override(c CfnSecretTargetAttachment, scope constructs.Construct, id *string, ...)
- func NewCfnSecret_Override(c CfnSecret, scope constructs.Construct, id *string, props *CfnSecretProps)
- func NewResourcePolicy_Override(r ResourcePolicy, scope constructs.Construct, id *string, ...)
- func NewRotationSchedule_Override(r RotationSchedule, scope constructs.Construct, id *string, ...)
- func NewSecretRotationApplication_Override(s SecretRotationApplication, applicationId *string, semanticVersion *string, ...)
- func NewSecretRotation_Override(s SecretRotation, scope constructs.Construct, id *string, ...)
- func NewSecretTargetAttachment_Override(s SecretTargetAttachment, scope constructs.Construct, id *string, ...)
- func NewSecret_Override(s Secret, scope constructs.Construct, id *string, props *SecretProps)
- func ResourcePolicy_IsConstruct(x interface{}) *bool
- func ResourcePolicy_IsOwnedResource(construct constructs.IConstruct) *bool
- func ResourcePolicy_IsResource(construct constructs.IConstruct) *bool
- func RotationSchedule_IsConstruct(x interface{}) *bool
- func RotationSchedule_IsOwnedResource(construct constructs.IConstruct) *bool
- func RotationSchedule_IsResource(construct constructs.IConstruct) *bool
- func SecretRotation_IsConstruct(x interface{}) *bool
- func SecretTargetAttachment_IsConstruct(x interface{}) *bool
- func SecretTargetAttachment_IsOwnedResource(construct constructs.IConstruct) *bool
- func SecretTargetAttachment_IsResource(construct constructs.IConstruct) *bool
- func Secret_IsConstruct(x interface{}) *bool
- func Secret_IsOwnedResource(construct constructs.IConstruct) *bool
- func Secret_IsResource(construct constructs.IConstruct) *bool
- func Secret_IsSecret(x interface{}) *bool
- type AttachedSecretOptions
- type AttachmentTargetType
- type CfnResourcePolicy
- type CfnResourcePolicyProps
- type CfnRotationSchedule
- type CfnRotationScheduleProps
- type CfnRotationSchedule_HostedRotationLambdaProperty
- type CfnRotationSchedule_RotationRulesProperty
- type CfnSecret
- type CfnSecretProps
- type CfnSecretTargetAttachment
- type CfnSecretTargetAttachmentProps
- type CfnSecret_GenerateSecretStringProperty
- type CfnSecret_ReplicaRegionProperty
- type HostedRotation
- func HostedRotation_MariaDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MariaDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_MongoDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MongoDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_MysqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_MysqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_OracleMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_OracleSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_PostgreSqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_PostgreSqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_RedshiftMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_RedshiftSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- func HostedRotation_SqlServerMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
- func HostedRotation_SqlServerSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
- type HostedRotationType
- func HostedRotationType_MARIADB_MULTI_USER() HostedRotationType
- func HostedRotationType_MARIADB_SINGLE_USER() HostedRotationType
- func HostedRotationType_MONGODB_MULTI_USER() HostedRotationType
- func HostedRotationType_MONGODB_SINGLE_USER() HostedRotationType
- func HostedRotationType_MYSQL_MULTI_USER() HostedRotationType
- func HostedRotationType_MYSQL_SINGLE_USER() HostedRotationType
- func HostedRotationType_ORACLE_MULTI_USER() HostedRotationType
- func HostedRotationType_ORACLE_SINGLE_USER() HostedRotationType
- func HostedRotationType_POSTGRESQL_MULTI_USER() HostedRotationType
- func HostedRotationType_POSTGRESQL_SINGLE_USER() HostedRotationType
- func HostedRotationType_REDSHIFT_MULTI_USER() HostedRotationType
- func HostedRotationType_REDSHIFT_SINGLE_USER() HostedRotationType
- func HostedRotationType_SQLSERVER_MULTI_USER() HostedRotationType
- func HostedRotationType_SQLSERVER_SINGLE_USER() HostedRotationType
- type ISecret
- func Secret_FromSecretAttributes(scope constructs.Construct, id *string, attrs *SecretAttributes) ISecret
- func Secret_FromSecretCompleteArn(scope constructs.Construct, id *string, secretCompleteArn *string) ISecret
- func Secret_FromSecretNameV2(scope constructs.Construct, id *string, secretName *string) ISecret
- func Secret_FromSecretPartialArn(scope constructs.Construct, id *string, secretPartialArn *string) ISecret
- type ISecretAttachmentTarget
- type ISecretTargetAttachment
- type MultiUserHostedRotationOptions
- type ReplicaRegion
- type ResourcePolicy
- type ResourcePolicyProps
- type RotationSchedule
- type RotationScheduleOptions
- type RotationScheduleProps
- type Secret
- type SecretAttachmentTargetProps
- type SecretAttributes
- type SecretProps
- type SecretRotation
- type SecretRotationApplication
- func NewSecretRotationApplication(applicationId *string, semanticVersion *string, ...) SecretRotationApplication
- func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER() SecretRotationApplication
- func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER() SecretRotationApplication
- func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER() SecretRotationApplication
- type SecretRotationApplicationOptions
- type SecretRotationProps
- type SecretStringGenerator
- type SecretStringValueBeta1 (deprecated)
- type SecretTargetAttachment
- type SecretTargetAttachmentProps
- type SingleUserHostedRotationOptions
Functions ¶
func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME ¶
func CfnResourcePolicy_CFN_RESOURCE_TYPE_NAME() *string
func CfnResourcePolicy_IsCfnElement ¶
func CfnResourcePolicy_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnResourcePolicy_IsCfnResource ¶
func CfnResourcePolicy_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnResourcePolicy_IsConstruct ¶
func CfnResourcePolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME ¶
func CfnRotationSchedule_CFN_RESOURCE_TYPE_NAME() *string
func CfnRotationSchedule_IsCfnElement ¶
func CfnRotationSchedule_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnRotationSchedule_IsCfnResource ¶
func CfnRotationSchedule_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnRotationSchedule_IsConstruct ¶
func CfnRotationSchedule_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME ¶
func CfnSecretTargetAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnSecretTargetAttachment_IsCfnElement ¶
func CfnSecretTargetAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnSecretTargetAttachment_IsCfnResource ¶
func CfnSecretTargetAttachment_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnSecretTargetAttachment_IsConstruct ¶
func CfnSecretTargetAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnSecret_CFN_RESOURCE_TYPE_NAME ¶
func CfnSecret_CFN_RESOURCE_TYPE_NAME() *string
func CfnSecret_IsCfnElement ¶
func CfnSecret_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnSecret_IsCfnResource ¶
func CfnSecret_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnSecret_IsConstruct ¶
func CfnSecret_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func NewCfnResourcePolicy_Override ¶
func NewCfnResourcePolicy_Override(c CfnResourcePolicy, scope constructs.Construct, id *string, props *CfnResourcePolicyProps)
func NewCfnRotationSchedule_Override ¶
func NewCfnRotationSchedule_Override(c CfnRotationSchedule, scope constructs.Construct, id *string, props *CfnRotationScheduleProps)
func NewCfnSecretTargetAttachment_Override ¶
func NewCfnSecretTargetAttachment_Override(c CfnSecretTargetAttachment, scope constructs.Construct, id *string, props *CfnSecretTargetAttachmentProps)
func NewCfnSecret_Override ¶
func NewCfnSecret_Override(c CfnSecret, scope constructs.Construct, id *string, props *CfnSecretProps)
func NewResourcePolicy_Override ¶
func NewResourcePolicy_Override(r ResourcePolicy, scope constructs.Construct, id *string, props *ResourcePolicyProps)
func NewRotationSchedule_Override ¶
func NewRotationSchedule_Override(r RotationSchedule, scope constructs.Construct, id *string, props *RotationScheduleProps)
func NewSecretRotationApplication_Override ¶
func NewSecretRotationApplication_Override(s SecretRotationApplication, applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions)
func NewSecretRotation_Override ¶
func NewSecretRotation_Override(s SecretRotation, scope constructs.Construct, id *string, props *SecretRotationProps)
func NewSecretTargetAttachment_Override ¶
func NewSecretTargetAttachment_Override(s SecretTargetAttachment, scope constructs.Construct, id *string, props *SecretTargetAttachmentProps)
func NewSecret_Override ¶
func NewSecret_Override(s Secret, scope constructs.Construct, id *string, props *SecretProps)
func ResourcePolicy_IsConstruct ¶
func ResourcePolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func ResourcePolicy_IsOwnedResource ¶ added in v2.32.0
func ResourcePolicy_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func ResourcePolicy_IsResource ¶
func ResourcePolicy_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func RotationSchedule_IsConstruct ¶
func RotationSchedule_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func RotationSchedule_IsOwnedResource ¶ added in v2.32.0
func RotationSchedule_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func RotationSchedule_IsResource ¶
func RotationSchedule_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func SecretRotation_IsConstruct ¶
func SecretRotation_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func SecretTargetAttachment_IsConstruct ¶
func SecretTargetAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func SecretTargetAttachment_IsOwnedResource ¶ added in v2.32.0
func SecretTargetAttachment_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func SecretTargetAttachment_IsResource ¶
func SecretTargetAttachment_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func Secret_IsConstruct ¶
func Secret_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func Secret_IsOwnedResource ¶ added in v2.32.0
func Secret_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func Secret_IsResource ¶
func Secret_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func Secret_IsSecret ¶ added in v2.29.0
func Secret_IsSecret(x interface{}) *bool
Return whether the given object is a Secret.
Types ¶
type AttachedSecretOptions ¶
// AttachedSecretOptions holds the options used to add a secret attachment to a secret.
type AttachedSecretOptions struct {
	// The target to attach the secret to (marked required by the field tag).
	Target ISecretAttachmentTarget `field:"required" json:"target" yaml:"target"`
}
Options to add a secret attachment to a secret.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

// Placeholder for the resource the secret will be attached to.
var secretAttachmentTarget iSecretAttachmentTarget

attachedSecretOptions := &AttachedSecretOptions{
	Target: secretAttachmentTarget,
}
type AttachmentTargetType ¶
// AttachmentTargetType is the type of service or database that's being associated with the secret.
type AttachmentTargetType string
The type of service or database that's being associated with the secret.
// Supported values of AttachmentTargetType. Each constant's comment names the
// AWS resource type it stands for.
const (
	// AWS::RDS::DBInstance.
	AttachmentTargetType_RDS_DB_INSTANCE AttachmentTargetType = "RDS_DB_INSTANCE"
	// AWS::RDS::DBCluster.
	AttachmentTargetType_RDS_DB_CLUSTER AttachmentTargetType = "RDS_DB_CLUSTER"
	// AWS::RDS::DBProxy.
	AttachmentTargetType_RDS_DB_PROXY AttachmentTargetType = "RDS_DB_PROXY"
	// AWS::Redshift::Cluster.
	AttachmentTargetType_REDSHIFT_CLUSTER AttachmentTargetType = "REDSHIFT_CLUSTER"
	// AWS::DocDB::DBInstance.
	AttachmentTargetType_DOCDB_DB_INSTANCE AttachmentTargetType = "DOCDB_DB_INSTANCE"
	// AWS::DocDB::DBCluster.
	AttachmentTargetType_DOCDB_DB_CLUSTER AttachmentTargetType = "DOCDB_DB_CLUSTER"
)
type CfnResourcePolicy ¶
// CfnResourcePolicy attaches a resource-based permission policy to a secret.
//
// Generated L1 (CloudFormation-level) interface; it embeds awscdk.CfnResource
// and awscdk.IInspectable and lists the inherited override, dependency and
// metadata methods alongside the resource's own properties.
type CfnResourcePolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The Arn of the secret.
	AttrId() *string
	// Specifies whether to block resource-based policies that allow broad access to the secret.
	//
	// Per CfnResourcePolicyProps, the service default is to block such policies
	// (for example ones with a wildcard principal); an explicit false turns that
	// guard off, so treat a false value as a review point.
	BlockPublicPolicy() interface{}
	SetBlockPublicPolicy(val interface{})
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	// NOTE(review): undocumented in the generated source; confirm semantics against awscdk.CfnResource.
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// A JSON-formatted string for an AWS resource-based policy.
	//
	// The policy document is what grants or denies access to the secret; a
	// broad-access policy is only admitted when BlockPublicPolicy is false.
	ResourcePolicy() interface{}
	SetResourcePolicy(val interface{})
	// The ARN or name of the secret to attach the resource-based policy.
	SecretId() *string
	SetSecretId(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	// NOTE(review): undocumented in the generated source; by name it appears to
	// transform the property map before synthesis — confirm against awscdk.CfnResource.
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	// NOTE(review): undocumented in the generated source; the underscore-prefixed
	// parameter suggests the base implementation ignores it — confirm before relying on it.
	ValidateProperties(_properties interface{})
}
Attaches a resource-based permission policy to a secret.
A resource-based policy is optional. If a secret already has a resource policy attached, you must first remove it before attaching a new policy using this CloudFormation resource. You can remove the policy using the [console](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html), [CLI](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/delete-resource-policy.html), or [API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html). For more information, see [Authentication and access control for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
*Required permissions:* `secretsmanager:PutResourcePolicy`, `secretsmanager:GetResourcePolicy`. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

// Placeholder for the JSON-formatted resource-based policy document.
var resourcePolicy interface{}

cfnResourcePolicy := awscdk.Aws_secretsmanager.NewCfnResourcePolicy(this, jsii.String("MyCfnResourcePolicy"), &CfnResourcePolicyProps{
	ResourcePolicy: resourcePolicy,
	SecretId: jsii.String("secretId"),

	// the properties below are optional
	// Placeholder only: per CfnResourcePolicyProps, the service blocks broad-access
	// (e.g. wildcard-principal) policies by default, and an explicit false switches
	// that guard off. Leave it unset to keep the default.
	BlockPublicPolicy: jsii.Boolean(false),
})
func NewCfnResourcePolicy ¶
func NewCfnResourcePolicy(scope constructs.Construct, id *string, props *CfnResourcePolicyProps) CfnResourcePolicy
type CfnResourcePolicyProps ¶
// CfnResourcePolicyProps holds the properties for defining a `CfnResourcePolicy`.
//
// The struct tags are read by the jsii runtime and must not be edited.
type CfnResourcePolicyProps struct {
	// A JSON-formatted string for an AWS resource-based policy.
	//
	// For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html).
	//
	// This document is the access boundary of the secret; a policy that grants
	// broad access is only accepted when BlockPublicPolicy is explicitly false.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-resourcepolicy
	//
	ResourcePolicy interface{} `field:"required" json:"resourcePolicy" yaml:"resourcePolicy"`
	// The ARN or name of the secret to attach the resource-based policy.
	//
	// For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-secretid
	//
	SecretId *string `field:"required" json:"secretId" yaml:"secretId"`
	// Specifies whether to block resource-based policies that allow broad access to the secret.
	//
	// By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.
	//
	// Leaving this unset keeps that default; an explicit false disables the check
	// and lets such a policy through, so any false value deserves review.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-blockpublicpolicy
	//
	BlockPublicPolicy interface{} `field:"optional" json:"blockPublicPolicy" yaml:"blockPublicPolicy"`
}
Properties for defining a `CfnResourcePolicy`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

// Placeholder for the JSON-formatted resource-based policy document.
var resourcePolicy interface{}

cfnResourcePolicyProps := &CfnResourcePolicyProps{
	ResourcePolicy: resourcePolicy,
	SecretId: jsii.String("secretId"),

	// the properties below are optional
	// Placeholder only: the field docs say broad-access policies are blocked by
	// default, and an explicit false disables that guard. Omit it to keep the default.
	BlockPublicPolicy: jsii.Boolean(false),
}
type CfnRotationSchedule ¶
// CfnRotationSchedule sets the rotation schedule and Lambda rotation function for a secret.
//
// Generated L1 (CloudFormation-level) interface; it embeds awscdk.CfnResource
// and awscdk.IInspectable and lists the inherited override, dependency and
// metadata methods alongside the resource's own properties. The field docs
// describe HostedRotationLambda and RotationLambdaArn as alternatives.
type CfnRotationSchedule interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The ARN of the secret.
	AttrId() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	// NOTE(review): undocumented in the generated source; confirm semantics against awscdk.CfnResource.
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html). To use a rotation function that already exists, specify `RotationLambdaARN` instead.
	HostedRotationLambda() interface{}
	SetHostedRotationLambda(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
	//
	// Per CfnRotationScheduleProps, an unset value means the secret is rotated
	// immediately, i.e. the credential changes as soon as the schedule is deployed.
	RotateImmediatelyOnUpdate() interface{}
	SetRotateImmediatelyOnUpdate(val interface{})
	// The ARN of an existing Lambda rotation function.
	RotationLambdaArn() *string
	SetRotationLambdaArn(val *string)
	// A structure that defines the rotation configuration for this secret.
	RotationRules() interface{}
	SetRotationRules(val interface{})
	// The ARN or name of the secret to rotate.
	//
	// This is unique for each rotation schedule definition.
	SecretId() *string
	SetSecretId(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	// NOTE(review): undocumented in the generated source; by name it appears to
	// transform the property map before synthesis — confirm against awscdk.CfnResource.
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	// NOTE(review): undocumented in the generated source; the underscore-prefixed
	// parameter suggests the base implementation ignores it — confirm before relying on it.
	ValidateProperties(_properties interface{})
}
Sets the rotation schedule and Lambda rotation function for a secret. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .
For the rotation function, you have two options:
- You can create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) by using `HostedRotationLambda`.
- You can choose an existing rotation function by using `RotationLambdaARN`.
For database secrets, if you define both the secret and the database or service in the AWS CloudFormation template, then you need to define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.
You can define only one rotation schedule for a given secret.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
//
// NOTE(review): this generated placeholder sets every field at once, including
// pairs the field docs describe as alternatives; a real template sets only one
// of each pair noted in the comments below.
import "github.com/aws/aws-cdk-go/awscdk"

cfnRotationSchedule := awscdk.Aws_secretsmanager.NewCfnRotationSchedule(this, jsii.String("MyCfnRotationSchedule"), &CfnRotationScheduleProps{
	SecretId: jsii.String("secretId"),

	// the properties below are optional
	// HostedRotationLambda (templated function) and RotationLambdaArn (existing
	// function) are alternatives per their field docs — set one, not both.
	HostedRotationLambda: &HostedRotationLambdaProperty{
		RotationType: jsii.String("rotationType"),

		// the properties below are optional
		ExcludeCharacters: jsii.String("excludeCharacters"),
		KmsKeyArn: jsii.String("kmsKeyArn"),
		// MasterSecretArn and SuperuserSecretArn name the same superuser secret; the
		// property docs allow one or the other, not both. The same applies to
		// MasterSecretKmsKeyArn and SuperuserSecretKmsKeyArn.
		MasterSecretArn: jsii.String("masterSecretArn"),
		MasterSecretKmsKeyArn: jsii.String("masterSecretKmsKeyArn"),
		RotationLambdaName: jsii.String("rotationLambdaName"),
		// The property docs say not to set Runtime when using
		// Transform: AWS::SecretsManager-2024-09-16.
		Runtime: jsii.String("runtime"),
		SuperuserSecretArn: jsii.String("superuserSecretArn"),
		SuperuserSecretKmsKeyArn: jsii.String("superuserSecretKmsKeyArn"),
		VpcSecurityGroupIds: jsii.String("vpcSecurityGroupIds"),
		VpcSubnetIds: jsii.String("vpcSubnetIds"),
	},
	// Unset means rotate immediately on deploy (see CfnRotationScheduleProps).
	RotateImmediatelyOnUpdate: jsii.Boolean(false),
	RotationLambdaArn: jsii.String("rotationLambdaArn"),
	RotationRules: &RotationRulesProperty{
		AutomaticallyAfterDays: jsii.Number(123),
		Duration: jsii.String("duration"),
		ScheduleExpression: jsii.String("scheduleExpression"),
	},
})
func NewCfnRotationSchedule ¶
func NewCfnRotationSchedule(scope constructs.Construct, id *string, props *CfnRotationScheduleProps) CfnRotationSchedule
type CfnRotationScheduleProps ¶
// CfnRotationScheduleProps holds the properties for defining a `CfnRotationSchedule`.
//
// HostedRotationLambda and RotationLambdaArn are alternatives (each field's
// docs say to specify the other "instead"); set exactly one of them. The
// struct tags are read by the jsii runtime and must not be edited.
type CfnRotationScheduleProps struct {
	// The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-secretid
	//
	SecretId *string `field:"required" json:"secretId" yaml:"secretId"`
	// Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html). To use a rotation function that already exists, specify `RotationLambdaARN` instead.
	//
	// You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template. Transforms are macros hosted by AWS CloudFormation that help you create and manage complex infrastructure. The `Transform: AWS::SecretsManager-2024-09-16` transform automatically extends the CloudFormation stack to include a nested stack (of type `AWS::CloudFormation::Stack`), which then creates and updates on your behalf during subsequent stack operations, the appropriate rotation Lambda function for your database or service. For general information on transforms, see the [AWS CloudFormation documentation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html)
	//
	// For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).
	//
	// For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda
	//
	HostedRotationLambda interface{} `field:"optional" json:"hostedRotationLambda" yaml:"hostedRotationLambda"`
	// Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
	//
	// The rotation schedule is defined in `RotationRules`.
	//
	// If you don't immediately rotate the secret, Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. The test creates an `AWSPENDING` version of the secret and then removes it.
	//
	// If you don't specify this value, then by default, Secrets Manager rotates the secret immediately.
	// Leaving it unset therefore changes the live credential as soon as the schedule is deployed.
	//
	// Rotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotateimmediatelyonupdate
	//
	RotateImmediatelyOnUpdate interface{} `field:"optional" json:"rotateImmediatelyOnUpdate" yaml:"rotateImmediatelyOnUpdate"`
	// The ARN of an existing Lambda rotation function.
	//
	// To specify a rotation function that is also defined in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function.
	//
	// For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).
	//
	// For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).
	//
	// To create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html), specify `HostedRotationLambda` instead.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationlambdaarn
	//
	RotationLambdaArn *string `field:"optional" json:"rotationLambdaArn" yaml:"rotationLambdaArn"`
	// A structure that defines the rotation configuration for this secret.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationrules
	//
	RotationRules interface{} `field:"optional" json:"rotationRules" yaml:"rotationRules"`
}
Properties for defining a `CfnRotationSchedule`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
//
// NOTE(review): this generated placeholder sets every field at once, including
// pairs the field docs describe as alternatives; a real template sets only one
// of each pair noted in the comments below.
import "github.com/aws/aws-cdk-go/awscdk"

cfnRotationScheduleProps := &CfnRotationScheduleProps{
	SecretId: jsii.String("secretId"),

	// the properties below are optional
	// HostedRotationLambda (templated function) and RotationLambdaArn (existing
	// function) are alternatives per their field docs — set one, not both.
	HostedRotationLambda: &HostedRotationLambdaProperty{
		RotationType: jsii.String("rotationType"),

		// the properties below are optional
		ExcludeCharacters: jsii.String("excludeCharacters"),
		KmsKeyArn: jsii.String("kmsKeyArn"),
		// MasterSecretArn and SuperuserSecretArn name the same superuser secret; the
		// property docs allow one or the other, not both. The same applies to
		// MasterSecretKmsKeyArn and SuperuserSecretKmsKeyArn.
		MasterSecretArn: jsii.String("masterSecretArn"),
		MasterSecretKmsKeyArn: jsii.String("masterSecretKmsKeyArn"),
		RotationLambdaName: jsii.String("rotationLambdaName"),
		// The property docs say not to set Runtime when using
		// Transform: AWS::SecretsManager-2024-09-16.
		Runtime: jsii.String("runtime"),
		SuperuserSecretArn: jsii.String("superuserSecretArn"),
		SuperuserSecretKmsKeyArn: jsii.String("superuserSecretKmsKeyArn"),
		VpcSecurityGroupIds: jsii.String("vpcSecurityGroupIds"),
		VpcSubnetIds: jsii.String("vpcSubnetIds"),
	},
	// Unset means rotate immediately on deploy (see CfnRotationScheduleProps).
	RotateImmediatelyOnUpdate: jsii.Boolean(false),
	RotationLambdaArn: jsii.String("rotationLambdaArn"),
	RotationRules: &RotationRulesProperty{
		AutomaticallyAfterDays: jsii.Number(123),
		Duration: jsii.String("duration"),
		ScheduleExpression: jsii.String("scheduleExpression"),
	},
}
type CfnRotationSchedule_HostedRotationLambdaProperty ¶
type CfnRotationSchedule_HostedRotationLambdaProperty struct { // The rotation template to base the rotation function on, one of the following:. // // - `Db2SingleUser` to use the template [SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser) . // - `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser) . // - `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) . // - `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) . // - `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser) // - `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) . // - `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) . // - `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) . 
// - `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) . // - `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) . // - `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) . // - `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) . // - `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) . // - `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) . // - `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) . // - `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) . 
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationtype // RotationType *string `field:"required" json:"rotationType" yaml:"rotationType"` // A string of the characters that you don't want in the password. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-excludecharacters // ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"` // The ARN of the KMS key that Secrets Manager uses to encrypt the secret. // // If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager` . If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-kmskeyarn // KmsKeyArn *string `field:"optional" json:"kmsKeyArn" yaml:"kmsKeyArn"` // The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) . // // You must create the superuser secret before you can set this property. 
// // You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) . // // You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretarn // MasterSecretArn *string `field:"optional" json:"masterSecretArn" yaml:"masterSecretArn"` // The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) . // // You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key . 
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretkmskeyarn // MasterSecretKmsKeyArn *string `field:"optional" json:"masterSecretKmsKeyArn" yaml:"masterSecretKmsKeyArn"` // The name of the Lambda rotation function. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationlambdaname // RotationLambdaName *string `field:"optional" json:"rotationLambdaName" yaml:"rotationLambdaName"` // > Do not set this value if you are using `Transform: AWS::SecretsManager-2024-09-16` . // // Over time, the updated rotation lambda artifacts vended by AWS may not be compatible with the code or shared object files defined in the rotation function deployment package. // > // > Only define the `Runtime` key if: // > // > - You are using `Transform: AWS::SecretsManager-2020-07-23` . // > - The code or shared object files defined in the rotation function deployment package are incompatible with Python 3.9. // // The Python Runtime version for with the rotation function. By default, CloudFormation deploys Python 3.9 binaries for the rotation function. To use a different version of Python, you must do the following two steps: // // - Deploy the matching version Python binaries with your rotation function. // - Set the version number in this field. For example, for Python 3.7, enter *python3.7* . // // If you only do one of the steps, your rotation function will be incompatible with the binaries. For more information, see [Why did my Lambda rotation function fail with a "pg module not found" error](https://docs.aws.amazon.com/https://repost.aws/knowledge-center/secrets-manager-lambda-rotation) . 
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-runtime // Runtime *string `field:"optional" json:"runtime" yaml:"runtime"` // The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) . // // You must create the superuser secret before you can set this property. // // You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) . // // You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret. 
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretarn // SuperuserSecretArn *string `field:"optional" json:"superuserSecretArn" yaml:"superuserSecretArn"` // The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) . // // You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key . // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretkmskeyarn // SuperuserSecretKmsKeyArn *string `field:"optional" json:"superuserSecretKmsKeyArn" yaml:"superuserSecretKmsKeyArn"` // A comma-separated list of security group IDs applied to the target database. // // The template applies the same security groups as on the Lambda rotation function that is created as part of this stack. 
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsecuritygroupids // VpcSecurityGroupIds *string `field:"optional" json:"vpcSecurityGroupIds" yaml:"vpcSecurityGroupIds"` // A comma separated list of VPC subnet IDs of the target database network. // // The Lambda rotation function is in the same subnet group. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsubnetids // VpcSubnetIds *string `field:"optional" json:"vpcSubnetIds" yaml:"vpcSubnetIds"` }
Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) .
You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template.
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" hostedRotationLambdaProperty := &HostedRotationLambdaProperty{ RotationType: jsii.String("rotationType"), // the properties below are optional ExcludeCharacters: jsii.String("excludeCharacters"), KmsKeyArn: jsii.String("kmsKeyArn"), MasterSecretArn: jsii.String("masterSecretArn"), MasterSecretKmsKeyArn: jsii.String("masterSecretKmsKeyArn"), RotationLambdaName: jsii.String("rotationLambdaName"), Runtime: jsii.String("runtime"), SuperuserSecretArn: jsii.String("superuserSecretArn"), SuperuserSecretKmsKeyArn: jsii.String("superuserSecretKmsKeyArn"), VpcSecurityGroupIds: jsii.String("vpcSecurityGroupIds"), VpcSubnetIds: jsii.String("vpcSubnetIds"), }
type CfnRotationSchedule_RotationRulesProperty ¶
// CfnRotationSchedule_RotationRulesProperty describes when Secrets Manager
// rotates a secret and how wide the rotation window is.
//
// Prefer `ScheduleExpression` (a `cron()` or `rate()` expression) together
// with `Duration`; `AutomaticallyAfterDays` is the interval-only form, and
// `RotateSecret` accepts either it or `ScheduleExpression`, never both.
//
// NOTE(review): the rotation interval bounds how long a leaked credential
// stays usable, so pick it against exposure tolerance rather than only the
// compliance minimum.
type CfnRotationSchedule_RotationRulesProperty struct {
	// AutomaticallyAfterDays is the number of days between automatic scheduled
	// rotations of the secret.
	//
	// Handy for checking that a secret meets compliance rules for rotation
	// frequency. `DescribeSecret` and `ListSecrets` recompute this value from
	// the schedule after every successful rotation. In `RotateSecret`, set
	// either this field or `ScheduleExpression` inside `RotationRules`, not
	// both.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-automaticallyafterdays
	//
	AutomaticallyAfterDays *float64 `field:"optional" json:"automaticallyAfterDays" yaml:"automaticallyAfterDays"`
	// Duration is the length of the rotation window in hours, for example `3h`.
	//
	// Secrets Manager may rotate the secret at any moment inside the window,
	// which opens according to `ScheduleExpression`. The window must not run
	// into the next rotation window or past the end of the UTC day. When
	// unset, an hourly `ScheduleExpression` gets a one-hour window and a daily
	// one gets a window that closes at the end of the UTC day. Worked examples:
	// https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html
	// in the *Secrets Manager Users Guide*.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-duration
	//
	Duration *string `field:"optional" json:"duration" yaml:"duration"`
	// ScheduleExpression is a `cron()` or `rate()` expression defining the
	// rotation schedule. All schedules are interpreted in UTC, and rotation
	// happens at some point inside the rotation window.
	//
	// `rate()` expresses an interval in hours or days, e.g. `rate(12 hours)` or
	// `rate(10 days)`; the shortest allowed interval is four hours. With a
	// `rate()` the window starts at midnight; an hourly rate gets a one-hour
	// default window and a daily rate a window that closes at end of day.
	//
	// `cron()` allows a more detailed schedule (examples in the guide linked
	// above). The same default-window rules apply: one hour for an hourly
	// expression, end of day for a daily one. `Duration` changes the window,
	// which must never cross into the next UTC day or the next window.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-scheduleexpression
	//
	ScheduleExpression *string `field:"optional" json:"scheduleExpression" yaml:"scheduleExpression"`
}
The rotation schedule and window.
We recommend you use `ScheduleExpression` to set a cron or rate expression for the schedule and `Duration` to set the length of the rotation window.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" rotationRulesProperty := &RotationRulesProperty{ AutomaticallyAfterDays: jsii.Number(123), Duration: jsii.String("duration"), ScheduleExpression: jsii.String("scheduleExpression"), }
type CfnSecret ¶
// CfnSecret is the L1 construct for an `AWS::SecretsManager::Secret`.
//
// A secret is a password, a credential pair, an OAuth token, or any other
// value kept in encrypted form in Secrets Manager. The getter/setter pairs in
// the first group map one-to-one onto the resource's CloudFormation
// properties; everything else is the generic CfnResource surface (overrides,
// metadata, dependencies, removal policy) shared with the embedded interfaces.
type CfnSecret interface {
	awscdk.CfnResource
	awscdk.IInspectable
	awscdk.ITaggable

	// ----- AWS::SecretsManager::Secret properties -----

	// Description returns the description of the secret.
	Description() *string
	// SetDescription replaces the description of the secret.
	SetDescription(val *string)
	// GenerateSecretString returns the structure that tells Secrets Manager how
	// to generate a random password for the secret.
	GenerateSecretString() interface{}
	// SetGenerateSecretString sets the password-generation structure.
	SetGenerateSecretString(val interface{})
	// KmsKeyId returns the ARN, key ID, or alias of the KMS key Secrets Manager
	// uses to encrypt the secret value.
	KmsKeyId() *string
	// SetKmsKeyId selects the KMS key used to encrypt the secret value.
	SetKmsKeyId(val *string)
	// Name returns the name of the new secret.
	Name() *string
	// SetName sets the name of the new secret.
	SetName(val *string)
	// ReplicaRegions returns the list of `Region`/`KmsKeyId` pairs describing
	// replica secrets.
	ReplicaRegions() interface{}
	// SetReplicaRegions sets the replica-region list.
	SetReplicaRegions(val interface{})
	// SecretString returns the text to encrypt and store in the secret.
	SecretString() *string
	// SetSecretString sets the text to encrypt and store in the secret.
	//
	// NOTE(review): like every other property, this value is rendered into the
	// synthesized CloudFormation template, so a hard-coded literal travels
	// with the template wherever it is stored. Prefer SetGenerateSecretString,
	// or supply the value from outside the template, unless the literal is a
	// non-secret placeholder — confirm against the stack's template handling.
	SetSecretString(val *string)
	// Tags returns the tag manager for this resource.
	Tags() awscdk.TagManager
	// TagsRaw returns the raw list of tags attached to the secret.
	TagsRaw() *[]*awscdk.CfnTag
	// SetTagsRaw replaces the raw list of tags. When tags feed permissions
	// policies (ABAC), adding or removing one changes who can reach the secret.
	SetTagsRaw(val *[]*awscdk.CfnTag)

	// ----- Identity and placement -----

	// AttrId returns a token for the ARN of the secret.
	AttrId() *string
	// Ref returns a string that resolves to a CloudFormation `{ Ref }` for this
	// element. Should the intrinsic reference not be a string, coerce it to an
	// IResolvable with `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// LogicalId returns the logical ID of this stack element, derived from the
	// resource node's path in the construct tree. Use OverrideLogicalId to
	// replace it. The result is a stringified token resolved at synthesis.
	LogicalId() *string
	// OverrideLogicalId replaces the auto-generated logical ID.
	OverrideLogicalId(newLogicalId *string)
	// Node returns the construct tree node.
	Node() constructs.Node
	// Stack returns the stack this element is defined in; CfnElements must live
	// (directly or indirectly) inside a stack scope.
	Stack() awscdk.Stack
	// CreationStack returns the stack trace of where this resource was created,
	// taken from the `aws:cdk:logicalId` metadata entry with the bottom-most
	// `internal` frames removed.
	CreationStack() *[]*string
	// CfnResourceType returns the AWS resource type name.
	CfnResourceType() *string
	// CfnOptions returns resource options such as condition and update policy.
	CfnOptions() awscdk.ICfnResourceOptions
	// CfnProperties returns the resource's property map.
	CfnProperties() *map[string]interface{}

	// ----- Template overrides and metadata -----

	// AddOverride adds an override to the synthesized CloudFormation resource.
	//
	// `path` is dot-separated; array elements are addressed by index; to reach
	// a property either prefix with "Properties." or use AddPropertyOverride.
	// A literal `.` in a name is escaped as `\.` (spelled "\\." in most
	// languages). For example
	//
	//	cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	//	cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	//
	// sets `Projection.NonKeyAttributes` on element 0 and `ProjectionType` on
	// element 1 of `Properties.GlobalSecondaryIndexes`.
	//
	// `value` is emitted verbatim — it is not processed or translated — so pass
	// raw JSON with CloudFormation's capitalization. CDK classes or structs
	// would be rendered with lower-cased keys and rejected by CloudFormation.
	// Because nothing is translated, an override also sidesteps the typed
	// setters above; review overrides on security-relevant properties with care.
	AddOverride(path *string, value interface{})
	// AddDeletionOverride is syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// AddPropertyOverride is syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// AddPropertyDeletionOverride removes a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// AddMetadata adds a value to the CloudFormation Resource Metadata.
	//
	// This metadata lands in the stack template under the resource; it is a
	// different set from CDK node metadata, which ends up in the Cloud Assembly.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	AddMetadata(key *string, value interface{})
	// GetMetadata reads a value from the CloudFormation Resource Metadata (the
	// template-level set, not CDK node metadata).
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	GetMetadata(key *string) interface{}

	// ----- Dependencies -----

	// AddDependency declares that this resource cannot be provisioned until
	// `target` has been. Works across stack and nested-stack boundaries; the
	// dependency is transferred to the relevant scope automatically.
	AddDependency(target awscdk.CfnResource)
	// AddDependsOn declares the same dependency as AddDependency.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// RemoveDependency drops a previously declared dependency, including across
	// stacks and nested stacks.
	RemoveDependency(target awscdk.CfnResource)
	// ReplaceDependency swaps one dependency for another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// ObtainDependencies returns every resource this one depends on, assembled
	// across stacks (nested stacks included).
	ObtainDependencies() *[]interface{}
	// ObtainResourceDependencies returns a shallow copy of the dependencies
	// between this resource and others in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource

	// ----- Lifecycle and synthesis -----

	// ApplyRemovalPolicy sets the deletion policy from a removal policy.
	//
	// The removal policy decides what happens when CloudFormation stops
	// managing the resource — removed from the CDK app, or replaced after a
	// breaking change: delete it (`RemovalPolicy.DESTROY`), keep it for later
	// recovery and cleanup (`RemovalPolicy.RETAIN`), or, where supported,
	// snapshot it first (`RemovalPolicy.SNAPSHOT`).
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// GetAtt returns a token for a runtime attribute. Prefer the generated
	// accessors (e.g. `resource.arn`); this exists for attributes without one.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Inspect examines the CloudFormation resource and discloses its attributes.
	Inspect(inspector awscdk.TreeInspector)
	// ShouldSynthesize may be overridden to decide whether this resource is
	// rendered into the template: `true` to include it, `false` to omit it.
	ShouldSynthesize() *bool
	// RenderProperties renders the property map for the template.
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// ValidateProperties validates the given properties.
	ValidateProperties(_properties interface{})
	// UpdatedProperties returns the properties modified after initiation.
	// Resources exposing mutable properties override this to collect and return
	// their properties object.
	UpdatedProperties() *map[string]interface{}
	// UpdatedProperites is the misspelled predecessor of UpdatedProperties and
	// returns the same thing.
	// Deprecated: use `updatedProperties`
	UpdatedProperites() *map[string]interface{}
	// ToString returns a string representation of this construct.
	ToString() *string
}
Creates a new secret.
A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager.
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .
To retrieve a secret in a CloudFormation template, use a *dynamic reference* . For more information, see [Retrieve a secret in an AWS CloudFormation resource](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html) .
For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) . For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) .
For information about retrieving a secret in code, see [Retrieve secrets from Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) .
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" cfnSecret := awscdk.Aws_secretsmanager.NewCfnSecret(this, jsii.String("MyCfnSecret"), &CfnSecretProps{ Description: jsii.String("description"), GenerateSecretString: &GenerateSecretStringProperty{ ExcludeCharacters: jsii.String("excludeCharacters"), ExcludeLowercase: jsii.Boolean(false), ExcludeNumbers: jsii.Boolean(false), ExcludePunctuation: jsii.Boolean(false), ExcludeUppercase: jsii.Boolean(false), GenerateStringKey: jsii.String("generateStringKey"), IncludeSpace: jsii.Boolean(false), PasswordLength: jsii.Number(123), RequireEachIncludedType: jsii.Boolean(false), SecretStringTemplate: jsii.String("secretStringTemplate"), }, KmsKeyId: jsii.String("kmsKeyId"), Name: jsii.String("name"), ReplicaRegions: []interface{}{ &ReplicaRegionProperty{ Region: jsii.String("region"), // the properties below are optional KmsKeyId: jsii.String("kmsKeyId"), }, }, SecretString: jsii.String("secretString"), Tags: []cfnTag{ &cfnTag{ Key: jsii.String("key"), Value: jsii.String("value"), }, }, })
func NewCfnSecret ¶
func NewCfnSecret(scope constructs.Construct, id *string, props *CfnSecretProps) CfnSecret
type CfnSecretProps ¶
// CfnSecretProps holds the properties for defining a `CfnSecret`
// (`AWS::SecretsManager::Secret`). Every field is optional.
type CfnSecretProps struct {
	// Description is the human-readable description of the secret.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-description
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// GenerateSecretString tells Secrets Manager how to generate a password to
	// encrypt and store in the secret.
	//
	// Use `SecretString` instead when the value must be a specific string.
	// Omitting both creates an empty secret; changing this property creates a
	// new secret version. Specify the maximum length the target system accepts
	// and include every character type it can handle — excluding classes or
	// shortening the password only weakens what is generated.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-generatesecretstring
	//
	GenerateSecretString interface{} `field:"optional" json:"generateSecretString" yaml:"generateSecretString"`
	// KmsKeyId is the ARN, key ID, or alias of the KMS key that encrypts the
	// secret value.
	//
	// Aliases carry the `alias/` prefix, e.g. `alias/aws/secretsmanager`
	// (https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html).
	// A key in another account must be given by key ARN or alias ARN. Left
	// unset, Secrets Manager uses `aws/secretsmanager`, creating it on first
	// use. If the secret is in a different account from the calling
	// credentials, `aws/secretsmanager` cannot be used and a customer managed
	// key is mandatory.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-kmskeyid
	//
	KmsKeyId *string `field:"optional" json:"kmsKeyId" yaml:"kmsKeyId"`
	// Name is the name of the new secret.
	//
	// Allowed characters: ASCII letters, digits, and `/_+=.@-`. Do not end the
	// name with a hyphen followed by six characters — Secrets Manager appends
	// `-` plus six random characters to build the ARN, so such a name is
	// ambiguous when searching by partial ARN.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-name
	//
	Name *string `field:"optional" json:"name" yaml:"name"`
	// ReplicaRegions lists `Region`/`KmsKeyId` pairs, one per replica secret.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-replicaregions
	//
	ReplicaRegions interface{} `field:"optional" json:"replicaRegions" yaml:"replicaRegions"`
	// SecretString is the literal text to encrypt and store in the secret.
	//
	// A JSON object of key/value pairs is the recommended shape. For a random
	// password use `GenerateSecretString` instead. Omitting both creates an
	// empty secret; changing this property creates a new secret version.
	// NOTE(review): the literal is emitted into the synthesized template, so
	// treat anything placed here as part of the template's secrecy boundary.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-secretstring
	//
	SecretString *string `field:"optional" json:"secretString" yaml:"secretString"`
	// Tags is the list of tags to attach to the secret, each a key/value pair
	// of strings, e.g.
	// `[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`.
	//
	// Keys are case sensitive ("ABC" and "abc" are different tags). Stack-level
	// tags are attached to the secret as well.
	//
	// If permissions policies check tags, adding or removing one changes who
	// may access the secret. Secrets Manager refuses an operation that would
	// strip your own access and returns `Access Denied`. See
	// https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac
	// and
	// https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2 .
	//
	// JSON parameter formatting per CLI environment is covered at
	// https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json ;
	// when the tool needs the parameter quoted, use single quotes so they do
	// not collide with the JSON's double quotes.
	//
	// Restrictions:
	//
	//   - at most 50 tags per secret
	//   - key length up to 127 Unicode characters (UTF-8)
	//   - value length up to 255 Unicode characters (UTF-8)
	//   - keys and values are case sensitive
	//   - the `aws:` prefix is reserved for AWS; such tags cannot be edited or
	//     deleted by you and do not count toward the per-secret limit
	//   - other services may restrict characters further; the generally safe
	//     set is UTF-8 letters, spaces and digits plus `+ - = . _ : /`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-tags
	//
	Tags *[]*awscdk.CfnTag `field:"optional" json:"tags" yaml:"tags"`
}
Properties for defining a `CfnSecret`.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" cfnSecretProps := &CfnSecretProps{ Description: jsii.String("description"), GenerateSecretString: &GenerateSecretStringProperty{ ExcludeCharacters: jsii.String("excludeCharacters"), ExcludeLowercase: jsii.Boolean(false), ExcludeNumbers: jsii.Boolean(false), ExcludePunctuation: jsii.Boolean(false), ExcludeUppercase: jsii.Boolean(false), GenerateStringKey: jsii.String("generateStringKey"), IncludeSpace: jsii.Boolean(false), PasswordLength: jsii.Number(123), RequireEachIncludedType: jsii.Boolean(false), SecretStringTemplate: jsii.String("secretStringTemplate"), }, KmsKeyId: jsii.String("kmsKeyId"), Name: jsii.String("name"), ReplicaRegions: []interface{}{ &ReplicaRegionProperty{ Region: jsii.String("region"), // the properties below are optional KmsKeyId: jsii.String("kmsKeyId"), }, }, SecretString: jsii.String("secretString"), Tags: []cfnTag{ &cfnTag{ Key: jsii.String("key"), Value: jsii.String("value"), }, }, }
type CfnSecretTargetAttachment ¶
type CfnSecretTargetAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Attribute accessor with no generated description; GetAtt below is the
	// generic form for attributes that have no dedicated accessor.
	AttrId() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	// Property bag of this resource; presumably mirrors the template's
	// `Properties` section — confirm against awscdk.CfnResource.
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The ARN or name of the secret.
	SecretId() *string
	SetSecretId(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// The ID of the database or cluster.
	TargetId() *string
	SetTargetId(val *string)
	// A string that defines the type of service or database associated with the secret.
	TargetType() *string
	SetTargetType(val *string)
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	//
	// The misspelled name is part of the published API and is kept for
	// compatibility; new code should call UpdatedProperties.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	// No generated description; takes a property map and returns a property map,
	// presumably the template-ready rendering of `props` — confirm.
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	// No generated description; the leading underscore on the parameter follows
	// the jsii convention for an argument the base implementation may ignore.
	ValidateProperties(_properties interface{})
}
The `AWS::SecretsManager::SecretTargetAttachment` resource completes the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON.
If you want to turn on automatic rotation for a database credential secret, the secret must contain the database connection information. For more information, see [JSON structure of Secrets Manager database credential secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html).
A single secret resource can only have one target attached to it.
When you remove a `SecretTargetAttachment` from a stack, Secrets Manager removes the database connection information from the secret with a `PutSecretValue` call.
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnSecretTargetAttachment := awscdk.Aws_secretsmanager.NewCfnSecretTargetAttachment(this, jsii.String("MyCfnSecretTargetAttachment"), &CfnSecretTargetAttachmentProps{
	// ARN or name of the secret; all three properties are required by CfnSecretTargetAttachmentProps.
	SecretId: jsii.String("secretId"),
	// ID of the database or cluster the secret is attached to.
	TargetId: jsii.String("targetId"),
	// Must be one of the service types enumerated in the CfnSecretTargetAttachmentProps docs
	// (e.g. AWS::RDS::DBInstance); the placeholder value here is not valid.
	TargetType: jsii.String("targetType"),
})
func NewCfnSecretTargetAttachment ¶
func NewCfnSecretTargetAttachment(scope constructs.Construct, id *string, props *CfnSecretTargetAttachmentProps) CfnSecretTargetAttachment
type CfnSecretTargetAttachmentProps ¶
type CfnSecretTargetAttachmentProps struct {
	// The ARN or name of the secret.
	//
	// To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID. This field is unique for each target attachment definition.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-secretid
	//
	SecretId *string `field:"required" json:"secretId" yaml:"secretId"`
	// The ID of the database or cluster.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-targetid
	//
	TargetId *string `field:"required" json:"targetId" yaml:"targetId"`
	// A string that defines the type of service or database associated with the secret.
	//
	// This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:
	//
	// - AWS::RDS::DBInstance
	// - AWS::RDS::DBCluster
	// - AWS::Redshift::Cluster
	// - AWS::RedshiftServerless::Namespace
	// - AWS::DocDB::DBInstance
	// - AWS::DocDB::DBCluster
	// - AWS::DocDBElastic::Cluster.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-targettype
	//
	TargetType *string `field:"required" json:"targetType" yaml:"targetType"`
}
Properties for defining a `CfnSecretTargetAttachment`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnSecretTargetAttachmentProps := &CfnSecretTargetAttachmentProps{
	SecretId: jsii.String("secretId"),
	TargetId: jsii.String("targetId"),
	// Placeholder; a real value must be one of the service types listed on the props type.
	TargetType: jsii.String("targetType"),
}
type CfnSecret_GenerateSecretStringProperty ¶
type CfnSecret_GenerateSecretStringProperty struct {
	// A string of the characters that you don't want in the password.
	//
	// Every excluded character shrinks the alphabet the generator draws from;
	// the type-level guidance is to include every character type the target
	// system can support.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludecharacters
	//
	ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"`
	// Specifies whether to exclude lowercase letters from the password.
	//
	// If you don't include this switch, the password can contain lowercase letters.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludelowercase
	//
	ExcludeLowercase interface{} `field:"optional" json:"excludeLowercase" yaml:"excludeLowercase"`
	// Specifies whether to exclude numbers from the password.
	//
	// If you don't include this switch, the password can contain numbers.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludenumbers
	//
	ExcludeNumbers interface{} `field:"optional" json:"excludeNumbers" yaml:"excludeNumbers"`
	// Specifies whether to exclude the following punctuation characters from the password:
	//
	// `! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~`
	//
	// If you don't include this switch, the password can contain punctuation.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludepunctuation
	//
	ExcludePunctuation interface{} `field:"optional" json:"excludePunctuation" yaml:"excludePunctuation"`
	// Specifies whether to exclude uppercase letters from the password.
	//
	// If you don't include this switch, the password can contain uppercase letters.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludeuppercase
	//
	ExcludeUppercase interface{} `field:"optional" json:"excludeUppercase" yaml:"excludeUppercase"`
	// The JSON key name for the key/value pair, where the value is the generated password.
	//
	// This pair is added to the JSON structure specified by the `SecretStringTemplate` parameter. If you specify this parameter, then you must also specify `SecretStringTemplate` .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-generatestringkey
	//
	GenerateStringKey *string `field:"optional" json:"generateStringKey" yaml:"generateStringKey"`
	// Specifies whether to include the space character.
	//
	// If you include this switch, the password can contain space characters.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-includespace
	//
	IncludeSpace interface{} `field:"optional" json:"includeSpace" yaml:"includeSpace"`
	// The length of the password.
	//
	// If you don't include this parameter, the default length is 32 characters.
	// Prefer the maximum length the target system accepts (see the type-level recommendation).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-passwordlength
	//
	PasswordLength *float64 `field:"optional" json:"passwordLength" yaml:"passwordLength"`
	// Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation.
	//
	// If you don't include this switch, the password contains at least one of every character type.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-requireeachincludedtype
	//
	RequireEachIncludedType interface{} `field:"optional" json:"requireEachIncludedType" yaml:"requireEachIncludedType"`
	// A template that the generated string must match.
	//
	// When you make a change to this property, a new secret version is created.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-secretstringtemplate
	//
	SecretStringTemplate *string `field:"optional" json:"secretStringTemplate" yaml:"secretStringTemplate"`
}
Generates a random password.
We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
*Required permissions:* `secretsmanager:GetRandomPassword`. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

generateSecretStringProperty := &GenerateSecretStringProperty{
	ExcludeCharacters: jsii.String("excludeCharacters"),
	// The four Exclude* switches below are shown as false, i.e. every character class stays available.
	ExcludeLowercase: jsii.Boolean(false),
	ExcludeNumbers: jsii.Boolean(false),
	ExcludePunctuation: jsii.Boolean(false),
	ExcludeUppercase: jsii.Boolean(false),
	GenerateStringKey: jsii.String("generateStringKey"),
	IncludeSpace: jsii.Boolean(false),
	// Placeholder length; the property defaults to 32 when omitted.
	PasswordLength: jsii.Number(123),
	RequireEachIncludedType: jsii.Boolean(false),
	SecretStringTemplate: jsii.String("secretStringTemplate"),
}
type CfnSecret_ReplicaRegionProperty ¶
type CfnSecret_ReplicaRegionProperty struct {
	// A string that represents a `Region` , for example "us-east-1".
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-replicaregion.html#cfn-secretsmanager-secret-replicaregion-region
	//
	Region *string `field:"required" json:"region" yaml:"region"`
	// The ARN, key ID, or alias of the KMS key to encrypt the secret.
	//
	// If you don't include this field, Secrets Manager uses `aws/secretsmanager` .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-replicaregion.html#cfn-secretsmanager-secret-replicaregion-kmskeyid
	//
	KmsKeyId *string `field:"optional" json:"kmsKeyId" yaml:"kmsKeyId"`
}
Specifies a `Region` and the `KmsKeyId` for a replica secret.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

replicaRegionProperty := &ReplicaRegionProperty{
	Region: jsii.String("region"),
	// the properties below are optional
	// Omitting KmsKeyId falls back to the `aws/secretsmanager` key (see the property docs).
	KmsKeyId: jsii.String("kmsKeyId"),
}
type HostedRotation ¶
type HostedRotation interface {
	awsec2.IConnectable
	// Security group connections for this hosted rotation.
	Connections() awsec2.Connections
	// Binds this hosted rotation to a secret.
	//
	// Returns the HostedRotationLambda property the rotation schedule is built from.
	Bind(secret ISecret, scope constructs.Construct) *CfnRotationSchedule_HostedRotationLambdaProperty
}
A hosted rotation.
Example:
secret := secretsmanager.NewSecret(this, jsii.String("Secret"))
// NOTE(review): the Go method on ISecret is AddRotationSchedule; the lowercase
// `addRotationSchedule` below looks like an untranslated generated example — confirm.
secret.addRotationSchedule(jsii.String("RotationSchedule"), &RotationScheduleOptions{
	HostedRotation: secretsmanager.HostedRotation_MysqlSingleUser(),
})
func HostedRotation_MariaDbMultiUser ¶
func HostedRotation_MariaDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MariaDB Multi User.
func HostedRotation_MariaDbSingleUser ¶
func HostedRotation_MariaDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MariaDB Single User.
func HostedRotation_MongoDbMultiUser ¶
func HostedRotation_MongoDbMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MongoDB Multi User.
func HostedRotation_MongoDbSingleUser ¶
func HostedRotation_MongoDbSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MongoDB Single User.
func HostedRotation_MysqlMultiUser ¶
func HostedRotation_MysqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
MySQL Multi User.
func HostedRotation_MysqlSingleUser ¶
func HostedRotation_MysqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
MySQL Single User.
func HostedRotation_OracleMultiUser ¶
func HostedRotation_OracleMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
Oracle Multi User.
func HostedRotation_OracleSingleUser ¶
func HostedRotation_OracleSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
Oracle Single User.
func HostedRotation_PostgreSqlMultiUser ¶
func HostedRotation_PostgreSqlMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
PostgreSQL Multi User.
func HostedRotation_PostgreSqlSingleUser ¶
func HostedRotation_PostgreSqlSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
PostgreSQL Single User.
func HostedRotation_RedshiftMultiUser ¶
func HostedRotation_RedshiftMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
Redshift Multi User.
func HostedRotation_RedshiftSingleUser ¶
func HostedRotation_RedshiftSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
Redshift Single User.
func HostedRotation_SqlServerMultiUser ¶
func HostedRotation_SqlServerMultiUser(options *MultiUserHostedRotationOptions) HostedRotation
SQL Server Multi User.
func HostedRotation_SqlServerSingleUser ¶
func HostedRotation_SqlServerSingleUser(options *SingleUserHostedRotationOptions) HostedRotation
SQL Server Single User.
type HostedRotationType ¶
type HostedRotationType interface {
	// Whether the rotation uses the multi user scheme.
	IsMultiUser() *bool
	// The type of rotation.
	Name() *string
}
Hosted rotation type.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

// One of the HostedRotationType_* accessors; this one is a multi-user scheme.
hostedRotationType := awscdk.Aws_secretsmanager.HostedRotationType_MARIADB_MULTI_USER()
func HostedRotationType_MARIADB_MULTI_USER ¶
func HostedRotationType_MARIADB_MULTI_USER() HostedRotationType
func HostedRotationType_MARIADB_SINGLE_USER ¶
func HostedRotationType_MARIADB_SINGLE_USER() HostedRotationType
func HostedRotationType_MONGODB_MULTI_USER ¶
func HostedRotationType_MONGODB_MULTI_USER() HostedRotationType
func HostedRotationType_MONGODB_SINGLE_USER ¶
func HostedRotationType_MONGODB_SINGLE_USER() HostedRotationType
func HostedRotationType_MYSQL_MULTI_USER ¶
func HostedRotationType_MYSQL_MULTI_USER() HostedRotationType
func HostedRotationType_MYSQL_SINGLE_USER ¶
func HostedRotationType_MYSQL_SINGLE_USER() HostedRotationType
func HostedRotationType_ORACLE_MULTI_USER ¶
func HostedRotationType_ORACLE_MULTI_USER() HostedRotationType
func HostedRotationType_ORACLE_SINGLE_USER ¶
func HostedRotationType_ORACLE_SINGLE_USER() HostedRotationType
func HostedRotationType_POSTGRESQL_MULTI_USER ¶
func HostedRotationType_POSTGRESQL_MULTI_USER() HostedRotationType
func HostedRotationType_POSTGRESQL_SINGLE_USER ¶
func HostedRotationType_POSTGRESQL_SINGLE_USER() HostedRotationType
func HostedRotationType_REDSHIFT_MULTI_USER ¶
func HostedRotationType_REDSHIFT_MULTI_USER() HostedRotationType
func HostedRotationType_REDSHIFT_SINGLE_USER ¶
func HostedRotationType_REDSHIFT_SINGLE_USER() HostedRotationType
func HostedRotationType_SQLSERVER_MULTI_USER ¶
func HostedRotationType_SQLSERVER_MULTI_USER() HostedRotationType
func HostedRotationType_SQLSERVER_SINGLE_USER ¶
func HostedRotationType_SQLSERVER_SINGLE_USER() HostedRotationType
type ISecret ¶
type ISecret interface {
	awscdk.IResource
	// Adds a rotation schedule to the secret.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Adds a statement to the IAM resource policy associated with this secret.
	//
	// If this secret was created in this stack, a resource policy will be
	// automatically created upon the first call to `addToResourcePolicy`. If
	// the secret is imported, then this is a no-op.
	//
	// Because of that no-op, a statement added to an imported secret is not
	// applied; callers relying on it to restrict access should check the
	// returned AddToResourcePolicyResult.
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	// Attach a target to this secret.
	//
	// Returns: An attached secret.
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies the `DeleteSecret` action to all principals within the current account.
	DenyAccountRootDelete()
	// Grants reading the secret value to some role.
	//
	// NOTE(review): `versionStages` presumably narrows the grant to those
	// version stages; the behaviour when it is nil is not documented here — confirm.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value to some role.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	// Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
	SecretValueFromJson(key *string) awscdk.SecretValue
	// The customer-managed encryption key that is used to encrypt this secret, if any.
	//
	// When not specified, the default
	// KMS key for the account and region is being used.
	EncryptionKey() awskms.IKey
	// The ARN of the secret in AWS Secrets Manager.
	//
	// Will return the full ARN if available, otherwise a partial arn.
	// For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
	SecretArn() *string
	// The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
	//
	// This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
	SecretFullArn() *string
	// The name of the secret.
	//
	// For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
	// '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
	SecretName() *string
	// Retrieve the value of the stored secret as a `SecretValue`.
	SecretValue() awscdk.SecretValue
}
A secret in AWS Secrets Manager.
func Secret_FromSecretAttributes ¶
func Secret_FromSecretAttributes(scope constructs.Construct, id *string, attrs *SecretAttributes) ISecret
Import an existing secret into the Stack.
func Secret_FromSecretCompleteArn ¶
func Secret_FromSecretCompleteArn(scope constructs.Construct, id *string, secretCompleteArn *string) ISecret
Imports a secret by complete ARN.
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
func Secret_FromSecretNameV2 ¶
Imports a secret by secret name.
A secret with this name must exist in the same account and region. Replaces the deprecated `fromSecretName`. Note that this method returns an ISecret that contains only a partial ARN; passing that partial ARN to the CLI or SDK to get the secret value can lead to an AccessDeniedException. If your secret name ends with a hyphen followed by 6 characters, always use fromSecretCompleteArn() to avoid a potential AccessDeniedException. See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
func Secret_FromSecretPartialArn ¶
func Secret_FromSecretPartialArn(scope constructs.Construct, id *string, secretPartialArn *string) ISecret
Imports a secret by partial ARN.
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
type ISecretAttachmentTarget ¶
type ISecretAttachmentTarget interface {
	// Renders the target specifications.
	AsSecretAttachmentTarget() *SecretAttachmentTargetProps
}
A secret attachment target.
type ISecretTargetAttachment ¶
type ISecretTargetAttachment interface {
	ISecret
	// Same as `secretArn`.
	SecretTargetAttachmentSecretArn() *string
}
func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn ¶
func SecretTargetAttachment_FromSecretTargetAttachmentSecretArn(scope constructs.Construct, id *string, secretTargetAttachmentSecretArn *string) ISecretTargetAttachment
type MultiUserHostedRotationOptions ¶
type MultiUserHostedRotationOptions struct {
	// A string of the characters that you don't want in the password.
	// Default: the same exclude characters as the ones used for the
	// secret or " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
	//
	ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"`
	// A name for the Lambda created to rotate the secret.
	// Default: - a CloudFormation generated name.
	//
	FunctionName *string `field:"optional" json:"functionName" yaml:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	// Default: - a new security group is created.
	//
	SecurityGroups *[]awsec2.ISecurityGroup `field:"optional" json:"securityGroups" yaml:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	// Default: - the Lambda is not deployed in a VPC.
	//
	Vpc awsec2.IVpc `field:"optional" json:"vpc" yaml:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Default: - the Vpc default strategy if not specified.
	//
	VpcSubnets *awsec2.SubnetSelection `field:"optional" json:"vpcSubnets" yaml:"vpcSubnets"`
	// The master secret for a multi user rotation scheme.
	//
	// Required: the rotation function uses these credentials to manage the
	// rotated user's credentials, so this secret is the more privileged of the two.
	MasterSecret ISecret `field:"required" json:"masterSecret" yaml:"masterSecret"`
}
Multi user hosted rotation options.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
// NOTE(review): the duplicate import line is reproduced from the generated example; a real file needs it once.
import "github.com/aws/aws-cdk-go/awscdk"

var secret secret
var securityGroup securityGroup
var subnet subnet
var subnetFilter subnetFilter
var vpc vpc

multiUserHostedRotationOptions := &MultiUserHostedRotationOptions{
	// Required: the privileged secret used to rotate the application user.
	MasterSecret: secret,
	// the properties below are optional
	ExcludeCharacters: jsii.String("excludeCharacters"),
	FunctionName: jsii.String("functionName"),
	SecurityGroups: []iSecurityGroup{
		securityGroup,
	},
	Vpc: vpc,
	VpcSubnets: &SubnetSelection{
		AvailabilityZones: []*string{
			jsii.String("availabilityZones"),
		},
		OnePerAz: jsii.Boolean(false),
		SubnetFilters: []*subnetFilter{
			subnetFilter,
		},
		SubnetGroupName: jsii.String("subnetGroupName"),
		Subnets: []iSubnet{
			subnet,
		},
		// Isolated subnets: the rotation Lambda gets no route to the internet in this example.
		SubnetType: awscdk.Aws_ec2.SubnetType_PRIVATE_ISOLATED,
	},
}
type ReplicaRegion ¶
type ReplicaRegion struct {
	// The name of the region.
	Region *string `field:"required" json:"region" yaml:"region"`
	// The customer-managed encryption key to use for encrypting the secret value.
	// Default: - A default KMS key for the account and region is used.
	//
	EncryptionKey awskms.IKey `field:"optional" json:"encryptionKey" yaml:"encryptionKey"`
}
Secret replica region.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
// NOTE(review): the duplicate import line is reproduced from the generated example; a real file needs it once.
import "github.com/aws/aws-cdk-go/awscdk"

var key key

replicaRegion := &ReplicaRegion{
	Region: jsii.String("region"),
	// the properties below are optional
	// Omit EncryptionKey to use the account/region default KMS key (see the type docs).
	EncryptionKey: key,
}
type ResourcePolicy ¶
type ResourcePolicy interface {
	awscdk.Resource
	// The IAM policy document for this policy.
	Document() awsiam.PolicyDocument
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// No generated description; presumably produces the synthesized physical
	// name when none was supplied — confirm against awscdk.Resource.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Resource Policy for SecretsManager Secrets.
Policies define the operations that are allowed on this resource.
You almost never need to define this construct directly.
All AWS resources that support resource policies have a method called `addToResourcePolicy()`, which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.
Prefer to use `addToResourcePolicy()` instead.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var secret secret

// Direct construction is rarely needed; the type docs recommend secret.AddToResourcePolicy() instead.
resourcePolicy := awscdk.Aws_secretsmanager.NewResourcePolicy(this, jsii.String("MyResourcePolicy"), &ResourcePolicyProps{
	Secret: secret,
})
func NewResourcePolicy ¶
// NewResourcePolicy creates a ResourcePolicy for the secret given in props.
//
// Prefer the secret's `addToResourcePolicy()`, which creates this construct on
// first use and otherwise extends the existing policy; a second policy created
// here for the same secret is not what the package documentation recommends.
func NewResourcePolicy(scope constructs.Construct, id *string, props *ResourcePolicyProps) ResourcePolicy
type ResourcePolicyProps ¶
// ResourcePolicyProps are the construction properties for a ResourcePolicy.
type ResourcePolicyProps struct {
	// The secret to attach a resource-based permissions policy.
	Secret ISecret `field:"required" json:"secret" yaml:"secret"`
}
Construction properties for a ResourcePolicy.
Example:
// Example: building a ResourcePolicyProps value (generator-produced placeholders).
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var secret secret

resourcePolicyProps := &ResourcePolicyProps{
	Secret: secret,
}
type RotationSchedule ¶
// RotationSchedule is a rotation schedule attached to a Secrets Manager secret.
//
// It is normally created through Secret.AddRotationSchedule or NewRotationSchedule
// with a RotationScheduleProps that names either a rotation Lambda or a hosted rotation.
type RotationSchedule interface {
	awscdk.Resource
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Not documented on this page; presumably produces a physical name for the
	// resource, inherited from awscdk.Resource — confirm against that type.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
A rotation schedule.
Example:
// Example: instantiating RotationSchedule directly with every property set.
// NOTE(review): this generated example sets both HostedRotation and RotationLambda,
// while the field documentation says to specify one or the other; it also uses a
// 30-minute AutomaticallyAfter although the documented minimum is 4 hours. Treat
// the values as placeholders only. The repeated awscdk imports are as rendered.
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"

var function_ function
var hostedRotation hostedRotation
var secret secret

rotationSchedule := awscdk.Aws_secretsmanager.NewRotationSchedule(this, jsii.String("MyRotationSchedule"), &RotationScheduleProps{
	Secret: secret,

	// the properties below are optional
	AutomaticallyAfter: cdk.Duration_Minutes(jsii.Number(30)),
	HostedRotation: hostedRotation,
	RotateImmediatelyOnUpdate: jsii.Boolean(false),
	RotationLambda: function_,
})
func NewRotationSchedule ¶
// NewRotationSchedule creates a RotationSchedule for the secret given in props.
//
// props must name either a RotationLambda or a HostedRotation (see
// RotationScheduleProps); Secret.AddRotationSchedule is the usual entry point.
func NewRotationSchedule(scope constructs.Construct, id *string, props *RotationScheduleProps) RotationSchedule
type RotationScheduleOptions ¶
// RotationScheduleOptions are the options passed to Secret.AddRotationSchedule.
//
// Exactly one of RotationLambda or HostedRotation is expected (each field's
// default says the other must be specified).
type RotationScheduleOptions struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	//
	// The minimum value is 4 hours.
	// The maximum value is 1000 days.
	//
	// A value of zero (`Duration.days(0)`) will not create RotationRules, i.e. no
	// automatic rotation is scheduled; only set this deliberately.
	// Default: Duration.days(30)
	//
	AutomaticallyAfter awscdk.Duration `field:"optional" json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// Hosted rotation.
	// Default: - either `rotationLambda` or `hostedRotation` must be specified.
	//
	HostedRotation HostedRotation `field:"optional" json:"hostedRotation" yaml:"hostedRotation"`
	// Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
	// Default: true.
	//
	RotateImmediatelyOnUpdate *bool `field:"optional" json:"rotateImmediatelyOnUpdate" yaml:"rotateImmediatelyOnUpdate"`
	// A Lambda function that can rotate the secret.
	// Default: - either `rotationLambda` or `hostedRotation` must be specified.
	//
	RotationLambda awslambda.IFunction `field:"optional" json:"rotationLambda" yaml:"rotationLambda"`
}
Options to add a rotation schedule to a secret.
Example:
// Example: adding a Lambda-backed rotation schedule to a secret every 15 days.
// RotateImmediatelyOnUpdate is false here, so the first rotation waits for the
// scheduled window rather than running at deployment.
import lambda "github.com/aws/aws-cdk-go/awscdk"

var fn function

secret := secretsmanager.NewSecret(this, jsii.String("Secret"))
secret.addRotationSchedule(jsii.String("RotationSchedule"), &RotationScheduleOptions{
	RotationLambda: fn,
	AutomaticallyAfter: awscdk.Duration_Days(jsii.Number(15)),
	RotateImmediatelyOnUpdate: jsii.Boolean(false),
})
type RotationScheduleProps ¶
// RotationScheduleProps are the construction properties for a RotationSchedule.
//
// They are RotationScheduleOptions plus the Secret to rotate; exactly one of
// RotationLambda or HostedRotation is expected.
type RotationScheduleProps struct {
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	//
	// The minimum value is 4 hours.
	// The maximum value is 1000 days.
	//
	// A value of zero (`Duration.days(0)`) will not create RotationRules, i.e. no
	// automatic rotation is scheduled; only set this deliberately.
	// Default: Duration.days(30)
	//
	AutomaticallyAfter awscdk.Duration `field:"optional" json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// Hosted rotation.
	// Default: - either `rotationLambda` or `hostedRotation` must be specified.
	//
	HostedRotation HostedRotation `field:"optional" json:"hostedRotation" yaml:"hostedRotation"`
	// Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
	// Default: true.
	//
	RotateImmediatelyOnUpdate *bool `field:"optional" json:"rotateImmediatelyOnUpdate" yaml:"rotateImmediatelyOnUpdate"`
	// A Lambda function that can rotate the secret.
	// Default: - either `rotationLambda` or `hostedRotation` must be specified.
	//
	RotationLambda awslambda.IFunction `field:"optional" json:"rotationLambda" yaml:"rotationLambda"`
	// The secret to rotate.
	//
	// If hosted rotation is used, this must be a JSON string with the following format:
	//
	// ```
	// {
	//   "engine": <required: database engine>,
	//   "host": <required: instance host name>,
	//   "username": <required: username>,
	//   "password": <required: password>,
	//   "dbname": <optional: database name>,
	//   "port": <optional: if not specified, default port will be used>,
	//   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	Secret ISecret `field:"required" json:"secret" yaml:"secret"`
}
Construction properties for a RotationSchedule.
Example:
// Example: building a RotationScheduleProps value with every property set.
// NOTE(review): this generated example sets both HostedRotation and RotationLambda,
// while the field documentation says to specify one or the other; it also uses a
// 30-minute AutomaticallyAfter although the documented minimum is 4 hours. Treat
// the values as placeholders only. The repeated awscdk imports are as rendered.
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"

var function_ function
var hostedRotation hostedRotation
var secret secret

rotationScheduleProps := &RotationScheduleProps{
	Secret: secret,

	// the properties below are optional
	AutomaticallyAfter: cdk.Duration_Minutes(jsii.Number(30)),
	HostedRotation: hostedRotation,
	RotateImmediatelyOnUpdate: jsii.Boolean(false),
	RotationLambda: function_,
}
type Secret ¶
// Secret is a secret created and owned by this CDK application in AWS Secrets Manager.
//
// It embeds ISecret, so imported secrets and owned secrets share the read/write
// grant and resource-policy API; the notes on AddToResourcePolicy describe where
// the two differ.
type Secret interface {
	awscdk.Resource
	ISecret
	// Provides an identifier for this secret for use in IAM policies.
	//
	// If there is a full ARN, this is just the ARN;
	// if we have a partial ARN -- due to either importing by secret name or partial ARN --
	// then we need to add a suffix to capture the full ARN's format.
	ArnForPolicies() *string
	// Not documented on this page; by its name it presumably reports whether a
	// resource policy is created automatically on the first AddToResourcePolicy
	// call (see that method's notes) — confirm against the package source.
	AutoCreatePolicy() *bool
	// The customer-managed encryption key that is used to encrypt this secret, if any.
	//
	// When not specified, the default
	// KMS key for the account and region is being used.
	EncryptionKey() awskms.IKey
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The string of the characters that are excluded in this secret when it is generated.
	ExcludeCharacters() *string
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The ARN of the secret in AWS Secrets Manager.
	//
	// Will return the full ARN if available, otherwise a partial arn.
	// For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
	SecretArn() *string
	// The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
	//
	// This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
	SecretFullArn() *string
	// The name of the secret.
	//
	// For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
	// '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
	SecretName() *string
	// Retrieve the value of the stored secret as a `SecretValue`.
	SecretValue() awscdk.SecretValue
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Adds a replica region for the secret.
	//
	// encryptionKey is the key used for the replica; whether nil falls back to the
	// region's default KMS key is not documented here — confirm before relying on it.
	AddReplicaRegion(region *string, encryptionKey awskms.IKey)
	// Adds a rotation schedule to the secret.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Adds a statement to the IAM resource policy associated with this secret.
	//
	// If this secret was created in this stack, a resource policy will be
	// automatically created upon the first call to `addToResourcePolicy`. If
	// the secret is imported, then this is a no-op. Callers that must know whether
	// the statement took effect should inspect the returned result rather than
	// assume it was applied.
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Attach a target to this secret.
	//
	// Returns: An attached secret.
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies the `DeleteSecret` action to all principals within the current account.
	//
	// This is a resource-policy guard against accidental or unauthorised deletion;
	// it is presumably implemented through AddToResourcePolicy and so would be a
	// no-op for imported secrets — confirm against the package source.
	DenyAccountRootDelete()
	// Not documented on this page; presumably produces a physical name for the
	// resource, inherited from awscdk.Resource — confirm against that type.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Grants reading the secret value to some role.
	//
	// versionStages is passed through to the grant; the page does not document
	// how a nil value is treated, so scope it explicitly when only a particular
	// stage should be readable.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value to some role.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	// Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	// Returns a string representation of this construct.
	ToString() *string
}
Creates a new secret in AWS SecretsManager.
Example:
// Example: a JSON secret whose fields are references to other resources.
// Per the SecretProps documentation, `unsafePlainText` values are rendered into
// the CloudFormation template: "username" is an intrinsic reference and
// "password" is the access key's secret attribute, but "database" is a literal
// that will be visible to anyone who can read the template.
var stack stack

user := iam.NewUser(this, jsii.String("User"))
accessKey := iam.NewAccessKey(this, jsii.String("AccessKey"), &AccessKeyProps{
	User: User,
})
secretsmanager.NewSecret(this, jsii.String("Secret"), &SecretProps{
	SecretObjectValue: map[string]secretValue{
		"username": awscdk.SecretValue_unsafePlainText(user.userName),
		"database": awscdk.SecretValue_unsafePlainText(jsii.String("foo")),
		"password": accessKey.secretAccessKey,
	},
})
func NewSecret ¶
// NewSecret creates a new secret in AWS Secrets Manager.
//
// With no value-related props, Secrets Manager generates the value (see
// SecretProps.GenerateSecretString); supplying SecretStringValue or
// SecretObjectValue puts that material into the synthesized template.
func NewSecret(scope constructs.Construct, id *string, props *SecretProps) Secret
type SecretAttachmentTargetProps ¶
// SecretAttachmentTargetProps describe the target a secret is attached to
// (see Secret.Attach and ISecretAttachmentTarget).
type SecretAttachmentTargetProps struct {
	// The id of the target to attach the secret to.
	TargetId *string `field:"required" json:"targetId" yaml:"targetId"`
	// The type of the target to attach the secret to.
	TargetType AttachmentTargetType `field:"required" json:"targetType" yaml:"targetType"`
}
Attachment target specifications.
Example:
// Example: building a SecretAttachmentTargetProps value for an RDS DB instance
// (generator-produced placeholders).
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

secretAttachmentTargetProps := &SecretAttachmentTargetProps{
	TargetId: jsii.String("targetId"),
	TargetType: awscdk.Aws_secretsmanager.AttachmentTargetType_RDS_DB_INSTANCE,
}
type SecretAttributes ¶
// SecretAttributes are the attributes used to import an existing secret into a stack.
//
// Exactly one ARN form is expected. NOTE(review): the surrounding text also
// mentions a `secretArn` attribute, but it is not a field of this struct as
// rendered here — confirm against the package source.
type SecretAttributes struct {
	// The encryption key that is used to encrypt the secret, unless the default SecretsManager key is used.
	EncryptionKey awskms.IKey `field:"optional" json:"encryptionKey" yaml:"encryptionKey"`
	// The complete ARN of the secret in SecretsManager.
	//
	// This is the ARN including the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretPartialArn`.
	SecretCompleteArn *string `field:"optional" json:"secretCompleteArn" yaml:"secretCompleteArn"`
	// The partial ARN of the secret in SecretsManager.
	//
	// This is the ARN without the Secrets Manager 6-character suffix.
	// Cannot be used with `secretArn` or `secretCompleteArn`.
	SecretPartialArn *string `field:"optional" json:"secretPartialArn" yaml:"secretPartialArn"`
}
Attributes required to import an existing secret into the Stack.
One ARN format (`secretArn`, `secretCompleteArn`, `secretPartialArn`) must be provided.
Example:
// Example: importing an existing secret by its complete ARN and passing its
// value to a Cognito identity provider. The ARN and client id are placeholder
// strings; a real complete ARN ends with the Secrets Manager 6-character suffix.
userpool := cognito.NewUserPool(this, jsii.String("Pool"))
secret := secretsmanager.Secret_FromSecretAttributes(this, jsii.String("CognitoClientSecret"), &SecretAttributes{
	SecretCompleteArn: jsii.String("arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"),
}).SecretValue
provider := cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("Google"), &UserPoolIdentityProviderGoogleProps{
	ClientId: jsii.String("amzn-client-id"),
	ClientSecretValue: secret,
	UserPool: userpool,
})
type SecretProps ¶
// SecretProps are the properties required to create a new secret in AWS Secrets Manager.
//
// Only one of GenerateSecretString, SecretStringValue, SecretObjectValue and the
// deprecated SecretStringBeta1 may be provided. Leaving all of them unset lets
// Secrets Manager generate the value, which keeps secret material out of the
// synthesized CloudFormation template.
type SecretProps struct {
	// An optional, human-friendly description of the secret.
	// Default: - No description.
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// The customer-managed encryption key to use for encrypting the secret value.
	// Default: - A default KMS key for the account and region is used.
	//
	EncryptionKey awskms.IKey `field:"optional" json:"encryptionKey" yaml:"encryptionKey"`
	// Configuration for how to generate a secret value.
	//
	// Only one of `secretString` and `generateSecretString` can be provided.
	// Default: - 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
	// category), per the default values of `SecretStringGenerator`.
	//
	GenerateSecretString *SecretStringGenerator `field:"optional" json:"generateSecretString" yaml:"generateSecretString"`
	// Policy to apply when the secret is removed from this stack.
	// Default: - Not set.
	//
	RemovalPolicy awscdk.RemovalPolicy `field:"optional" json:"removalPolicy" yaml:"removalPolicy"`
	// A list of regions where to replicate this secret.
	// Default: - Secret is not replicated.
	//
	ReplicaRegions *[]*ReplicaRegion `field:"optional" json:"replicaRegions" yaml:"replicaRegions"`
	// A name for the secret.
	//
	// Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
	// 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
	// Default: - A name is generated by CloudFormation.
	//
	SecretName *string `field:"optional" json:"secretName" yaml:"secretName"`
	// Initial value for a JSON secret.
	//
	// **NOTE:** It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
	// The secret object -- if provided -- will be included in the output of the cdk as part of synthesis,
	// and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to
	// another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
	// to the CloudFormation template (via the AWS Console, SDKs, or CLI).
	//
	// Specifies a JSON object that you want to encrypt and store in this new version of the secret.
	// To specify a simple string value instead, use `SecretProps.secretStringValue`
	//
	// Only one of `secretStringBeta1`, `secretStringValue`, `secretObjectValue`, and `generateSecretString` can be provided.
	//
	// Example:
	//   var user user
	//   var accessKey accessKey
	//   var stack stack
	//
	//   secretsmanager.NewSecret(stack, jsii.String("JSONSecret"), &SecretProps{
	//   	SecretObjectValue: map[string]secretValue{
	//   		"username": awscdk.SecretValue_unsafePlainText(user.userName),
	//   		 // intrinsic reference, not exposed as plaintext
	//   		"database": awscdk.SecretValue_unsafePlainText(jsii.String("foo")),
	//   		 // rendered as plain text, but not a secret
	//   		"password": accessKey.secretAccessKey,
	//   	},
	//   })
	//
	// Default: - SecretsManager generates a new secret value.
	//
	SecretObjectValue *map[string]awscdk.SecretValue `field:"optional" json:"secretObjectValue" yaml:"secretObjectValue"`
	// Initial value for the secret.
	//
	// **NOTE:** It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
	// The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
	// and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to
	// another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
	// to the CloudFormation template (via the AWS Console, SDKs, or CLI).
	//
	// Specifies text data that you want to encrypt and store in this new version of the secret.
	// May be a simple string value, or a string representation of a JSON structure.
	//
	// Only one of `secretStringBeta1`, `secretStringValue`, and `generateSecretString` can be provided.
	// Default: - SecretsManager generates a new secret value.
	//
	// Deprecated: Use `secretStringValue` instead.
	SecretStringBeta1 SecretStringValueBeta1 `field:"optional" json:"secretStringBeta1" yaml:"secretStringBeta1"`
	// Initial value for the secret.
	//
	// **NOTE:** It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
	// The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
	// and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to
	// another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
	// to the CloudFormation template (via the AWS Console, SDKs, or CLI).
	//
	// Specifies text data that you want to encrypt and store in this new version of the secret.
	// May be a simple string value. To provide a string representation of JSON structure, use `SecretProps.secretObjectValue` instead.
	//
	// Only one of `secretStringBeta1`, `secretStringValue`, `secretObjectValue`, and `generateSecretString` can be provided.
	// Default: - SecretsManager generates a new secret value.
	//
	SecretStringValue awscdk.SecretValue `field:"optional" json:"secretStringValue" yaml:"secretStringValue"`
}
The properties required to create a new secret in AWS Secrets Manager.
Example:
// Example: a JSON secret whose fields are references to other resources.
// Per the SecretProps documentation, `unsafePlainText` values are rendered into
// the CloudFormation template: "username" is an intrinsic reference and
// "password" is the access key's secret attribute, but "database" is a literal
// that will be visible to anyone who can read the template.
var stack stack

user := iam.NewUser(this, jsii.String("User"))
accessKey := iam.NewAccessKey(this, jsii.String("AccessKey"), &AccessKeyProps{
	User: User,
})
secretsmanager.NewSecret(this, jsii.String("Secret"), &SecretProps{
	SecretObjectValue: map[string]secretValue{
		"username": awscdk.SecretValue_unsafePlainText(user.userName),
		"database": awscdk.SecretValue_unsafePlainText(jsii.String("foo")),
		"password": accessKey.secretAccessKey,
	},
})
type SecretRotation ¶
// SecretRotation wires a rotation serverless application to a secret for a
// service or database (see SecretRotationProps and NewSecretRotation).
type SecretRotation interface {
	constructs.Construct
	// The tree node.
	Node() constructs.Node
	// Returns a string representation of this construct.
	ToString() *string
}
Secret rotation for a service or database.
Example:
// Example: multi-user MySQL rotation. The user secret is the one rotated; the
// master secret is only used by the rotation application to manage users, so it
// should be the more tightly guarded of the two.
var myUserSecret secret
var myMasterSecret secret
var myDatabase iConnectable
var myVpc vpc

secretsmanager.NewSecretRotation(this, jsii.String("SecretRotation"), &SecretRotationProps{
	Application: secretsmanager.SecretRotationApplication_MYSQL_ROTATION_MULTI_USER(),
	Secret: myUserSecret, // The secret that will be rotated
	MasterSecret: myMasterSecret, // The secret used for the rotation
	Target: myDatabase,
	Vpc: myVpc,
})
func NewSecretRotation ¶
// NewSecretRotation creates a SecretRotation that runs the application named in
// props inside props.Vpc against props.Target. The secret must use the JSON
// layout documented on SecretRotationProps.Secret.
func NewSecretRotation(scope constructs.Construct, id *string, props *SecretRotationProps) SecretRotation
type SecretRotationApplication ¶
// SecretRotationApplication identifies a secret rotation serverless application
// by application id and semantic version, with partition-aware lookups.
type SecretRotationApplication interface {
	// Whether the rotation application uses the multi user scheme.
	IsMultiUser() *bool
	// Returns the application ARN for the current partition.
	//
	// Can be used in combination with a `CfnMapping` to automatically select the correct ARN based on the current partition.
	ApplicationArnForPartition(partition *string) *string
	// The semantic version of the app for the current partition.
	//
	// Can be used in combination with a `CfnMapping` to automatically select the correct version based on the current partition.
	SemanticVersionForPartition(partition *string) *string
}
A secret rotation serverless application.
Example:
// Example: multi-user MySQL rotation. The user secret is the one rotated; the
// master secret is only used by the rotation application to manage users, so it
// should be the more tightly guarded of the two.
var myUserSecret secret
var myMasterSecret secret
var myDatabase iConnectable
var myVpc vpc

secretsmanager.NewSecretRotation(this, jsii.String("SecretRotation"), &SecretRotationProps{
	Application: secretsmanager.SecretRotationApplication_MYSQL_ROTATION_MULTI_USER(),
	Secret: myUserSecret, // The secret that will be rotated
	MasterSecret: myMasterSecret, // The secret used for the rotation
	Target: myDatabase,
	Vpc: myVpc,
})
func NewSecretRotationApplication ¶
// NewSecretRotationApplication describes a custom rotation serverless application
// by its applicationId and semanticVersion; options.IsMultiUser selects the
// multi-user scheme (default false). The built-in applications are available
// through the SecretRotationApplication_*_ROTATION_* functions.
func NewSecretRotationApplication(applicationId *string, semanticVersion *string, options *SecretRotationApplicationOptions) SecretRotationApplication
func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER ¶
// SecretRotationApplication_MARIADB_ROTATION_MULTI_USER returns the built-in MariaDB
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_MARIADB_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER returns the built-in MariaDB
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_MARIADB_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER ¶
// SecretRotationApplication_MONGODB_ROTATION_MULTI_USER returns the built-in MongoDB
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_MONGODB_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER returns the built-in MongoDB
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_MONGODB_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER ¶
// SecretRotationApplication_MYSQL_ROTATION_MULTI_USER returns the built-in MySQL
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_MYSQL_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER returns the built-in MySQL
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_MYSQL_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER ¶
// SecretRotationApplication_ORACLE_ROTATION_MULTI_USER returns the built-in Oracle
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_ORACLE_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER returns the built-in Oracle
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_ORACLE_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER ¶
// SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER returns the built-in PostgreSQL
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_POSTGRES_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER returns the built-in PostgreSQL
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_POSTGRES_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER ¶
// SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER returns the built-in Redshift
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_REDSHIFT_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER returns the built-in Redshift
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_REDSHIFT_ROTATION_SINGLE_USER() SecretRotationApplication
func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER ¶
// SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER returns the built-in SQL Server
// multi-user rotation application; it requires SecretRotationProps.MasterSecret.
func SecretRotationApplication_SQLSERVER_ROTATION_MULTI_USER() SecretRotationApplication
func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER ¶
// SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER returns the built-in SQL Server
// single-user rotation application (the default scheme; no master secret).
func SecretRotationApplication_SQLSERVER_ROTATION_SINGLE_USER() SecretRotationApplication
type SecretRotationApplicationOptions ¶
// SecretRotationApplicationOptions are the options for NewSecretRotationApplication.
type SecretRotationApplicationOptions struct {
	// Whether the rotation application uses the multi user scheme.
	// Default: false.
	//
	IsMultiUser *bool `field:"optional" json:"isMultiUser" yaml:"isMultiUser"`
}
Options for a SecretRotationApplication.
Example:
// Example: building a SecretRotationApplicationOptions value (generator-produced placeholders).
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

secretRotationApplicationOptions := &SecretRotationApplicationOptions{
	IsMultiUser: jsii.Boolean(false),
}
type SecretRotationProps ¶
// SecretRotationProps are the construction properties for a SecretRotation.
//
// The rotation Lambda runs inside Vpc (optionally restricted by VpcSubnets and
// SecurityGroup) and must be able to reach both Target and the Secrets Manager
// API, via Endpoint when the VPC has no public DNS path to the service.
type SecretRotationProps struct {
	// The serverless application for the rotation.
	Application SecretRotationApplication `field:"required" json:"application" yaml:"application"`
	// The secret to rotate. It must be a JSON string with the following format:
	//
	// ```
	// {
	//   "engine": <required: database engine>,
	//   "host": <required: instance host name>,
	//   "username": <required: username>,
	//   "password": <required: password>,
	//   "dbname": <optional: database name>,
	//   "port": <optional: if not specified, default port will be used>,
	//   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
	// }
	// ```
	//
	// This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
	// or an `ISecret` returned by the `attach()` method of `Secret`.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
	//
	Secret ISecret `field:"required" json:"secret" yaml:"secret"`
	// The target service or database.
	Target awsec2.IConnectable `field:"required" json:"target" yaml:"target"`
	// The VPC where the Lambda rotation function will run.
	Vpc awsec2.IVpc `field:"required" json:"vpc" yaml:"vpc"`
	// Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
	// Default: Duration.days(30)
	//
	AutomaticallyAfter awscdk.Duration `field:"optional" json:"automaticallyAfter" yaml:"automaticallyAfter"`
	// The VPC interface endpoint to use for the Secrets Manager API.
	//
	// If you enable private DNS hostnames for your VPC private endpoint (the default), you don't
	// need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager
	// CLI and SDKs use by default (https://secretsmanager.<region>.amazonaws.com) automatically
	// resolves to your VPC endpoint.
	// Default: https://secretsmanager.<region>.amazonaws.com
	//
	Endpoint awsec2.IInterfaceVpcEndpoint `field:"optional" json:"endpoint" yaml:"endpoint"`
	// Characters which should not appear in the generated password.
	// Default: - no additional characters are explicitly excluded.
	//
	ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"`
	// The master secret for a multi user rotation scheme.
	//
	// Required when Application uses the multi-user scheme; it is the credential
	// the rotation application uses to create users and change passwords.
	// Default: - single user rotation scheme.
	//
	MasterSecret ISecret `field:"optional" json:"masterSecret" yaml:"masterSecret"`
	// Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
	// Default: true.
	//
	RotateImmediatelyOnUpdate *bool `field:"optional" json:"rotateImmediatelyOnUpdate" yaml:"rotateImmediatelyOnUpdate"`
	// The security group for the Lambda rotation function.
	// Default: - a new security group is created.
	//
	SecurityGroup awsec2.ISecurityGroup `field:"optional" json:"securityGroup" yaml:"securityGroup"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Default: - the Vpc default strategy if not specified.
	//
	VpcSubnets *awsec2.SubnetSelection `field:"optional" json:"vpcSubnets" yaml:"vpcSubnets"`
}
Construction properties for a SecretRotation.
Example:
// Example: multi-user MySQL rotation. The user secret is the one rotated; the
// master secret is only used by the rotation application to manage users, so it
// should be the more tightly guarded of the two.
var myUserSecret secret
var myMasterSecret secret
var myDatabase iConnectable
var myVpc vpc

secretsmanager.NewSecretRotation(this, jsii.String("SecretRotation"), &SecretRotationProps{
	Application: secretsmanager.SecretRotationApplication_MYSQL_ROTATION_MULTI_USER(),
	Secret: myUserSecret, // The secret that will be rotated
	MasterSecret: myMasterSecret, // The secret used for the rotation
	Target: myDatabase,
	Vpc: myVpc,
})
type SecretStringGenerator ¶
// SecretStringGenerator configures how Secrets Manager generates a secret value
// such as a password (see SecretProps.GenerateSecretString).
//
// With every field unset the documented defaults give a 32-character password
// drawing on uppercase, lowercase, digits and punctuation with at least one of
// each. Every Exclude* flag shrinks the character set, so pair exclusions with a
// longer PasswordLength if the target system needs them.
type SecretStringGenerator struct {
	// A string that includes characters that shouldn't be included in the generated password.
	//
	// The string can be a minimum
	// of `0` and a maximum of `4096` characters long.
	// Default: no exclusions.
	//
	ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"`
	// Specifies that the generated password shouldn't include lowercase letters.
	// Default: false.
	//
	ExcludeLowercase *bool `field:"optional" json:"excludeLowercase" yaml:"excludeLowercase"`
	// Specifies that the generated password shouldn't include digits.
	// Default: false.
	//
	ExcludeNumbers *bool `field:"optional" json:"excludeNumbers" yaml:"excludeNumbers"`
	// Specifies that the generated password shouldn't include punctuation characters.
	// Default: false.
	//
	ExcludePunctuation *bool `field:"optional" json:"excludePunctuation" yaml:"excludePunctuation"`
	// Specifies that the generated password shouldn't include uppercase letters.
	// Default: false.
	//
	ExcludeUppercase *bool `field:"optional" json:"excludeUppercase" yaml:"excludeUppercase"`
	// The JSON key name that's used to add the generated password to the JSON structure specified by the `secretStringTemplate` parameter.
	//
	// If you specify `generateStringKey` then `secretStringTemplate`
	// must also be specified.
	GenerateStringKey *string `field:"optional" json:"generateStringKey" yaml:"generateStringKey"`
	// Specifies that the generated password can include the space character.
	// Default: false.
	//
	IncludeSpace *bool `field:"optional" json:"includeSpace" yaml:"includeSpace"`
	// The desired length of the generated password.
	// Default: 32.
	//
	PasswordLength *float64 `field:"optional" json:"passwordLength" yaml:"passwordLength"`
	// Specifies whether the generated password must include at least one of every allowed character type.
	// Default: true.
	//
	RequireEachIncludedType *bool `field:"optional" json:"requireEachIncludedType" yaml:"requireEachIncludedType"`
	// A properly structured JSON string that the generated password can be added to.
	//
	// The `generateStringKey` is
	// combined with the generated random string and inserted into the JSON structure that's specified by this parameter.
	// The merged JSON string is returned as the completed SecretString of the secret. If you specify `secretStringTemplate`
	// then `generateStringKey` must also be specified. Note that the template is
	// a construction property, so its contents (e.g. a username) are part of the
	// synthesized template; only the generated key is produced by Secrets Manager.
	SecretStringTemplate *string `field:"optional" json:"secretStringTemplate" yaml:"secretStringTemplate"`
}
Configuration to generate secrets such as passwords automatically.
Example:
// Example: a generated admin secret, a templated secret whose password is
// generated under the "password" key, and a second instance using that secret.
// NOTE(review): `Vpc: Vpc` below refers to an undeclared identifier as rendered;
// the variable declared here is `vpc`.
var vpc iVpc

instance1 := rds.NewDatabaseInstance(this, jsii.String("PostgresInstance1"), &DatabaseInstanceProps{
	Engine: rds.DatabaseInstanceEngine_POSTGRES(),
	// Generate the secret with admin username `postgres` and random password
	Credentials: rds.Credentials_FromGeneratedSecret(jsii.String("postgres")),
	Vpc:         Vpc,
})

// Templated secret with username and password fields.
// Only the non-secret username is placed in the template; the password is generated.
templatedSecret := secretsmanager.NewSecret(this, jsii.String("TemplatedSecret"), &SecretProps{
	GenerateSecretString: &SecretStringGenerator{
		SecretStringTemplate: jSON.stringify(map[string]*string{
			"username": jsii.String("postgres"),
		}),
		GenerateStringKey: jsii.String("password"),
		ExcludeCharacters: jsii.String("/@\""),
	},
})

// Using the templated secret as credentials
instance2 := rds.NewDatabaseInstance(this, jsii.String("PostgresInstance2"), &DatabaseInstanceProps{
	Engine: rds.DatabaseInstanceEngine_POSTGRES(),
	Credentials: map[string]interface{}{
		"username": templatedSecret.secretValueFromJson(jsii.String("username")).toString(),
		"password": templatedSecret.secretValueFromJson(jsii.String("password")),
	},
	Vpc: Vpc,
})
type SecretStringValueBeta1
// SecretStringValueBeta1 is an experimental wrapper around an initial secret
// value for a Secret. Instances are created with SecretStringValueBeta1_FromToken
// or SecretStringValueBeta1_FromUnsafePlaintext.
//
// Deprecated: Use `cdk.SecretValue` instead.
type SecretStringValueBeta1 interface {
	// Returns the secret value.
	// Deprecated: Use `cdk.SecretValue` instead.
	SecretValue() *string
}
An experimental class used to specify an initial secret value for a Secret.
The class wraps a simple string (or JSON representation) in order to provide some safety checks and warnings about the dangers of using plaintext strings as initial secret seed values via CDK/CloudFormation.
Example:
// Example: build the initial secret value from Tokens (the user name and the
// access key's secret) rather than from literals.
// NOTE(review): FromToken accepts this because the pieces are Tokens; a literal
// password written here would be plaintext in the synthesized template.
user := iam.NewUser(this, jsii.String("User"))
accessKey := iam.NewAccessKey(this, jsii.String("AccessKey"), &AccessKeyProps{
	User: User,
})
secretValue := secretsmanager.SecretStringValueBeta1_FromToken(jSON.stringify(map[string]interface{}{
	"username": user.userName,
	"database": jsii.String("foo"),
	"password": accessKey.secretAccessKey.unsafeUnwrap(),
}))
Deprecated: Use `cdk.SecretValue` instead.
func SecretStringValueBeta1_FromToken (added in v2.4.0)
// SecretStringValueBeta1_FromToken creates a SecretStringValueBeta1 from a
// string value coming from a Token, such as a `Ref` or `Fn::GetAtt` reference
// to another resource or the output of a Custom Resource. It throws if it
// determines the input is an unsafe plaintext string.
//
// A Token does not by itself guarantee safety: a Lazy-evaluated string that
// produces a literal password is a Token but still resolves to plaintext.
//
// Deprecated: Use `cdk.SecretValue` instead.
func SecretStringValueBeta1_FromToken(secretValueFromToken *string) SecretStringValueBeta1
Creates a `SecretStringValueBeta1` from a string value coming from a Token.
The intent is to enable creating secrets from references (e.g., `Ref`, `Fn::GetAtt`) from other resources. This might be the direct output of another Construct, or the output of a Custom Resource. This method throws if it determines the input is an unsafe plaintext string.
For example:
```ts
// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });

const secret = new secretsmanager.Secret(this, 'Secret', {
  secretStringValue: accessKey.secretAccessKey,
});
```
The secret may also be embedded in a string representation of a JSON structure:
```ts
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });

const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(JSON.stringify({
  username: user.userName,
  database: 'foo',
  password: accessKey.secretAccessKey.unsafeUnwrap(),
}));
```
Note that the value being a Token does *not* guarantee safety. For example, a Lazy-evaluated string (e.g., `Lazy.string({ produce: () => 'myInsecurePassword' })`) is a Token, but its output is ultimately a plaintext string, and so it is insecure.

Deprecated: Use `cdk.SecretValue` instead.
func SecretStringValueBeta1_FromUnsafePlaintext (added in v2.4.0)
// SecretStringValueBeta1_FromUnsafePlaintext creates a SecretStringValueBeta1
// from a plaintext value.
//
// This is inherently unsafe: the value may be visible in source control and
// appears in plaintext in the resulting CloudFormation template, including in
// the AWS Console or APIs. Usage is discouraged, especially for production
// workloads.
//
// Deprecated: Use `cdk.SecretValue` instead.
func SecretStringValueBeta1_FromUnsafePlaintext(secretValue *string) SecretStringValueBeta1
Creates a `SecretStringValueBeta1` from a plaintext value.
This approach is inherently unsafe, as the secret value may be visible in your source control repository and will also appear in plaintext in the resulting CloudFormation template, including in the AWS Console or APIs. Usage of this method is discouraged, especially for production workloads.

Deprecated: Use `cdk.SecretValue` instead.
type SecretTargetAttachment
// SecretTargetAttachment is an attached secret: an ISecret bound to an
// ISecretAttachmentTarget. Resource-policy additions are forwarded to the
// original secret (see AddToResourcePolicy).
type SecretTargetAttachment interface {
	awscdk.Resource
	ISecret
	ISecretTargetAttachment
	// Provides an identifier for this secret for use in IAM policies.
	//
	// If there is a full ARN, this is just the ARN;
	// if we have a partial ARN -- due to either importing by secret name or partial ARN --
	// then we need to add a suffix to capture the full ARN's format.
	ArnForPolicies() *string
	// NOTE(review): undocumented upstream; presumably whether a resource policy is
	// created automatically on first policy addition — confirm against the implementation.
	AutoCreatePolicy() *bool
	// The customer-managed encryption key that is used to encrypt this secret, if any.
	//
	// When not specified, the default
	// KMS key for the account and region is being used.
	EncryptionKey() awskms.IKey
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	// cross-environment scenarios.
	PhysicalName() *string
	// The ARN of the secret in AWS Secrets Manager.
	//
	// Will return the full ARN if available, otherwise a partial arn.
	// For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
	SecretArn() *string
	// The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
	//
	// This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
	SecretFullArn() *string
	// The name of the secret.
	//
	// For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
	// '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
	SecretName() *string
	// Same as `secretArn`.
	SecretTargetAttachmentSecretArn() *string
	// Retrieve the value of the stored secret as a `SecretValue`.
	SecretValue() awscdk.SecretValue
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Adds a rotation schedule to the secret.
	AddRotationSchedule(id *string, options *RotationScheduleOptions) RotationSchedule
	// Forward any additions to the resource policy to the original secret.
	//
	// This is required because a secret can only have a single resource policy.
	// If we do not forward policy additions, a new policy resource is created using the secret attachment ARN.
	// This ends up being rejected by CloudFormation.
	AddToResourcePolicy(statement awsiam.PolicyStatement) *awsiam.AddToResourcePolicyResult
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Attach a target to this secret.
	//
	// Returns: An attached secret.
	Attach(target ISecretAttachmentTarget) ISecret
	// Denies the `DeleteSecret` action to all principals within the current account.
	DenyAccountRootDelete()
	// NOTE(review): undocumented upstream; inherited from awscdk.Resource — confirm semantics there.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Grants reading the secret value to some role.
	GrantRead(grantee awsiam.IGrantable, versionStages *[]*string) awsiam.Grant
	// Grants writing and updating the secret value to some role.
	GrantWrite(grantee awsiam.IGrantable) awsiam.Grant
	// Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
	SecretValueFromJson(jsonField *string) awscdk.SecretValue
	// Returns a string representation of this construct.
	ToString() *string
}
An attached secret.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var secret secret
var secretAttachmentTarget iSecretAttachmentTarget

secretTargetAttachment := awscdk.Aws_secretsmanager.NewSecretTargetAttachment(this, jsii.String("MySecretTargetAttachment"), &SecretTargetAttachmentProps{
	Secret: secret,
	Target: secretAttachmentTarget,
})
func NewSecretTargetAttachment
// NewSecretTargetAttachment creates an attached secret under scope with the
// given id, binding props.Secret to props.Target (both required).
func NewSecretTargetAttachment(scope constructs.Construct, id *string, props *SecretTargetAttachmentProps) SecretTargetAttachment
type SecretTargetAttachmentProps
// SecretTargetAttachmentProps are the construction properties for an
// AttachedSecret; both fields are required.
type SecretTargetAttachmentProps struct {
	// The target to attach the secret to.
	Target ISecretAttachmentTarget `field:"required" json:"target" yaml:"target"`
	// The secret to attach to the target.
	Secret ISecret `field:"required" json:"secret" yaml:"secret"`
}
Construction properties for an AttachedSecret.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var secret secret
var secretAttachmentTarget iSecretAttachmentTarget

secretTargetAttachmentProps := &SecretTargetAttachmentProps{
	Secret: secret,
	Target: secretAttachmentTarget,
}
type SingleUserHostedRotationOptions
// SingleUserHostedRotationOptions configures the Lambda that AWS hosts to
// rotate a single-user secret. All fields are optional.
type SingleUserHostedRotationOptions struct {
	// A string of the characters that you don't want in the password.
	// Default: the same exclude characters as the ones used for the
	// secret or " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
	//
	ExcludeCharacters *string `field:"optional" json:"excludeCharacters" yaml:"excludeCharacters"`
	// A name for the Lambda created to rotate the secret.
	// Default: - a CloudFormation generated name.
	//
	FunctionName *string `field:"optional" json:"functionName" yaml:"functionName"`
	// A list of security groups for the Lambda created to rotate the secret.
	// Default: - a new security group is created.
	//
	SecurityGroups *[]awsec2.ISecurityGroup `field:"optional" json:"securityGroups" yaml:"securityGroups"`
	// The VPC where the Lambda rotation function will run.
	// Default: - the Lambda is not deployed in a VPC.
	//
	// NOTE(review): a database that is only reachable inside a VPC needs this set, and
	// the rotation function must be allowed through the database's connections, as the
	// example below does with `dbConnections.AllowDefaultPortFrom(myHostedRotation)`.
	Vpc awsec2.IVpc `field:"optional" json:"vpc" yaml:"vpc"`
	// The type of subnets in the VPC where the Lambda rotation function will run.
	// Default: - the Vpc default strategy if not specified.
	//
	VpcSubnets *awsec2.SubnetSelection `field:"optional" json:"vpcSubnets" yaml:"vpcSubnets"`
}
Single user hosted rotation options.
Example:
// Example: single-user MySQL hosted rotation running inside myVpc. The last
// line opens the database's default port to the rotation function.
var myVpc iVpc
var dbConnections connections
var secret secret

myHostedRotation := secretsmanager.HostedRotation_MysqlSingleUser(&SingleUserHostedRotationOptions{
	Vpc: myVpc,
})
secret.addRotationSchedule(jsii.String("RotationSchedule"), &RotationScheduleOptions{
	HostedRotation: myHostedRotation,
})
dbConnections.AllowDefaultPortFrom(myHostedRotation)