From 752c8d4fff8f2b92db5cecf86b3c7b199363af78 Mon Sep 17 00:00:00 2001 From: Justin Debuse Date: Mon, 28 Jul 2025 15:03:43 +0100 Subject: [PATCH 1/2] feat(core): add methods to SecretValue and aws-secretsmanager Secret to obtain a literal (unresolved by CloudFormation) dynamic reference key --- ...-secrets-dynamic-reference-key.assets.json | 20 + ...ecrets-dynamic-reference-key.template.json | 73 +++ .../cdk.out | 1 + ...efaultTestDeployAssert14A59A81.assets.json | 20 + ...aultTestDeployAssert14A59A81.template.json | 36 ++ .../integ.json | 13 + .../manifest.json | 602 ++++++++++++++++++ .../tree.json | 1 + .../integ.secret.dynamic-reference-key.ts | 38 ++ .../aws-secretsmanager/lib/secret.ts | 24 +- .../aws-secretsmanager/test/secret.test.ts | 55 ++ packages/aws-cdk-lib/core/lib/secret-value.ts | 17 +- .../core/test/secret-value.test.ts | 112 ++++ 13 files changed, 1009 insertions(+), 3 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.assets.json new file mode 100644 index 0000000000000..f2b8b5402082c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.assets.json @@ -0,0 +1,20 @@ +{ + "version": "45.0.0", + "files": { + "b9a847e4f287bb981a1f9425d6f16b303a242c9278d9bed64f21b4dcc53a1284": { + "displayName": "cdk-integ-secrets-dynamic-reference-key Template", + "source": { + "path": "cdk-integ-secrets-dynamic-reference-key.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-c91860d5": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "b9a847e4f287bb981a1f9425d6f16b303a242c9278d9bed64f21b4dcc53a1284.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.template.json new file mode 100644 index 0000000000000..9aa840314023d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk-integ-secrets-dynamic-reference-key.template.json @@ -0,0 +1,73 @@ +{ + "Resources": { + "SecretA720EF05": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "GenerateSecretString": {} + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "JSONSecret6FE68AEF": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "SecretString": { + "Fn::Join": [ + "", + [ + "{\"cfnDynamicReferenceKeyWithDefaults\":\"", + { + "Ref": "SecretA720EF05" + }, + ":SecretString:::\",\"cfnDynamicReferenceKeyWithJsonFieldAndVersionStage\":\"", + { + "Ref": "SecretA720EF05" + }, + ":SecretString:json-key:version-stage:\",\"cfnDynamicReferenceKeyWithJsonFieldAndVersionId\":\"", + { + "Ref": "SecretA720EF05" + }, + ":SecretString:json-key::version-id\"}" + ] + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk.out new file mode 100644 index 0000000000000..3704a1b682acf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"45.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets.json new file mode 100644 index 0000000000000..22ea65384b664 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets.json @@ -0,0 +1,20 @@ +{ + "version": "45.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81 Template", + "source": { + "path": "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/integ.json new file mode 100644 index 0000000000000..54975d3966b4c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "45.0.0", + "testCases": { + "cdk-integ-secrets-dynamic-reference-key-test/DefaultTest": { + "stacks": [ + "cdk-integ-secrets-dynamic-reference-key" + ], + "assertionStack": "cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert", + "assertionStackName": "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81" + } + }, + "minimumCliVersion": "2.1020.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/manifest.json new file mode 100644 index 0000000000000..9e166bd9f5a73 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/manifest.json @@ -0,0 +1,602 @@ +{ + "version": "45.0.0", + "artifacts": { + "cdk-integ-secrets-dynamic-reference-key.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdk-integ-secrets-dynamic-reference-key.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdk-integ-secrets-dynamic-reference-key": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdk-integ-secrets-dynamic-reference-key.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b9a847e4f287bb981a1f9425d6f16b303a242c9278d9bed64f21b4dcc53a1284.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdk-integ-secrets-dynamic-reference-key.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdk-integ-secrets-dynamic-reference-key.assets" + ], + "metadata": { + "/cdk-integ-secrets-dynamic-reference-key/Secret": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/cdk-integ-secrets-dynamic-reference-key/Secret/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SecretA720EF05" + } + ], + "/cdk-integ-secrets-dynamic-reference-key/JSONSecret": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "secretObjectValue": "*" + } + } + ], + "/cdk-integ-secrets-dynamic-reference-key/JSONSecret/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "JSONSecret6FE68AEF" + } + ], + "/cdk-integ-secrets-dynamic-reference-key/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdk-integ-secrets-dynamic-reference-key/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdk-integ-secrets-dynamic-reference-key" + }, + "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdkintegsecretsdynamicreferencekeytestDefaultTestDeployAssert14A59A81.assets" + ], + "metadata": { + "/cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/core:enableStackNameDuplicates": { + "recommendedValue": true, + "explanation": "Allow multiple stacks with the same name" + }, + "aws-cdk:enableDiffNoFail": { + "recommendedValue": true, + "explanation": "Make `cdk diff` not fail when there are differences" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD" + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path" + }, + "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": { + "recommendedValue": true, + "explanation": "DockerImageAsset properly supports `.dockerignore` files by default" + }, + "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": { + "recommendedValue": true, + "explanation": "Fix the referencing of SecretsManager names from ARNs" + }, + "@aws-cdk/aws-kms:defaultKeyPolicies": { + "recommendedValue": true, + "explanation": "Tighten default KMS key policies" + }, + "@aws-cdk/aws-s3:grantWriteWithoutAcl": { + "recommendedValue": true, + "explanation": "Remove `PutObjectAcl` from Bucket.grantWrite" + }, + "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": { + "recommendedValue": true, + "explanation": "Do not specify a default DesiredCount for ECS services" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK" + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently" + }, + "@aws-cdk/aws-efs:defaultEncryptionAtRest": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have elastic file systems encrypted at rest by default." + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default." + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy" + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model." + }, + "@aws-cdk/core:explicitStackTags": { + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis." + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy" + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role" + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + } + } + } + } + }, + "minimumCliVersion": "2.1020.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/tree.json new file mode 100644 index 0000000000000..90ac67740ccd5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"cdk-integ-secrets-dynamic-reference-key":{"id":"cdk-integ-secrets-dynamic-reference-key","path":"cdk-integ-secrets-dynamic-reference-key","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Secret":{"id":"Secret","path":"cdk-integ-secrets-dynamic-reference-key/Secret","constructInfo":{"fqn":"aws-cdk-lib.aws_secretsmanager.Secret","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"cdk-integ-secrets-dynamic-reference-key/Secret/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_secretsmanager.CfnSecret","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::SecretsManager::Secret","aws:cdk:cloudformation:props":{"generateSecretString":{}}}}}},"JSONSecret":{"id":"JSONSecret","path":"cdk-integ-secrets-dynamic-reference-key/JSONSecret","constructInfo":{"fqn":"aws-cdk-lib.aws_secretsmanager.Secret","version":"0.0.0","metadata":[{"secretObjectValue":"*"}]},"children":{"Resource":{"id":"Resource","path":"cdk-integ-secrets-dynamic-reference-key/JSONSecret/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_secretsmanager.CfnSecret","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::SecretsManager::Secret","aws:cdk:cloudformation:props":{"secretString":{"Fn::Join":["",["{\"cfnDynamicReferenceKeyWithDefaults\":\"",{"Ref":"SecretA720EF05"},":SecretString:::\",\"cfnDynamicReferenceKeyWithJsonFieldAndVersionStage\":\"",{"Ref":"SecretA720EF05"},":SecretString:json-key:version-stage:\",\"cfnDynamicReferenceKeyWithJsonFieldAndVersionId\":\"",{"Ref":"SecretA720EF05"},":SecretString:json-key::version-id\"}"]]}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"cdk-integ-secrets-dynamic-reference-key/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"cdk-integ-secrets-dynamic-reference-key/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"cdk-integ-secrets-dynamic-reference-key-test":{"id":"cdk-integ-secrets-dynamic-reference-key-test","path":"cdk-integ-secrets-dynamic-reference-key-test","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"cdk-integ-secrets-dynamic-reference-key-test/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"cdk-integ-secrets-dynamic-reference-key-test/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.ts new file mode 100644 index 0000000000000..192ff6993de59 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.secret.dynamic-reference-key.ts @@ -0,0 +1,38 @@ +import * as cdk from 'aws-cdk-lib'; +import { SecretValue } from 'aws-cdk-lib'; +import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager'; +import * as integ from '@aws-cdk/integ-tests-alpha'; + +class TestStack extends cdk.Stack { + constructor(scope: cdk.App, id: string) { + super(scope, id); + + // Create a default secret + const secret = new secretsmanager.Secret(this, 'Secret'); + + // Create a JSON secret containing cfnDynamicReferenceKey values extracted from the default secret + new secretsmanager.Secret(this, 'JSONSecret', { + secretObjectValue: { + cfnDynamicReferenceKeyWithDefaults: SecretValue.unsafePlainText(secret.cfnDynamicReferenceKey()), + cfnDynamicReferenceKeyWithJsonFieldAndVersionStage: SecretValue.unsafePlainText(secret.cfnDynamicReferenceKey({ + jsonField: 'json-key', + versionStage: 'version-stage', + })), + cfnDynamicReferenceKeyWithJsonFieldAndVersionId: SecretValue.unsafePlainText(secret.cfnDynamicReferenceKey({ + jsonField: 'json-key', + versionId: 'version-id', + })), + }, + }); + } +} + +const app = new cdk.App(); + +const stack = new TestStack(app, 'cdk-integ-secrets-dynamic-reference-key'); + +new integ.IntegTest(app, 'cdk-integ-secrets-dynamic-reference-key-test', { + testCases: [stack], +}); + +app.synth(); diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts index db0f084c90d6a..15ea0919c4292 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts +++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts @@ -4,7 +4,7 @@ import { RotationSchedule, RotationScheduleOptions } from './rotation-schedule'; import * as secretsmanager from './secretsmanager.generated'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { ArnFormat, FeatureFlags, Fn, IResolveContext, IResource, Lazy, RemovalPolicy, Resource, ResourceProps, SecretValue, Stack, Token, TokenComparison, UnscopedValidationError, ValidationError } from '../../core'; +import { ArnFormat, FeatureFlags, Fn, IResolveContext, IResource, Lazy, RemovalPolicy, Resource, ResourceProps, SecretsManagerSecretOptions, SecretValue, Stack, Token, TokenComparison, UnscopedValidationError, ValidationError } from '../../core'; import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; import * as cxapi from '../../cx-api'; @@ -96,6 +96,16 @@ export interface ISecret extends IResource { * @returns An attached secret */ attach(target: ISecretAttachmentTarget): ISecret; + + /** + * Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this + * secret from AWS Secrets Manager + * + * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html + * + * @param options Options + */ + cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string; } /** @@ -361,6 +371,18 @@ abstract class SecretBase extends Resource implements ISecret { this.node.addValidation({ validate: () => this.policy?.document.validateForResourcePolicy() ?? [] }); } + /** + * Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this + * secret from AWS Secrets Manager + * + * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html + * + * @param options Options + */ + cfnDynamicReferenceKey(options: SecretsManagerSecretOptions = {}): string { + return SecretValue.cfnDynamicReferenceKey(this.secretArn, options); + } + public get secretFullArn(): string | undefined { return this.secretArn; } public grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant { diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts index 937714739f71f..a84c60cb19567 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts +++ b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts @@ -1449,3 +1449,58 @@ test('cross-environment grant with imported from partialArn', () => { }, }); }); + +test('dynamicReferenceKey', () => { + // GIVEN + const secretArn = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9'; + + // WHEN + const options = { + jsonField: 'json-key', + versionStage: 'version-stage', + }; + const secret = secretsmanager.Secret.fromSecretCompleteArn(stack, 'Secret', secretArn); + + // THEN + expect(stack.resolve(secret.cfnDynamicReferenceKey(options))).toEqual(`${secretArn}:SecretString:${options.jsonField}:${options.versionStage}:`); +}); + +test('dynamicReferenceKey with versionId', () => { + // GIVEN + const secretArn = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9'; + + // WHEN + const options = { + jsonField: 'json-key', + versionId: 'version-id', + }; + const secret = secretsmanager.Secret.fromSecretCompleteArn(stack, 'Secret', secretArn); + + // THEN + expect(stack.resolve(secret.cfnDynamicReferenceKey(options))).toEqual(`${secretArn}:SecretString:${options.jsonField}::${options.versionId}`); +}); + +test('dynamicReferenceKey with defaults', () => { + // GIVEN + const secretArn = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9'; + + // WHEN + const secret = secretsmanager.Secret.fromSecretCompleteArn(stack, 'Secret', secretArn); + + // THEN + expect(stack.resolve(secret.cfnDynamicReferenceKey())).toEqual(`${secretArn}:SecretString:::`); +}); + +test('dynamicReferenceKey with versionStage and versionId', () => { + // GIVEN + const secretArn = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9'; + + // WHEN + const secret = secretsmanager.Secret.fromSecretCompleteArn(stack, 'Secret', secretArn); + + // THEN + expect(() => secret.cfnDynamicReferenceKey({ + versionStage: 'version-stage', + versionId: 'version-id', + })).toThrow(/were both provided but only one is allowed/); +}); diff --git a/packages/aws-cdk-lib/core/lib/secret-value.ts b/packages/aws-cdk-lib/core/lib/secret-value.ts index 9754faac87752..87b71038f4fea 100644 --- a/packages/aws-cdk-lib/core/lib/secret-value.ts +++ b/packages/aws-cdk-lib/core/lib/secret-value.ts @@ -96,6 +96,20 @@ export class SecretValue extends Intrinsic { * @param options Options */ public static secretsManager(secretId: string, options: SecretsManagerSecretOptions = {}): SecretValue { + const dyref = new CfnDynamicReference(CfnDynamicReferenceService.SECRETS_MANAGER, SecretValue.cfnDynamicReferenceKey(secretId, options)); + return this.cfnDynamicReference(dyref); + } + + /** + * Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load a + * secret from AWS Secrets Manager + * + * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html + * + * @param secretId The ID or ARN of the secret + * @param options Options + */ + public static cfnDynamicReferenceKey(secretId: string, options: SecretsManagerSecretOptions = {}): string { if (!secretId) { throw new UnscopedValidationError('secretId cannot be empty'); } @@ -116,8 +130,7 @@ export class SecretValue extends Intrinsic { options.versionId || '', ]; - const dyref = new CfnDynamicReference(CfnDynamicReferenceService.SECRETS_MANAGER, parts.join(':')); - return this.cfnDynamicReference(dyref); + return parts.join(':'); } /** diff --git a/packages/aws-cdk-lib/core/test/secret-value.test.ts b/packages/aws-cdk-lib/core/test/secret-value.test.ts index 10de7396f147a..0f2ce8dc1d21c 100644 --- a/packages/aws-cdk-lib/core/test/secret-value.test.ts +++ b/packages/aws-cdk-lib/core/test/secret-value.test.ts @@ -61,6 +61,20 @@ describe('secret value', () => { expect(stack.resolve(v)).toEqual('{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:}}'); }); + test('secretsManager with jsonField and versionId', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + const v = SecretValue.secretsManager('secret-id', { + jsonField: 'json-key', + versionId: 'version-id', + }); + + // THEN + expect(stack.resolve(v)).toEqual('{{resolve:secretsmanager:secret-id:SecretString:json-key::version-id}}'); + }); + test('secretsManager with secret-id from token', () => { // GIVEN const stack = new Stack(); @@ -133,6 +147,104 @@ describe('secret value', () => { expect(() => SecretValue.secretsManager('not:an:arn')).toThrow(/is not an ARN but contains ":"/); }); + test('cfnDynamicReferenceKey with jsonField and versionStage', () => { + // WHEN + const secretId = 'secret-id'; + const options = { + jsonField: 'json-key', + versionStage: 'version-stage', + }; + const v = SecretValue.cfnDynamicReferenceKey(secretId, options); + + // THEN + expect(v).toEqual(`${secretId}:SecretString:${options.jsonField}:${options.versionStage}:`); + }); + + test('cfnDynamicReferenceKey with jsonField and versionId', () => { + // WHEN + const secretId = 'secret-id'; + const options = { + jsonField: 'json-key', + versionId: 'version-id', + }; + const v = SecretValue.cfnDynamicReferenceKey(secretId, options); + + // THEN + expect(v).toEqual(`${secretId}:SecretString:${options.jsonField}::${options.versionId}`); + }); + + test('cfnDynamicReferenceKey with secret-id from token', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + const secretId = 'secret-id'; + const secretIdToken = Token.asString({ Ref: secretId }); + const options = { + jsonField: 'json-key', + versionStage: 'version-stage', + }; + const v = SecretValue.cfnDynamicReferenceKey(secretIdToken, options); + + // THEN + expect(stack.resolve(v)).toEqual({ + 'Fn::Join': [ + '', + [ + { Ref: secretId }, + `:SecretString:${options.jsonField}:${options.versionStage}:`, + ], + ], + }); + }); + + test('cfnDynamicReferenceKey with defaults', () => { + // WHEN + const secretId = 'secret-id'; + const v = SecretValue.cfnDynamicReferenceKey(secretId); + + // THEN + expect(v).toEqual(`${secretId}:SecretString:::`); + }); + + test('cfnDynamicReferenceKey with defaults, secret-id from token', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + const secretId = 'secret-id'; + const v = SecretValue.cfnDynamicReferenceKey(Token.asString({ Ref: secretId })); + + // THEN + expect(stack.resolve(v)).toEqual({ + 'Fn::Join': [ + '', + [ + { Ref: secretId }, + ':SecretString:::', + ], + ], + }); + }); + + test('cfnDynamicReferenceKey with an empty ID', () => { + expect(() => SecretValue.cfnDynamicReferenceKey('')).toThrow(/secretId cannot be empty/); + }); + + test('cfnDynamicReferenceKey with versionStage and versionId', () => { + expect(() => { + SecretValue.cfnDynamicReferenceKey('secret-id', + { + versionStage: 'version-stage', + versionId: 'version-id', + }); + }).toThrow(/were both provided but only one is allowed/); + }); + + test('cfnDynamicReferenceKey with a non-ARN ID that has colon', () => { + expect(() => SecretValue.cfnDynamicReferenceKey('not:an:arn')).toThrow(/is not an ARN but contains ":"/); + }); + test('ssmSecure', () => { // GIVEN const stack = new Stack(); From c76a3806107092f87e58ef72416f571d8461e5b9 Mon Sep 17 00:00:00 2001 From: Justin Debuse Date: Mon, 18 Aug 2025 14:45:35 +0100 Subject: [PATCH 2/2] Add README docs for Secret dynamic reference key --- packages/aws-cdk-lib/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/README.md b/packages/aws-cdk-lib/README.md index b6110117b8b7f..b10f0ade242ed 100644 --- a/packages/aws-cdk-lib/README.md +++ b/packages/aws-cdk-lib/README.md @@ -480,6 +480,8 @@ CloudFormation to re-read the secret. `SecretValue.ssmSecure()` is only supported for a limited set of resources. [Click here for a list of supported resources and properties](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#template-parameters-dynamic-patterns-resources). +`SecretValue.cfnDynamicReferenceKey` takes the same parameters as `SecretValue.secretsManager` and returns a key which can be used within a [dynamic reference](#dynamic-references) to dynamically load a secret from AWS Secrets Manager. + ## ARN manipulation Sometimes you will need to put together or pick apart Amazon Resource Names