
refactor: introduce SecretValue to represent secrets #2161

Merged
merged 8 commits into from
Apr 4, 2019

Conversation

@eladb eladb commented Apr 2, 2019

The class `cdk.SecretValue` is a token that represents a value that should
be treated as a secret. It can be created through one of the factory methods:
`SecretValue.secretsManager(id)` or `SecretValue.plainText(text)`.

Constructs that reference secrets have been converted to use this type
instead of plain strings.

The `secretsmanager.Secret` construct now has `secretValue` and
`secretJsonValue`, which return `SecretValue` objects with a dynamic reference.

The `DynamicReference` class is now a `Token`.

BREAKING CHANGE: The `secretsmanager.SecretString` class has been removed in favor of `cdk.SecretValue.secretsManager(id[, options])`.

The following prop types have been changed from `string` to `cdk.SecretValue`: `codepipeline-actions.AlexaSkillDeployAction.clientSecret`, `codepipeline-actions.AlexaSkillDeployAction.refreshToken`, `codepipeline-actions.GitHubSourceAction.oauthToken`, `iam.User.password`.

`secretsmanager.Secret.stringValue` and `jsonFieldValue` have been removed. Use `secretsmanager.Secret.secretValue` and `secretJsonValue` instead.

`secretsmanager.Secret.secretString` has been removed. Use `cdk.SecretValue.secretsManager()` or `secretsmanager.Secret.import(..).secretValue`.

The class `cdk.Secret` has been removed. Use `cdk.SecretValue` instead.

The class `cdk.DynamicReference` is no longer a construct, and its
constructor signature was changed.


Pull Request Checklist

  • Testing
    • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
    • CLI change?: coordinate update of integration tests with team
    • cdk-init template change?: coordinated update of integration tests with team
  • Docs
    • jsdocs: All public APIs documented
    • README: README and/or documentation topic updated
  • Title and Description
    • Change type: title prefixed with fix, feat will appear in changelog
    • Title: use lower-case and doesn't end with a period
    • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
    • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
  • Sensitive Modules (requires 2 PR approvers)
    • IAM Policy Document (in @aws-cdk/aws-iam)
    • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
    • Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

@eladb eladb requested review from RomainMuller, skinny85 and a team as code owners April 2, 2019 16:16
The review thread below is anchored on this line of the new `SecretValue` factory:

```typescript
/**
 * @param secretId The ID or ARN of the secret
 * @param options Options
 */
public static secretsManager(secretId: string, options: SecretsManagerSecretOptions = { }): SecretValue {
```
Contributor

If you're going to go the way of adding constructor functions here, then you should also add one for SSMPS.

Contributor Author

Good point.

Contributor

And it should kinda/sorta also be possible to use a NoEcho CfnParameter.

We shouldn't encourage it but it is something people can do today, and SecretsManager does cost money per secret per month.

Contributor Author

Yep, adding that too. Enforcing NoEcho is a nice touch.

jogold commented Apr 2, 2019

Elad Ben-Israel added 2 commits April 3, 2019 12:29
* add `SecretValue.ssmSecure`.
* add `SecretValue.cfnDynamicReference`
* add `SecretValue.cfnParameter`

BREAKING CHANGE: cdk.DynamicReference renamed to cdk.CfnDynamicReference.
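The token type described in the PR text and extended by the two follow-up commits, as an added example that is not the CDK's own source: a small model of `SecretValue` with its `secretsManager`, `ssmSecure`, `cfnParameter` and `plainText` factories, rendering to CloudFormation dynamic references so that a prop such as `GitHubSourceAction.oauthToken` carries a reference rather than the secret itself. The class layout, the `renderGitHubSourceAction` and `countPlainTextSecrets` helpers and the sample values are assumptions for illustration.

```typescript
// Added illustration, not the CDK's own source: a minimal model of the
// SecretValue token this PR introduces and of the CloudFormation dynamic
// references it resolves to. The "{{resolve:...}}" formats are the documented
// CloudFormation ones; the class layout and helper names are assumed.
type DynamicRefService = "secretsmanager" | "ssm-secure";

// A CloudFormation dynamic reference, rendered as "{{resolve:<service>:<key>}}".
class CfnDynamicReference {
  constructor(readonly service: DynamicRefService, readonly key: string) {}
  toString(): string { return `{{resolve:${this.service}:${this.key}}}`; }
}

interface SecretsManagerSecretOptions { jsonField?: string; versionStage?: string; versionId?: string; }

// Token type for secrets. A prop typed as SecretValue rejects a bare string at
// compile time, which is what replacing `string` in the breaking change buys.
class SecretValue {
  private constructor(private readonly rendered: string, readonly isPlainText: boolean) {}

  static secretsManager(secretId: string, options: SecretsManagerSecretOptions = {}): SecretValue {
    // Empty fields leave CloudFormation's defaults in place (whole SecretString, AWSCURRENT stage).
    const key = [secretId, "SecretString", options.jsonField || "",
                 options.versionStage || "", options.versionId || ""].join(":");
    return new SecretValue(new CfnDynamicReference("secretsmanager", key).toString(), false);
  }
  static ssmSecure(parameterName: string, version: string): SecretValue {
    return new SecretValue(new CfnDynamicReference("ssm-secure", `${parameterName}:${version}`).toString(), false);
  }
  // Only a NoEcho parameter is accepted, so the value is masked in the console and in describe-stacks.
  static cfnParameter(param: { logicalId: string; noEcho: boolean }): SecretValue {
    if (!param.noEcho) { throw new Error(`CfnParameter ${param.logicalId} must set noEcho: true`); }
    return new SecretValue(JSON.stringify({ Ref: param.logicalId }), false);
  }
  // Escape hatch for a value already present in code; flagged so an audit can catch it.
  static plainText(secret: string): SecretValue { return new SecretValue(secret, true); }

  toString(): string { return this.rendered; }
}

// A prop shaped like GitHubSourceAction.oauthToken after this PR: the template
// receives the dynamic reference, never the secret's value (hypothetical helper).
function renderGitHubSourceAction(props: { oauthToken: SecretValue }): { OAuthToken: string } {
  return { OAuthToken: props.oauthToken.toString() };
}

// Audit helper (hypothetical): count secrets that were supplied as plain text instead of referenced.
function countPlainTextSecrets(secrets: SecretValue[]): number {
  return secrets.filter(s => s.isPlainText).length;
}
```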
@eladb eladb merged commit a3d9f2e into master Apr 4, 2019
@eladb eladb deleted the benisrae/secrets-refactor branch April 4, 2019 11:44
eladb pushed a commit that referenced this pull request Apr 4, 2019
The class `cdk.DynamicReference` is no longer a construct, and its
constructor signature was changed; the class was renamed `cdk.CfnDynamicReference`.
@NGL321 NGL321 added the contribution/core This is a PR that came from AWS. label Sep 23, 2019

mergify bot commented Sep 23, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process
