Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(secretsmanager): cannot set hourly rotation #28303

Merged
merged 5 commits into from
Dec 14, 2023
Merged

fix(secretsmanager): cannot set hourly rotation #28303

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dc05370
fix(secretsmanager): cannot set hourly rotation
lpizzinidev Dec 8, 2023
ada07d7
minor nits and template update
lpizzinidev Dec 9, 2023
524ea38
handle rotation in days with scheduleExpression
lpizzinidev Dec 14, 2023
66413dc
fixed integration test
lpizzinidev Dec 14, 2023
f1a3cc9
Merge branch 'main' into gh-28261
mergify[bot] Dec 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .../test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-docdb-cluster-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -501,7 +501,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
},
"SecretId": {
"Ref": "DatabaseSecretAttachmentE5D1B020"
Expand Down
2 changes: 1 addition & 1 deletion ...ting/framework-integ/test/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...ds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -599,7 +599,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
},
"SecretId": {
"Ref": "DatabaseSecretAttachmentE5D1B020"
Expand Down Expand Up @@ -920,7 +920,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 7
"ScheduleExpression": "rate(7 days)"
},
"SecretId": {
"Ref": "CustomRotationOptionsSecretAttachment697A23BF"
Expand Down
4 changes: 2 additions & 2 deletions ...esting/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .../aws-rds/test/integ.cluster-snapshot.js.snapshot/cdk-integ-cluster-snapshot.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1403,7 +1403,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
},
"SecretId": {
"Ref": "FromSnapshotSnapshotSecretAttachmentA3F619B8"
Expand Down
2 changes: 1 addition & 1 deletion ...dk-testing/framework-integ/test/aws-rds/test/integ.cluster-snapshot.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...integ/test/aws-rds/test/integ.instance.lit.js.snapshot/aws-cdk-rds-instance.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -616,7 +616,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
},
"SecretId": {
"Ref": "InstanceSecretAttachment83BEE581"
Expand Down
2 changes: 1 addition & 1 deletion ...ws-cdk-testing/framework-integ/test/aws-rds/test/integ.instance.lit.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...-secret-rotation-custom-names.js.snapshot/aws-cdk-rds-integ-secret-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@
"RotationType": "MySQLSingleUser"
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
}
}
},
Expand Down
2 changes: 1 addition & 1 deletion .../aws-rds/test/integ.serverless-cluster-secret-rotation-custom-names.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...rless-cluster-secret-rotation.js.snapshot/aws-cdk-rds-integ-secret-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@
"RotationType": "MySQLSingleUser"
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
}
}
},
Expand Down
2 changes: 1 addition & 1 deletion ...rk-integ/test/aws-rds/test/integ.serverless-cluster-secret-rotation.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...ger/test/integ.hosted-rotation.js.snapshot/cdk-integ-secret-hosted-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
"RotationType": "MySQLSingleUser"
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
}
}
},
Expand Down Expand Up @@ -84,7 +84,7 @@
},
"RotateImmediatelyOnUpdate": false,
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(30 days)"
}
}
},
Expand Down
4 changes: 2 additions & 2 deletions .../framework-integ/test/aws-secretsmanager/test/integ.hosted-rotation.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...ger/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@
]
},
"RotationRules": {
"AutomaticallyAfterDays": 30
"ScheduleExpression": "rate(4 hours)"
},
"SecretId": {
"Ref": "SecretA720EF05"
Expand Down
2 changes: 1 addition & 1 deletion .../framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/tree.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions ...es/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ class TestStack extends cdk.Stack {
handler: 'index.handler',
code: lambda.Code.fromInline('NOOP'),
}),
automaticallyAfter: cdk.Duration.hours(4),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running the integ test to verify.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, I see the integ test fails due to the schedule not working. I still see the schedule is at 30 days.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Screenshot 2023-12-08 at 10 32 03 AM

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't update tree.json, should be good now.

});
}
}
Expand Down
4 changes: 2 additions & 2 deletions packages/aws-cdk-lib/aws-docdb/test/cluster.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -785,7 +785,7 @@ describe('DatabaseCluster', () => {
'Fn::GetAtt': ['DatabaseRotationSingleUser65F55654', 'Outputs.RotationLambdaARN'],
},
RotationRules: {
AutomaticallyAfterDays: 5,
ScheduleExpression: 'rate(5 days)',
},
});
});
Expand Down Expand Up @@ -899,7 +899,7 @@ describe('DatabaseCluster', () => {
'Fn::GetAtt': ['DatabaseRotation6B6E1D86', 'Outputs.RotationLambdaARN'],
},
RotationRules: {
AutomaticallyAfterDays: 5,
ScheduleExpression: 'rate(5 days)',
},
});
});
Expand Down
16 changes: 8 additions & 8 deletions packages/aws-cdk-lib/aws-rds/test/cluster.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1975,7 +1975,7 @@ describe('cluster', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});
});
Expand Down Expand Up @@ -2006,7 +2006,7 @@ describe('cluster', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});

Expand Down Expand Up @@ -2058,7 +2058,7 @@ describe('cluster', () => {
// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', {
RotationRules: {
AutomaticallyAfterDays: 15,
ScheduleExpression: 'rate(15 days)',
},
});

Expand Down Expand Up @@ -2125,7 +2125,7 @@ describe('cluster', () => {
// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', {
RotationRules: {
AutomaticallyAfterDays: 15,
ScheduleExpression: 'rate(15 days)',
},
});

Expand Down Expand Up @@ -2231,7 +2231,7 @@ describe('cluster', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
RotateImmediatelyOnUpdate: false,
});
Expand Down Expand Up @@ -2266,7 +2266,7 @@ describe('cluster', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
RotateImmediatelyOnUpdate: false,
});
Expand Down Expand Up @@ -3439,7 +3439,7 @@ describe('cluster', () => {
// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', {
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});
});
Expand Down Expand Up @@ -3493,7 +3493,7 @@ describe('cluster', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});

Expand Down
8 changes: 4 additions & 4 deletions packages/aws-cdk-lib/aws-rds/test/instance.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -782,7 +782,7 @@ describe('instance', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});
});
Expand Down Expand Up @@ -810,7 +810,7 @@ describe('instance', () => {
],
},
RotationRules: {
AutomaticallyAfterDays: 30,
ScheduleExpression: 'rate(30 days)',
},
});

Expand Down Expand Up @@ -858,7 +858,7 @@ describe('instance', () => {
// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', {
RotationRules: {
AutomaticallyAfterDays: 15,
ScheduleExpression: 'rate(15 days)',
},
});

Expand Down Expand Up @@ -921,7 +921,7 @@ describe('instance', () => {
// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', {
RotationRules: {
AutomaticallyAfterDays: 15,
ScheduleExpression: 'rate(15 days)',
},
});

Expand Down
28 changes: 19 additions & 9 deletions packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import { Construct } from 'constructs';
import { ISecret, Secret } from './secret';
import { CfnRotationSchedule } from './secretsmanager.generated';
import * as ec2 from '../../aws-ec2';
import { Schedule } from '../../aws-events';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AHhhh I suppose this is ok because the schedule is not exposed in anyway, but we STILL need to get this into class into core.

import * as iam from '../../aws-iam';
import * as kms from '../../aws-kms';
import * as lambda from '../../aws-lambda';
Expand Down Expand Up @@ -37,6 +38,7 @@ export interface RotationScheduleOptions {
* Specifies the number of days after the previous rotation before
* Secrets Manager triggers the next automatic rotation.
*
* The minimum value is 4 hours.
* The maximum value is 1000 days.
*
* A value of zero (`Duration.days(0)`) will not create RotationRules.
Expand Down Expand Up @@ -126,18 +128,26 @@ export class RotationSchedule extends Resource {
);
}

let automaticallyAfterDays: number | undefined = undefined;
if (props.automaticallyAfter && props.automaticallyAfter.toDays() > 1000) {
throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
}
if (props.automaticallyAfter?.toMilliseconds() !== 0) {
automaticallyAfterDays = props.automaticallyAfter?.toDays() || 30;
let scheduleExpression: string | undefined;
if (props.automaticallyAfter) {
const automaticallyAfterMillis = props.automaticallyAfter.toMilliseconds();
if (automaticallyAfterMillis > 0) {
if (automaticallyAfterMillis < Duration.hours(4).toMilliseconds()) {
throw new Error(`automaticallyAfter must not be smaller than 4 hours, got ${props.automaticallyAfter.toHours()} hours`);
}
if (automaticallyAfterMillis > Duration.days(1000).toMilliseconds()) {
throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
}
scheduleExpression = Schedule.rate(props.automaticallyAfter).expressionString;
}
} else {
scheduleExpression = Schedule.rate(Duration.days(30)).expressionString;
}

let rotationRules: CfnRotationSchedule.RotationRulesProperty | undefined = undefined;
if (automaticallyAfterDays !== undefined) {
let rotationRules: CfnRotationSchedule.RotationRulesProperty | undefined;
if (scheduleExpression) {
rotationRules = {
automaticallyAfterDays,
scheduleExpression,
};
}

Expand Down
Loading