fix(secretsmanager): automaticallyAfter is not disabling the automati…

…c rotation of secrets
aws · Oct 11, 2023 · f9dcef2 · f9dcef2
1 parent 7e4fdc7
commit f9dcef2
Show file tree

Hide file tree

Showing 7 changed files with 410 additions and 67 deletions.
diff --git a/...nager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.assets.json b/...nager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.assets.json
diff --git a/...ger/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json b/...ger/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
@@ -98,11 +98,71 @@
         }
        },
        "Effect": "Allow",
+       "Principal": {
+        "AWS": [
+         {
+          "Fn::GetAtt": [
+           "LambdaServiceRoleA8ED4D3B",
+           "Arn"
+          ]
+         },
+         {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
+          ]
+         }
+        ]
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:CreateGrant",
+        "kms:DescribeKey"
+       ],
+       "Condition": {
+        "StringEquals": {
+         "kms:ViaService": {
+          "Fn::Join": [
+           "",
+           [
+            "secretsmanager.",
+            {
+             "Ref": "AWS::Region"
+            },
+            ".amazonaws.com"
+           ]
+          ]
+         }
+        }
+       },
+       "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::GetAtt": [
-          "LambdaServiceRoleA8ED4D3B",
-          "Arn"
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
          ]
         }
        },
@@ -253,7 +313,7 @@
    "Type": "AWS::Lambda::Function",
    "Properties": {
     "Code": {
-     "ZipFile": "NOOP"
+     "ZipFile": "// dummy func"
     },
     "Handler": "index.handler",
     "Role": {
@@ -281,6 +341,70 @@
     },
     "Principal": "secretsmanager.amazonaws.com"
    }
+  },
+  "SecretForRotationDisabledD3CC9741": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "GenerateSecretString": {},
+    "KmsKeyId": {
+     "Fn::GetAtt": [
+      "Key961B73FD",
+      "Arn"
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "LambdaForRotationDisabledServiceRole9FA05754": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "LambdaForRotationDisabled3F8DC7F6": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "// dummy func"
+    },
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "LambdaForRotationDisabledServiceRole9FA05754",
+      "Arn"
+     ]
+    },
+    "Runtime": "nodejs18.x"
+   },
+   "DependsOn": [
+    "LambdaForRotationDisabledServiceRole9FA05754"
+   ]
   }
  },
  "Parameters": {

diff --git a/...mework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/manifest.json b/...mework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/manifest.json