secretsmanager.RotationSchedule(): breaks cdk import

[steven-robbins]

Describe the bug

Secrets Manager RotationSchedule is causing all resources in the stack to be reported as "unsupported resource type" during cdk import.

Expected Behavior

Supported resources are able to be imported during cdk import

cdk import
ExampleStack
ExampleStack/ExampleVpc/Resource (AWS::EC2::VPC): enter VpcId (empty to skip):

Current Behavior

cdk import
ExampleStack
ExampleStack/ExampleVpc/Resource: unsupported resource type AWS::EC2::VPC, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/Subnet: unsupported resource type AWS::EC2::Subnet, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/RouteTable: unsupported resource type AWS::EC2::RouteTable, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/RouteTableAssociation: unsupported resource type AWS::EC2::SubnetRouteTableAssociation, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/DefaultRoute: unsupported resource type AWS::EC2::Route, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/EIP: unsupported resource type AWS::EC2::EIP, skipping import.
ExampleStack/ExampleVpc/PublicSubnet1/NATGateway: unsupported resource type AWS::EC2::NatGateway, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/Subnet: unsupported resource type AWS::EC2::Subnet, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/RouteTable: unsupported resource type AWS::EC2::RouteTable, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/RouteTableAssociation: unsupported resource type AWS::EC2::SubnetRouteTableAssociation, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/DefaultRoute: unsupported resource type AWS::EC2::Route, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/EIP: unsupported resource type AWS::EC2::EIP, skipping import.
ExampleStack/ExampleVpc/PublicSubnet2/NATGateway: unsupported resource type AWS::EC2::NatGateway, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet1/Subnet: unsupported resource type AWS::EC2::Subnet, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet1/RouteTable: unsupported resource type AWS::EC2::RouteTable, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet1/RouteTableAssociation: unsupported resource type AWS::EC2::SubnetRouteTableAssociation, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet1/DefaultRoute: unsupported resource type AWS::EC2::Route, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet2/Subnet: unsupported resource type AWS::EC2::Subnet, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet2/RouteTable: unsupported resource type AWS::EC2::RouteTable, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet2/RouteTableAssociation: unsupported resource type AWS::EC2::SubnetRouteTableAssociation, skipping import.
ExampleStack/ExampleVpc/PrivateSubnet2/DefaultRoute: unsupported resource type AWS::EC2::Route, skipping import.
ExampleStack/ExampleVpc/IGW: unsupported resource type AWS::EC2::InternetGateway, skipping import.
ExampleStack/ExampleVpc/VPCGW: unsupported resource type AWS::EC2::VPCGatewayAttachment, skipping import.
ExampleStack/ExampleVpc/RestrictDefaultSecurityGroupCustomResource/Default: unsupported resource type Custom::VpcRestrictDefaultSG, skipping import.
ExampleStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Role: unsupported resource type AWS::IAM::Role, skipping import.
ExampleStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler: unsupported resource type AWS::Lambda::Function, skipping import.
ExampleStack/ExampleSecret/Resource: unsupported resource type AWS::SecretsManager::Secret, skipping import.
ExampleStack/ExampleSecret/Policy/Resource: unsupported resource type AWS::SecretsManager::ResourcePolicy, skipping import.
ExampleStack/ExampleRotationSchedule/Resource: unsupported resource type AWS::SecretsManager::RotationSchedule, skipping import.
No resources selected for import.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

export class ExampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'ExampleVpc', {
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
    })

    const secret = new secretsmanager.Secret(this, 'ExampleSecret', {
      secretObjectValue: {
        username: cdk.SecretValue.unsafePlainText('appuser'),
        database: cdk.SecretValue.unsafePlainText('foo'),
        password: cdk.SecretValue.unsafePlainText('default'),
      },
    })

    const rotationSchedule = new secretsmanager.RotationSchedule(this, 'ExampleRotationSchedule', {
      secret: secret,
      hostedRotation: secretsmanager.HostedRotation.mysqlSingleUser(),
    });
  }
}

Possible Solution

No response

Additional Information/Context

It looks like this is the line that is causing all stack imports to fail.
Stack.of(scope).addTransform('AWS::SecretsManager-2020-07-23');
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts#L309

CDK CLI Version

2.148.1

Framework Version

No response

Node.js Version

v20.10.0

OS

MacOS 14.5

Language

TypeScript

Language Version

No response

Other information

No response

[khushail]

Hi @steven-robbins , thanks for reaching out. I tried to repro the scenario and observed that by adding this block, the code started failing with imports as you mentioned above -

const rotationSchedule = new secretsmanager.RotationSchedule(this, 'ExampleRotationSchedule', {
      secret: secret,
      hostedRotation: secretsmanager.HostedRotation.mysqlSingleUser(),
    });

Although the issue is reproducible, I noticed that its mentioned in the docs that one has to add the transform- You must specify Transform: AWS::SecretsManager-2020-07-23 at the beginning of the CloudFormation template.. that is the reason why this function -

aws-cdk/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts

Line 307 in 38e2ecf

public bind(secret: ISecret, scope: Construct): CfnRotationSchedule.HostedRotationLambdaProperty {

is being executed which invokes the addTransform() method -

aws-cdk/packages/aws-cdk-lib/core/lib/stack.ts

Line 897 in 38e2ecf

public addTransform(transform: string) {

https://github.com/aws/aws-cdk/blob/38e2ecf581b44fa2b81dbfa4e0c3573926343919/packages/aws-cdk-lib/core/lib/stack.ts#L883-#L902

[khushail]

This is snippet of synthesized template , the Transform gets added in the beginning of the template-
{
"Transform": "AWS::SecretsManager-2020-07-23",
"Resources": {
"ExampleVpc7799291B": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsHostnames": true,
"EnableDnsSupport": true,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "SecretManagerIssueStack/ExampleVpc"
}
]
},
"Metadata": {
"aws:cdk:path": "SecretManagerIssueStack/ExampleVpc/Resource"
}
},

[khushail]

@steven-robbins , RotationSchedule() is not supported by cdk import. Please see here the list of importable resources -https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html.
However you could proceed with importing VPC and Secret. I am closing this issue for now as its not supported. Please feel free to reopen if you have any further queries. Thanks!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[steven-robbins]

I'm not sure I would consider this bug addressed. Introducing secret rotation causes all resources in the stack to be considered an "unsupported resource type". This means the VPC and Secret resources cannot be imported.

[TheRealAmazonKendra]

I'm not sure I would consider this bug addressed. Introducing secret rotation causes all resources in the stack to be considered an "unsupported resource type". This means the VPC and Secret resources cannot be imported.

In order to use cdk import your code in the app must be modeled exactly the same as it already exists. It cannot contain any mutations on those resources until the import is already completed. While you're correct that the error message here is misleading, the fact that this does not work how you are attempting to use it is expected behavior.

We should not resolve this, however, until the error messages have been addressed.