Class: AWSCDK::SecretsManager::SecretProps

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
secrets_manager/secret_props.rb

Overview

The properties required to create a new secret in AWS Secrets Manager.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(description: nil, encryption_key: nil, generate_secret_string: nil, removal_policy: nil, replica_regions: nil, secret_name: nil, secret_object_value: nil, secret_string_beta1: nil, secret_string_value: nil) ⇒ SecretProps

Returns a new instance of SecretProps.

Parameters:

  • description (String, nil) (defaults to: nil)

    An optional, human-friendly description of the secret.

  • encryption_key (AWSCDK::KMS::IKey, nil) (defaults to: nil)

    The customer-managed encryption key to use for encrypting the secret value.

  • generate_secret_string (AWSCDK::SecretsManager::SecretStringGenerator, nil) (defaults to: nil)

    Configuration for how to generate a secret value.

  • removal_policy (AWSCDK::RemovalPolicy, nil) (defaults to: nil)

    Policy to apply when the secret is removed from this stack.

  • replica_regions (Array<AWSCDK::SecretsManager::ReplicaRegion>, nil) (defaults to: nil)

    A list of regions where to replicate this secret.

  • secret_name (String, nil) (defaults to: nil)

    A name for the secret.

  • secret_object_value (Hash{String => AWSCDK::SecretValue}, nil) (defaults to: nil)

    Initial value for a JSON secret.

  • secret_string_beta1 (AWSCDK::SecretsManager::SecretStringValueBeta1, nil) (defaults to: nil)

    Initial value for the secret.

  • secret_string_value (AWSCDK::SecretValue, nil) (defaults to: nil)

    Initial value for the secret.



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'secrets_manager/secret_props.rb', line 16

def initialize(description: nil, encryption_key: nil, generate_secret_string: nil, removal_policy: nil, replica_regions: nil, secret_name: nil, secret_object_value: nil, secret_string_beta1: nil, secret_string_value: nil)
  @description = description
  Jsii::Type.check_type(@description, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "description") unless @description.nil?
  @encryption_key = encryption_key
  Jsii::Type.check_type(@encryption_key, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfa21zLklLZXkifQ==")), "encryptionKey") unless @encryption_key.nil?
  @generate_secret_string = generate_secret_string.is_a?(Hash) ? ::AWSCDK::SecretsManager::SecretStringGenerator.new(**generate_secret_string.transform_keys(&:to_sym)) : generate_secret_string
  Jsii::Type.check_type(@generate_secret_string, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfc2VjcmV0c21hbmFnZXIuU2VjcmV0U3RyaW5nR2VuZXJhdG9yIn0=")), "generateSecretString") unless @generate_secret_string.nil?
  @removal_policy = removal_policy
  Jsii::Type.check_type(@removal_policy, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5SZW1vdmFsUG9saWN5In0=")), "removalPolicy") unless @removal_policy.nil?
  @replica_regions = replica_regions.is_a?(Array) ? replica_regions.map { |jsii_v0| jsii_v0.is_a?(Hash) ? ::AWSCDK::SecretsManager::ReplicaRegion.new(**jsii_v0.transform_keys(&:to_sym)) : jsii_v0 } : replica_regions
  Jsii::Type.check_type(@replica_regions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7ImZxbiI6ImF3cy1jZGstbGliLmF3c19zZWNyZXRzbWFuYWdlci5SZXBsaWNhUmVnaW9uIn0sImtpbmQiOiJhcnJheSJ9fQ==")), "replicaRegions") unless @replica_regions.nil?
  @secret_name = secret_name
  Jsii::Type.check_type(@secret_name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "secretName") unless @secret_name.nil?
  @secret_object_value = secret_object_value
  Jsii::Type.check_type(@secret_object_value, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7ImZxbiI6ImF3cy1jZGstbGliLlNlY3JldFZhbHVlIn0sImtpbmQiOiJtYXAifX0=")), "secretObjectValue") unless @secret_object_value.nil?
  @secret_string_beta1 = secret_string_beta1
  Jsii::Type.check_type(@secret_string_beta1, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfc2VjcmV0c21hbmFnZXIuU2VjcmV0U3RyaW5nVmFsdWVCZXRhMSJ9")), "secretStringBeta1") unless @secret_string_beta1.nil?
  @secret_string_value = secret_string_value
  Jsii::Type.check_type(@secret_string_value, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5TZWNyZXRWYWx1ZSJ9")), "secretStringValue") unless @secret_string_value.nil?
end

Instance Attribute Details

#descriptionString? (readonly)

Note:

Default: - No description.

An optional, human-friendly description of the secret.

Returns:

  • (String, nil)


41
42
43
# File 'secrets_manager/secret_props.rb', line 41

def description
  @description
end

#encryption_keyAWSCDK::KMS::IKey? (readonly)

Note:

Default: - A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

Returns:



46
47
48
# File 'secrets_manager/secret_props.rb', line 46

def encryption_key
  @encryption_key
end

#generate_secret_stringAWSCDK::SecretsManager::SecretStringGenerator? (readonly)

Note:

Default: - 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values of SecretStringGenerator.

Configuration for how to generate a secret value.

Only one of secret_string and generate_secret_string can be provided.



53
54
55
# File 'secrets_manager/secret_props.rb', line 53

def generate_secret_string
  @generate_secret_string
end

#removal_policyAWSCDK::RemovalPolicy? (readonly)

Note:

Default: - Not set.

Policy to apply when the secret is removed from this stack.

Returns:



58
59
60
# File 'secrets_manager/secret_props.rb', line 58

def removal_policy
  @removal_policy
end

#replica_regionsArray<AWSCDK::SecretsManager::ReplicaRegion>? (readonly)

Note:

Default: - Secret is not replicated

A list of regions where to replicate this secret.

Returns:



63
64
65
# File 'secrets_manager/secret_props.rb', line 63

def replica_regions
  @replica_regions
end

#secret_nameString? (readonly)

Note:

Default: - A name is generated by CloudFormation.

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

Returns:

  • (String, nil)


71
72
73
# File 'secrets_manager/secret_props.rb', line 71

def secret_name
  @secret_name
end

#secret_object_valueHash{String => AWSCDK::SecretValue}? (readonly)

Note:

Default: - SecretsManager generates a new secret value.

Initial value for a JSON secret.

NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies a JSON object that you want to encrypt and store in this new version of the secret. To specify a simple string value instead, use SecretProps.secretStringValue

Only one of secret_string_beta1, secret_string_value, 'secretObjectValue', and generate_secret_string can be provided.

Examples:

user = nil # AWSCDK::IAM::User
access_key = nil # AWSCDK::IAM::AccessKey
stack = nil # AWSCDK::Stack

AWSCDK::SecretsManager::Secret.new(stack, "JSONSecret", {
    secret_object_value: {
        username: AWSCDK::SecretValue.unsafe_plain_text(user.user_name),
         # intrinsic reference, not exposed as plaintext
        database: AWSCDK::SecretValue.unsafe_plain_text("foo"),
         # rendered as plain text, but not a secret
        password: access_key.secret_access_key,
    },
})

Returns:



101
102
103
# File 'secrets_manager/secret_props.rb', line 101

def secret_object_value
  @secret_object_value
end

#secret_string_beta1AWSCDK::SecretsManager::SecretStringValueBeta1? (readonly)

Deprecated.

Use secretStringValue instead.

Note:

Default: - SecretsManager generates a new secret value.

Initial value for the secret.

NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.

Only one of secret_string_beta1, secret_string_value, and generate_secret_string can be provided.



118
119
120
# File 'secrets_manager/secret_props.rb', line 118

def secret_string_beta1
  @secret_string_beta1
end

#secret_string_valueAWSCDK::SecretValue? (readonly)

Note:

Default: - SecretsManager generates a new secret value.

Initial value for the secret.

NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value. To provide a string representation of JSON structure, use SecretProps.secretObjectValue instead.

Only one of secret_string_beta1, secret_string_value, 'secretObjectValue', and generate_secret_string can be provided.

Returns:



134
135
136
# File 'secrets_manager/secret_props.rb', line 134

def secret_string_value
  @secret_string_value
end

Class Method Details

.jsii_propertiesObject



136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'secrets_manager/secret_props.rb', line 136

def self.jsii_properties
  {
    :description => "description",
    :encryption_key => "encryptionKey",
    :generate_secret_string => "generateSecretString",
    :removal_policy => "removalPolicy",
    :replica_regions => "replicaRegions",
    :secret_name => "secretName",
    :secret_object_value => "secretObjectValue",
    :secret_string_beta1 => "secretStringBeta1",
    :secret_string_value => "secretStringValue",
  }
end

Instance Method Details

#to_jsiiObject



150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
# File 'secrets_manager/secret_props.rb', line 150

def to_jsii
  result = {}
  result.merge!({
    "description" => @description,
    "encryptionKey" => @encryption_key,
    "generateSecretString" => @generate_secret_string,
    "removalPolicy" => @removal_policy,
    "replicaRegions" => @replica_regions,
    "secretName" => @secret_name,
    "secretObjectValue" => @secret_object_value,
    "secretStringBeta1" => @secret_string_beta1,
    "secretStringValue" => @secret_string_value,
  })
  result.compact
end