aws-cdk-lib.aws_secretsmanager.SecretRotation

class SecretRotation (construct)

LanguageType name
.NETAmazon.CDK.AWS.SecretsManager.SecretRotation
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awssecretsmanager#SecretRotation
Javasoftware.amazon.awscdk.services.secretsmanager.SecretRotation
Pythonaws_cdk.aws_secretsmanager.SecretRotation
TypeScript (source)aws-cdk-lib » aws_secretsmanager » SecretRotation

Implements IConstruct, IDependable

Secret rotation for a service or database.

Example

declare const mySecret: secretsmanager.Secret;
declare const myDatabase: ec2.IConnectable;
declare const myVpc: ec2.Vpc;

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single user scheme
  secret: mySecret,
  target: myDatabase, // a Connectable
  vpc: myVpc, // The VPC where the secret rotation application will be deployed
  excludeCharacters: ' %+:;{}', // characters to never use when generating new passwords;
                                // by default, no characters are excluded,
                                // which might cause problems with some services, like DMS
});

Initializer

new SecretRotation(scope: Construct, id: string, props: SecretRotationProps)

Parameters

  • scope Construct
  • id string
  • props SecretRotationProps

Construct Props

NameTypeDescription
applicationSecretRotationApplicationThe serverless application for the rotation.
secretISecretThe secret to rotate. It must be a JSON string with the following format:.
targetIConnectableThe target service or database.
vpcIVpcThe VPC where the Lambda rotation function will run.
automaticallyAfter?DurationSpecifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
endpoint?IInterfaceVpcEndpointThe VPC interface endpoint to use for the Secrets Manager API.
excludeCharacters?stringCharacters which should not appear in the generated password.
masterSecret?ISecretThe master secret for a multi user rotation scheme.
securityGroup?ISecurityGroupThe security group for the Lambda rotation function.
vpcSubnets?SubnetSelectionThe type of subnets in the VPC where the Lambda rotation function will run.

application

Type: SecretRotationApplication

The serverless application for the rotation.


secret

Type: ISecret

The secret to rotate. It must be a JSON string with the following format:.

{
  "engine": <required: database engine>,
  "host": <required: instance host name>,
  "username": <required: username>,
  "password": <required: password>,
  "dbname": <optional: database name>,
  "port": <optional: if not specified, default port will be used>,
  "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
}

This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html


target

Type: IConnectable

The target service or database.


vpc

Type: IVpc

The VPC where the Lambda rotation function will run.


automaticallyAfter?

Type: Duration (optional, default: Duration.days(30))

Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.


endpoint?

Type: IInterfaceVpcEndpoint (optional, default: https://secretsmanager..amazonaws.com)

The VPC interface endpoint to use for the Secrets Manager API.

If you enable private DNS hostnames for your VPC private endpoint (the default), you don't need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager CLI and SDKs use by default (https://secretsmanager..amazonaws.com) automatically resolves to your VPC endpoint.


excludeCharacters?

Type: string (optional, default: no additional characters are explicitly excluded)

Characters which should not appear in the generated password.


masterSecret?

Type: ISecret (optional, default: single user rotation scheme)

The master secret for a multi user rotation scheme.


securityGroup?

Type: ISecurityGroup (optional, default: a new security group is created)

The security group for the Lambda rotation function.


vpcSubnets?

Type: SubnetSelection (optional, default: the Vpc default strategy if not specified.)

The type of subnets in the VPC where the Lambda rotation function will run.

Properties

NameTypeDescription
nodeNodeThe tree node.

node

Type: Node

The tree node.

Methods

NameDescription
toString()Returns a string representation of this construct.

toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.