aws-cdk-lib.aws_rds.DatabaseSecretProps

interface DatabaseSecretProps

LanguageType name
.NETAmazon.CDK.AWS.RDS.DatabaseSecretProps
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsrds#DatabaseSecretProps
Javasoftware.amazon.awscdk.services.rds.DatabaseSecretProps
Pythonaws_cdk.aws_rds.DatabaseSecretProps
TypeScript (source)aws-cdk-lib » aws_rds » DatabaseSecretProps

Construction properties for a DatabaseSecret.

Example

// Create username and password secret for DB Cluster
const secret = new rds.DatabaseSecret(this, 'AuroraSecret', {
  username: 'clusteradmin',
});

// The VPC to place the cluster in
const vpc = new ec2.Vpc(this, 'AuroraVpc');

// Create the serverless cluster, provide all values needed to customise the database.
const cluster = new rds.ServerlessCluster(this, 'AuroraCluster', {
  engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
  vpc,
  credentials: { username: 'clusteradmin' },
  clusterIdentifier: 'db-endpoint-test',
  defaultDatabaseName: 'demos',
});

// Build a data source for AppSync to access the database.
declare const api: appsync.GraphqlApi;
const rdsDS = api.addRdsDataSource('rds', cluster, secret, 'demos');

// Set up a resolver for an RDS query.
rdsDS.createResolver('QueryGetDemosRdsResolver', {
  typeName: 'Query',
  fieldName: 'getDemosRds',
  requestMappingTemplate: appsync.MappingTemplate.fromString(`
  {
    "version": "2018-05-29",
    "statements": [
      "SELECT * FROM demos"
    ]
  }
  `),
  responseMappingTemplate: appsync.MappingTemplate.fromString(`
    $utils.toJson($utils.rds.toJsonObject($ctx.result)[0])
  `),
});

// Set up a resolver for an RDS mutation.
rdsDS.createResolver('MutationAddDemoRdsResolver', {
  typeName: 'Mutation',
  fieldName: 'addDemoRds',
  requestMappingTemplate: appsync.MappingTemplate.fromString(`
  {
    "version": "2018-05-29",
    "statements": [
      "INSERT INTO demos VALUES (:id, :version)",
      "SELECT * WHERE id = :id"
    ],
    "variableMap": {
      ":id": $util.toJson($util.autoId()),
      ":version": $util.toJson($ctx.args.version)
    }
  }
  `),
  responseMappingTemplate: appsync.MappingTemplate.fromString(`
    $utils.toJson($utils.rds.toJsonObject($ctx.result)[1][0])
  `),
});

Properties

NameTypeDescription
usernamestringThe username.
dbname?stringThe database name, if not using the default one.
encryptionKey?IKeyThe KMS key to use to encrypt the secret.
excludeCharacters?stringCharacters to not include in the generated password.
masterSecret?ISecretThe master secret which will be used to rotate this secret.
replaceOnPasswordCriteriaChanges?booleanWhether to replace this secret when the criteria for the password change.
replicaRegions?ReplicaRegion[]A list of regions where to replicate this secret.
secretName?stringA name for the secret.

username

Type: string

The username.


dbname?

Type: string (optional, default: whatever the secret generates after the attach method is run)

The database name, if not using the default one.


encryptionKey?

Type: IKey (optional, default: default master key)

The KMS key to use to encrypt the secret.


excludeCharacters?

Type: string (optional, default: " %+~`#$&()|[]{}:;<>?!'/@"\")*

Characters to not include in the generated password.


masterSecret?

Type: ISecret (optional, default: no master secret information will be included)

The master secret which will be used to rotate this secret.


replaceOnPasswordCriteriaChanges?

Type: boolean (optional, default: false)

Whether to replace this secret when the criteria for the password change.

This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated.


replicaRegions?

Type: ReplicaRegion[] (optional, default: Secret is not replicated)

A list of regions where to replicate this secret.


secretName?

Type: string (optional, default: A name is generated by CloudFormation.)

A name for the secret.