Resource: awsSecretsmanagerSecretRotation
Provides a resource to manage AWS Secrets Manager secret rotation. To manage a secret, see the awsSecretsmanagerSecret
resource. To manage a secret value, see the awsSecretsmanagerSecretVersion
resource.
Example Usage
Basic
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.secretsmanagerSecretRotation.SecretsmanagerSecretRotation(
this,
"example",
{
rotationLambdaArn: "${aws_lambda_function.example.arn}",
rotationRules: {
automaticallyAfterDays: 30,
},
secretId: "${aws_secretsmanager_secret.example.id}",
}
);
Rotation Configuration
To enable automatic secret rotation, the Secrets Manager service requires usage of a Lambda function. The Rotate Secrets section in the Secrets Manager User Guide provides additional information about deploying a prebuilt Lambda functions for supported credential rotation (e.g., RDS) or deploying a custom Lambda function.
\~> NOTE: Configuring rotation causes the secret to rotate once as soon as you enable rotation. Before you do this, you must ensure that all of your applications that use the credentials stored in the secret are updated to retrieve the secret from AWS Secrets Manager. The old credentials might no longer be usable after the initial rotation and any applications that you fail to update will break as soon as the old credentials are no longer valid.
\~> NOTE: If you cancel a rotation that is in progress (by removing the rotation
configuration), it can leave the VersionStage labels in an unexpected state. Depending on what step of the rotation was in progress, you might need to remove the staging label AWSPENDING from the partially created version, specified by the SecretVersionId response value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can do by removing all staging labels from the new version's VersionStage field.
Argument Reference
The following arguments are supported:
secretId
- (Required) Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.rotationLambdaArn
- (Required) Specifies the ARN of the Lambda function that can rotate the secret.rotationRules
- (Required) A structure that defines the rotation configuration for this secret. Defined below.
rotationRules
automaticallyAfterDays
- (Required) Specifies the number of days between automatic scheduled rotations of the secret.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id
- Amazon Resource Name (ARN) of the secret.arn
- Amazon Resource Name (ARN) of the secret.rotationEnabled
- Specifies whether automatic rotation is enabled for this secret.
Import
awsSecretsmanagerSecretRotation
can be imported by using the secret Amazon Resource Name (ARN), e.g.,