SecretRotationProps

class aws_cdk.aws_secretsmanager.SecretRotationProps(*, application, secret, target, vpc, automatically_after=None, endpoint=None, exclude_characters=None, master_secret=None, rotate_immediately_on_update=None, security_group=None, vpc_subnets=None)

Bases: object

Construction properties for a SecretRotation.

Parameters:

  • application (SecretRotationApplication) – The serverless application for the rotation.

  • secret (ISecret) – The secret to rotate. It must be a JSON string with the following format:. Example:: { “engine”: <required: database engine>, “host”: <required: instance host name>, “username”: <required: username>, “password”: <required: password>, “dbname”: <optional: database name>, “port”: <optional: if not specified, default port will be used>, “masterarn”: <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords> } This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

  • target (IConnectable) – The target service or database.

  • vpc (IVpc) – The VPC where the Lambda rotation function will run.

  • automatically_after (Optional[Duration]) – Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation. Default: Duration.days(30)

  • endpoint (Optional[IInterfaceVpcEndpoint]) – The VPC interface endpoint to use for the Secrets Manager API. If you enable private DNS hostnames for your VPC private endpoint (the default), you don’t need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager CLI and SDKs use by default (https://secretsmanager..amazonaws.com) automatically resolves to your VPC endpoint. Default: https://secretsmanager..amazonaws.com

  • exclude_characters (Optional[str]) – Characters which should not appear in the generated password. Default: - no additional characters are explicitly excluded

  • master_secret (Optional[ISecret]) – The master secret for a multi user rotation scheme. Default: - single user rotation scheme

  • rotate_immediately_on_update (Optional[bool]) – Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. Default: true

  • security_group (Optional[ISecurityGroup]) – The security group for the Lambda rotation function. Default: - a new security group is created

  • vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – The type of subnets in the VPC where the Lambda rotation function will run. Default: - the Vpc default strategy if not specified.

ExampleMetadata:

infused

Example:

# my_user_secret: secretsmanager.Secret
# my_master_secret: secretsmanager.Secret
# my_database: ec2.IConnectable
# my_vpc: ec2.Vpc


secretsmanager.SecretRotation(self, "SecretRotation",
    application=secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
    secret=my_user_secret,  # The secret that will be rotated
    master_secret=my_master_secret,  # The secret used for the rotation
    target=my_database,
    vpc=my_vpc
)

Attributes

application

The serverless application for the rotation.

automatically_after

Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.

Default:

Duration.days(30)

endpoint

The VPC interface endpoint to use for the Secrets Manager API.

If you enable private DNS hostnames for your VPC private endpoint (the default), you don’t need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager CLI and SDKs use by default (https://secretsmanager..amazonaws.com) automatically resolves to your VPC endpoint.

Default:

https://secretsmanager..amazonaws.com

exclude_characters

Characters which should not appear in the generated password.

Default:

  • no additional characters are explicitly excluded

master_secret

The master secret for a multi user rotation scheme.

Default:

  • single user rotation scheme

rotate_immediately_on_update

Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.

Default:

true

secret

.

Example:

{
  "engine": <required: database engine>,
  "host": <required: instance host name>,
  "username": <required: username>,
  "password": <required: password>,
  "dbname": <optional: database name>,
  "port": <optional: if not specified, default port will be used>,
  "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
}

This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

See:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

Type:

The secret to rotate. It must be a JSON string with the following format

security_group

The security group for the Lambda rotation function.

Default:

  • a new security group is created

target

The target service or database.

vpc

The VPC where the Lambda rotation function will run.

vpc_subnets

The type of subnets in the VPC where the Lambda rotation function will run.

Default:

  • the Vpc default strategy if not specified.