SecretRotationProps

class aws_cdk.aws_secretsmanager.SecretRotationProps(*, application, secret, target, vpc, automatically_after=None, exclude_characters=None, master_secret=None, security_group=None, vpc_subnets=None)

Bases: object

Construction properties for a SecretRotation.

Parameters
  • application (SecretRotationApplication) – The serverless application for the rotation.

  • secret (ISecret) – The secret to rotate. It must be a JSON string with the following format:

    {
       "engine": <required: database engine>,
       "host": <required: instance host name>,
       "username": <required: username>,
       "password": <required: password>,
       "dbname": <optional: database name>,
       "port": <optional: if not specified, default port will be used>,
       "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
    }

    This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

  • target (IConnectable) – The target service or database.

  • vpc (IVpc) – The VPC where the Lambda rotation function will run.

  • automatically_after (Optional[Duration]) – Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation. Default: Duration.days(30)

  • exclude_characters (Optional[str]) – Characters which should not appear in the generated password. Default: no additional characters are explicitly excluded

  • master_secret (Optional[ISecret]) – The master secret for a multi user rotation scheme. Default: single user rotation scheme

  • security_group (Optional[ISecurityGroup]) – The security group for the Lambda rotation function. Default: a new security group is created

  • vpc_subnets (Optional[SubnetSelection]) – The type of subnets in the VPC where the Lambda rotation function will run. Default: the Vpc default strategy if not specified.

Attributes

application

The serverless application for the rotation.

Return type

SecretRotationApplication

automatically_after

Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.

Default

Duration.days(30)

Return type

Optional[Duration]

exclude_characters

Characters which should not appear in the generated password.

Default

no additional characters are explicitly excluded

Return type

Optional[str]

master_secret

The master secret for a multi user rotation scheme.

Default

single user rotation scheme

Return type

Optional[ISecret]

secret

The secret to rotate. It must be a JSON string with the following format:

{
   "engine": <required: database engine>,
   "host": <required: instance host name>,
   "username": <required: username>,
   "password": <required: password>,
   "dbname": <optional: database name>,
   "port": <optional: if not specified, default port will be used>,
   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
}

This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

See

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

Return type

ISecret
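A secret that does not follow the format above fails only when the rotation Lambda first runs, not at deploy time. The validator below, an added example rather than code from the CDK project, checks a secret value against the documented keys before it is handed to SecretRotation: it enforces "masterarn" when the multi user scheme is in use (the multi_user flag stands in for passing master_secret), checks that "port" is a usable port number, and flags a password that contains characters from the exclude_characters list. The function name and the sample secret values are constructed for this example.

```python
import json
import re

# Keys the rotation function reads from the secret value, per the format above.
REQUIRED_KEYS = ("engine", "host", "username", "password")
OPTIONAL_KEYS = ("dbname", "port", "masterarn")
# Secrets Manager ARNs: arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
SECRET_ARN = re.compile(r"^arn:[^:]+:secretsmanager:[^:]*:\d{12}:secret:.+$")


def validate_rotation_secret(secret_string: str, multi_user: bool = False,
                             exclude_characters: str = "") -> list:
    """Return the problems found in a secret value; an empty list means it is usable.

    multi_user=True corresponds to passing master_secret to SecretRotation and
    makes "masterarn" mandatory. exclude_characters mirrors the SecretRotation
    property: the current password is checked against it because replacements
    are generated under the same exclusion list.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["secret value must be a JSON object"]

    problems = []
    for key in REQUIRED_KEYS:
        if not isinstance(data.get(key), str) or not data[key]:
            problems.append(f"missing or empty required key {key!r}")

    if multi_user and "masterarn" not in data:
        problems.append("multi user rotation requires 'masterarn'")
    if "masterarn" in data and not SECRET_ARN.match(str(data["masterarn"])):
        problems.append("'masterarn' is not a Secrets Manager secret ARN")

    if "port" in data:
        try:
            port = int(data["port"])
        except (TypeError, ValueError):
            port = 0
        if not 1 <= port <= 65535:
            problems.append("'port' must be an integer between 1 and 65535")

    password = data.get("password")
    if isinstance(password, str):
        clashes = sorted(set(password) & set(exclude_characters))
        if clashes:
            problems.append(f"password contains excluded characters {''.join(clashes)!r}")

    # Keys outside the documented set are reported so that a misspelled key
    # (e.g. "user_name") is noticed before the first rotation fails.
    for key in sorted(set(data) - set(REQUIRED_KEYS) - set(OPTIONAL_KEYS)):
        problems.append(f"unrecognised key {key!r}")
    return problems


# Constructed sample values; none of these are real credentials or ARNs.
SINGLE_USER_SECRET = json.dumps({
    "engine": "mysql", "host": "db.example.internal", "username": "app",
    "password": "correct-horse-battery", "dbname": "orders", "port": 3306,
})
MULTI_USER_SECRET = json.dumps({
    "engine": "postgres", "host": "db.example.internal", "username": "app",
    "password": "correct-horse-battery",
    "masterarn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:master-AbCdEf",
})
BROKEN_SECRET = json.dumps({
    "engine": "mysql", "user_name": "app", "password": "p@ss/word", "port": "abc",
})

if __name__ == "__main__":
    for name, value in [("single", SINGLE_USER_SECRET), ("multi", MULTI_USER_SECRET), ("broken", BROKEN_SECRET)]:
        print(name, validate_rotation_secret(value, multi_user=(name == "multi"), exclude_characters="@/"))
```

Running this check in a deployment pipeline (reading the value with GetSecretValue under a least-privilege role) turns a rotation failure that would surface days later into a build error with a precise message.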

security_group

The security group for the Lambda rotation function.

Default

a new security group is created

Return type

Optional[ISecurityGroup]

target

The target service or database.

Return type

IConnectable

vpc

The VPC where the Lambda rotation function will run.

Return type

IVpc

vpc_subnets

The type of subnets in the VPC where the Lambda rotation function will run.

Default

the Vpc default strategy if not specified.

Return type

Optional[SubnetSelection]