DatabaseSecretProps

class aws_cdk.aws_rds.DatabaseSecretProps(*, username, dbname=None, encryption_key=None, exclude_characters=None, master_secret=None, replace_on_password_criteria_changes=None, replica_regions=None, secret_name=None)

Bases: object

Construction properties for a DatabaseSecret.

Parameters:
  • username (str) – The username.

  • dbname (Optional[str]) – The database name, if not using the default one. Default: - whatever the secret generates after the attach method is run

  • encryption_key (Optional[IKey]) – The KMS key to use to encrypt the secret. Default: default master key

  • exclude_characters (Optional[str]) – Characters to not include in the generated password. Default: " %+~`#$&*()|[]{}:;<>?!'/@""

  • master_secret (Optional[ISecret]) – The master secret which will be used to rotate this secret. Default: - no master secret information will be included

  • replace_on_password_criteria_changes (Optional[bool]) – Whether to replace this secret when the criteria for the password change. This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated. Default: false

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

  • secret_name (Optional[str]) – A name for the secret. Default: - A name is generated by CloudFormation.

Example:

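from aws_cdk import aws_appsync as appsync, aws_ec2 as ec2, aws_rds as rds

# Build a data source for AppSync to access the database.
# `api` is an existing appsync.GraphqlApi; the code runs inside a construct, so `self` is the scope.
# Create username and password secret for DB Cluster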
secret = rds.DatabaseSecret(self, "AuroraSecret",
    username="clusteradmin"
)

# The VPC to place the cluster in
vpc = ec2.Vpc(self, "AuroraVpc")

# Create the serverless cluster, provide all values needed to customise the database.
cluster = rds.ServerlessCluster(self, "AuroraCluster",
    engine=rds.DatabaseClusterEngine.AURORA_MYSQL,
    vpc=vpc,
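    # Use the secret created above so the cluster and the AppSync data source share the same credentials.
    credentials=rds.Credentials.from_secret(secret),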
    cluster_identifier="db-endpoint-test",
    default_database_name="demos"
)
rds_dS = api.add_rds_data_source("rds", cluster, secret, "demos")

# Set up a resolver for an RDS query.
rds_dS.create_resolver("QueryGetDemosRdsResolver",
    type_name="Query",
    field_name="getDemosRds",
    request_mapping_template=appsync.MappingTemplate.from_string("""
          {
            "version": "2018-05-29",
            "statements": [
              "SELECT * FROM demos"
            ]
          }
          """),
    response_mapping_template=appsync.MappingTemplate.from_string("""
            $utils.toJson($utils.rds.toJsonObject($ctx.result)[0])
          """)
)

# Set up a resolver for an RDS mutation.
rds_dS.create_resolver("MutationAddDemoRdsResolver",
    type_name="Mutation",
    field_name="addDemoRds",
    request_mapping_template=appsync.MappingTemplate.from_string("""
          {
            "version": "2018-05-29",
            "statements": [
              "INSERT INTO demos VALUES (:id, :version)",
              "SELECT * FROM demos WHERE id = :id"
            ],
            "variableMap": {
              ":id": $util.toJson($util.autoId()),
              ":version": $util.toJson($ctx.args.version)
            }
          }
          """),
    response_mapping_template=appsync.MappingTemplate.from_string("""
            $utils.toJson($utils.rds.toJsonObject($ctx.result)[1][0])
          """)
)
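
To see how the encryption_key and replica_regions choices land in the synthesized template, the following added example (not part of the CDK documentation or the CDK code base) audits the AWS::SecretsManager::Secret resources in a template. The template contents, logical IDs and the audit_secrets function are constructed for illustration; KmsKeyId, SecretString and ReplicaRegions are properties of the CloudFormation resource type.

```python
import json

# Constructed sample of a synthesized template (not from the page): one secret
# left on defaults, one with a customer-managed key on the secret and its replica.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AuroraSecretA1B2": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "GenerateSecretString": {
                    "GenerateStringKey": "password",
                    "SecretStringTemplate": json.dumps({"username": "clusteradmin"}),
                },
                "ReplicaRegions": [{"Region": "eu-west-1"}],
            },
        },
        "AppSecretC3D4": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "KmsKeyId": {"Fn::GetAtt": ["SecretKey", "Arn"]},
                "GenerateSecretString": {"GenerateStringKey": "password"},
                "ReplicaRegions": [{"Region": "eu-west-1", "KmsKeyId": "alias/replica-key"}],
            },
        },
    }
}


def audit_secrets(template):
    """Return {logical_id: [findings]} for each AWS::SecretsManager::Secret."""
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SecretsManager::Secret":
            continue
        props = resource.get("Properties", {})
        findings = []
        if "KmsKeyId" not in props:
            findings.append("no KmsKeyId: default key in use (encryption_key unset)")
        if "SecretString" in props:
            findings.append("SecretString: literal value in the template, not generated")
        for replica in props.get("ReplicaRegions", []):
            if "KmsKeyId" not in replica:
                findings.append(f"replica {replica.get('Region')}: no KmsKeyId, default key in that region")
        report[logical_id] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(audit_secrets(SAMPLE_TEMPLATE), indent=2))
```

The same function can be pointed at the template JSON that `cdk synth` writes under `cdk.out`.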

Attributes

dbname

The database name, if not using the default one.

Default:
  • whatever the secret generates after the attach method is run

encryption_key

The KMS key to use to encrypt the secret.

Default:

default master key

exclude_characters

Characters to not include in the generated password.

Default:

" %+~`#$&*()|[]{}:;<>?!'/@""

master_secret

The master secret which will be used to rotate this secret.

Default:
  • no master secret information will be included

replace_on_password_criteria_changes

Whether to replace this secret when the criteria for the password change.

This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated.

Default:

false

replica_regions

A list of regions where to replicate this secret.

Default:
  • Secret is not replicated

secret_name

A name for the secret.

Default:
  • A name is generated by CloudFormation.

username

The username.