agent-claw: automated task changes

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/index.d.ts

@@ -0,0 +1,5 @@
+export * from './secret';
+export * from './rotation-schedule';
+export * from './policy';
+export * from './secret-rotation';
+export * from './secretsmanager.generated';

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.SecretStringValueBeta1=void 0,Object.defineProperty(exports,_noFold="SecretStringValueBeta1",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret").SecretStringValueBeta1;return Object.defineProperty(exports,_noFold="SecretStringValueBeta1",{enumerable:!0,configurable:!0,value}),value}}),exports.Secret=void 0,Object.defineProperty(exports,_noFold="Secret",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret").Secret;return Object.defineProperty(exports,_noFold="Secret",{enumerable:!0,configurable:!0,value}),value}}),exports.AttachmentTargetType=void 0,Object.defineProperty(exports,_noFold="AttachmentTargetType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret").AttachmentTargetType;return Object.defineProperty(exports,_noFold="AttachmentTargetType",{enumerable:!0,configurable:!0,value}),value}}),exports.SecretTargetAttachment=void 0,Object.defineProperty(exports,_noFold="SecretTargetAttachment",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret").SecretTargetAttachment;return Object.defineProperty(exports,_noFold="SecretTargetAttachment",{enumerable:!0,configurable:!0,value}),value}}),exports.RotationSchedule=void 0,Object.defineProperty(exports,_noFold="RotationSchedule",{enumerable:!0,configurable:!0,get:()=>{var value=require("./rotation-schedule").RotationSchedule;return Object.defineProperty(exports,_noFold="RotationSchedule",{enumerable:!0,configurable:!0,value}),value}}),exports.HostedRotation=void 0,Object.defineProperty(exports,_noFold="HostedRotation",{enumerable:!0,configurable:!0,get:()=>{var value=require("./rotation-schedule").HostedRotation;return Object.defineProperty(exports,_noFold="HostedRotation",{enumerable:!0,configurable:!0,value}),value}}),exports.HostedRotationType=void 0,Object.defineProperty(exports,_noFold="HostedRotationType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./rotation-schedule").HostedRotationType;return Object.defineProperty(exports,_noFold="HostedRotationType",{enumerable:!0,configurable:!0,value}),value}}),exports.ResourcePolicy=void 0,Object.defineProperty(exports,_noFold="ResourcePolicy",{enumerable:!0,configurable:!0,get:()=>{var value=require("./policy").ResourcePolicy;return Object.defineProperty(exports,_noFold="ResourcePolicy",{enumerable:!0,configurable:!0,value}),value}}),exports.SecretRotationApplication=void 0,Object.defineProperty(exports,_noFold="SecretRotationApplication",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret-rotation").SecretRotationApplication;return Object.defineProperty(exports,_noFold="SecretRotationApplication",{enumerable:!0,configurable:!0,value}),value}}),exports.SecretRotation=void 0,Object.defineProperty(exports,_noFold="SecretRotation",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secret-rotation").SecretRotation;return Object.defineProperty(exports,_noFold="SecretRotation",{enumerable:!0,configurable:!0,value}),value}}),exports.CfnResourcePolicy=void 0,Object.defineProperty(exports,_noFold="CfnResourcePolicy",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secretsmanager.generated").CfnResourcePolicy;return Object.defineProperty(exports,_noFold="CfnResourcePolicy",{enumerable:!0,configurable:!0,value}),value}}),exports.CfnRotationSchedule=void 0,Object.defineProperty(exports,_noFold="CfnRotationSchedule",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secretsmanager.generated").CfnRotationSchedule;return Object.defineProperty(exports,_noFold="CfnRotationSchedule",{enumerable:!0,configurable:!0,value}),value}}),exports.CfnSecret=void 0,Object.defineProperty(exports,_noFold="CfnSecret",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secretsmanager.generated").CfnSecret;return Object.defineProperty(exports,_noFold="CfnSecret",{enumerable:!0,configurable:!0,value}),value}}),exports.CfnSecretTargetAttachment=void 0,Object.defineProperty(exports,_noFold="CfnSecretTargetAttachment",{enumerable:!0,configurable:!0,get:()=>{var value=require("./secretsmanager.generated").CfnSecretTargetAttachment;return Object.defineProperty(exports,_noFold="CfnSecretTargetAttachment",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/policy.d.ts

@@ -0,0 +1,36 @@
+import type { Construct } from 'constructs';
+import type { ISecret } from './secret';
+import * as iam from '../../aws-iam';
+import { Resource } from '../../core';
+/**
+ * Construction properties for a ResourcePolicy
+ */
+export interface ResourcePolicyProps {
+    /**
+     * The secret to attach a resource-based permissions policy
+     */
+    readonly secret: ISecret;
+}
+/**
+ * Resource Policy for SecretsManager Secrets
+ *
+ * Policies define the operations that are allowed on this resource.
+ *
+ * You almost never need to define this construct directly.
+ *
+ * All AWS resources that support resource policies have a method called
+ * `addToResourcePolicy()`, which will automatically create a new resource
+ * policy if one doesn't exist yet, otherwise it will add to the existing
+ * policy.
+ *
+ * Prefer to use `addToResourcePolicy()` instead.
+ */
+export declare class ResourcePolicy extends Resource {
+    /** Uniquely identifies this class. */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * The IAM policy document for this policy.
+     */
+    readonly document: iam.PolicyDocument;
+    constructor(scope: Construct, id: string, props: ResourcePolicyProps);
+}

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/policy.js

@@ -0,0 +1 @@
+"use strict";var __esDecorate=exports&&exports.__esDecorate||function(ctor,descriptorIn,decorators,contextIn,initializers,extraInitializers){function accept(f){if(f!==void 0&&typeof f!="function")throw new TypeError("Function expected");return f}for(var kind=contextIn.kind,key=kind==="getter"?"get":kind==="setter"?"set":"value",target=!descriptorIn&&ctor?contextIn.static?ctor:ctor.prototype:null,descriptor=descriptorIn||(target?Object.getOwnPropertyDescriptor(target,contextIn.name):{}),_,done=!1,i=decorators.length-1;i>=0;i--){var context={};for(var p in contextIn)context[p]=p==="access"?{}:contextIn[p];for(var p in contextIn.access)context.access[p]=contextIn.access[p];context.addInitializer=function(f){if(done)throw new TypeError("Cannot add initializers after decoration has completed");extraInitializers.push(accept(f||null))};var result=(0,decorators[i])(kind==="accessor"?{get:descriptor.get,set:descriptor.set}:descriptor[key],context);if(kind==="accessor"){if(result===void 0)continue;if(result===null||typeof result!="object")throw new TypeError("Object expected");(_=accept(result.get))&&(descriptor.get=_),(_=accept(result.set))&&(descriptor.set=_),(_=accept(result.init))&&initializers.unshift(_)}else(_=accept(result))&&(kind==="field"?initializers.unshift(_):descriptor[key]=_)}target&&Object.defineProperty(target,contextIn.name,descriptor),done=!0},__runInitializers=exports&&exports.__runInitializers||function(thisArg,initializers,value){for(var useValue=arguments.length>2,i=0;i<initializers.length;i++)value=useValue?initializers[i].call(thisArg,value):initializers[i].call(thisArg);return useValue?value:void 0};Object.defineProperty(exports,"__esModule",{value:!0}),exports.ResourcePolicy=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var secretsmanager_generated_1=()=>{var tmp=require("./secretsmanager.generated");return secretsmanager_generated_1=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},metadata_resource_1=()=>{var tmp=require("../../core/lib/metadata-resource");return metadata_resource_1=()=>tmp,tmp},prop_injectable_1=()=>{var tmp=require("../../core/lib/prop-injectable");return prop_injectable_1=()=>tmp,tmp};let ResourcePolicy=(()=>{let _classDecorators=[prop_injectable_1().propertyInjectable],_classDescriptor,_classExtraInitializers=[],_classThis,_classSuper=core_1().Resource;var ResourcePolicy2=class extends _classSuper{static{_classThis=this}static{const _metadata=typeof Symbol=="function"&&Symbol.metadata?Object.create(_classSuper[Symbol.metadata]??null):void 0;__esDecorate(null,_classDescriptor={value:_classThis},_classDecorators,{kind:"class",name:_classThis.name,metadata:_metadata},null,_classExtraInitializers),ResourcePolicy2=_classThis=_classDescriptor.value,_metadata&&Object.defineProperty(_classThis,Symbol.metadata,{enumerable:!0,configurable:!0,writable:!0,value:_metadata})}static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_secretsmanager.ResourcePolicy",version:"2.252.0"};static PROPERTY_INJECTION_ID="aws-cdk-lib.aws-secretsmanager.ResourcePolicy";document=new(iam()).PolicyDocument;constructor(scope,id,props){super(scope,id);try{jsiiDeprecationWarnings().aws_cdk_lib_aws_secretsmanager_ResourcePolicyProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,ResourcePolicy2),error}(0,metadata_resource_1().addConstructMetadata)(this,props),new(secretsmanager_generated_1()).CfnResourcePolicy(this,"Resource",{resourcePolicy:this.document,secretId:props.secret.secretArn})}static{__runInitializers(_classThis,_classExtraInitializers)}};return ResourcePolicy2=_classThis})();exports.ResourcePolicy=ResourcePolicy;

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.d.ts

@@ -0,0 +1,207 @@
+import type { Construct } from 'constructs';
+import type { ISecret } from './secret';
+import { CfnRotationSchedule } from './secretsmanager.generated';
+import * as ec2 from '../../aws-ec2';
+import type * as lambda from '../../aws-lambda';
+import { Duration, Resource } from '../../core';
+/**
+ * Options to add a rotation schedule to a secret.
+ */
+export interface RotationScheduleOptions {
+    /**
+     * A Lambda function that can rotate the secret.
+     *
+     * @default - either `rotationLambda` or `hostedRotation` must be specified
+     */
+    readonly rotationLambda?: lambda.IFunction;
+    /**
+     * Hosted rotation
+     *
+     * @default - either `rotationLambda` or `hostedRotation` must be specified
+     */
+    readonly hostedRotation?: HostedRotation;
+    /**
+     * Specifies the number of days after the previous rotation before
+     * Secrets Manager triggers the next automatic rotation.
+     *
+     * The minimum value is 4 hours.
+     * The maximum value is 1000 days.
+     *
+     * A value of zero (`Duration.days(0)`) will not create RotationRules.
+     *
+     * @default Duration.days(30)
+     */
+    readonly automaticallyAfter?: Duration;
+    /**
+     * Specifies whether to rotate the secret immediately or wait until the next
+     * scheduled rotation window.
+     *
+     * @default true
+     */
+    readonly rotateImmediatelyOnUpdate?: boolean;
+}
+/**
+ * Construction properties for a RotationSchedule.
+ */
+export interface RotationScheduleProps extends RotationScheduleOptions {
+    /**
+     * The secret to rotate.
+     *
+     * If hosted rotation is used, this must be a JSON string with the following format:
+     *
+     * ```
+     * {
+     *   "engine": <required: database engine>,
+     *   "host": <required: instance host name>,
+     *   "username": <required: username>,
+     *   "password": <required: password>,
+     *   "dbname": <optional: database name>,
+     *   "port": <optional: if not specified, default port will be used>,
+     *   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
+     * }
+     * ```
+     *
+     * This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
+     * or an `ISecret` returned by the `attach()` method of `Secret`.
+     */
+    readonly secret: ISecret;
+}
+/**
+ * A rotation schedule.
+ */
+export declare class RotationSchedule extends Resource {
+    /** Uniquely identifies this class. */
+    static readonly PROPERTY_INJECTION_ID: string;
+    constructor(scope: Construct, id: string, props: RotationScheduleProps);
+}
+/**
+ * Single user hosted rotation options
+ */
+export interface SingleUserHostedRotationOptions {
+    /**
+     * A name for the Lambda created to rotate the secret
+     *
+     * @default - a CloudFormation generated name
+     */
+    readonly functionName?: string;
+    /**
+     * A list of security groups for the Lambda created to rotate the secret
+     *
+     * @default - a new security group is created
+     */
+    readonly securityGroups?: ec2.ISecurityGroup[];
+    /**
+     * The VPC where the Lambda rotation function will run.
+     *
+     * @default - the Lambda is not deployed in a VPC
+     */
+    readonly vpc?: ec2.IVpc;
+    /**
+     * The type of subnets in the VPC where the Lambda rotation function will run.
+     *
+     * @default - the Vpc default strategy if not specified.
+     */
+    readonly vpcSubnets?: ec2.SubnetSelection;
+    /**
+     * A string of the characters that you don't want in the password
+     *
+     * @default the same exclude characters as the ones used for the
+     * secret or " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
+     */
+    readonly excludeCharacters?: string;
+}
+/**
+ * Multi user hosted rotation options
+ */
+export interface MultiUserHostedRotationOptions extends SingleUserHostedRotationOptions {
+    /**
+     * The master secret for a multi user rotation scheme
+     */
+    readonly masterSecret: ISecret;
+}
+/**
+ * A hosted rotation
+ */
+export declare class HostedRotation implements ec2.IConnectable {
+    private readonly type;
+    private readonly props;
+    private readonly masterSecret?;
+    /** MySQL Single User */
+    static mysqlSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** MySQL Multi User */
+    static mysqlMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** PostgreSQL Single User */
+    static postgreSqlSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** PostgreSQL Multi User */
+    static postgreSqlMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** Oracle Single User */
+    static oracleSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** Oracle Multi User */
+    static oracleMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** MariaDB Single User */
+    static mariaDbSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** MariaDB Multi User */
+    static mariaDbMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** SQL Server Single User */
+    static sqlServerSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** SQL Server Multi User */
+    static sqlServerMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** Redshift Single User */
+    static redshiftSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** Redshift Multi User */
+    static redshiftMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    /** MongoDB Single User */
+    static mongoDbSingleUser(options?: SingleUserHostedRotationOptions): HostedRotation;
+    /** MongoDB Multi User */
+    static mongoDbMultiUser(options: MultiUserHostedRotationOptions): HostedRotation;
+    private _connections?;
+    private constructor();
+    /**
+     * Binds this hosted rotation to a secret
+     */
+    bind(secret: ISecret, scope: Construct): CfnRotationSchedule.HostedRotationLambdaProperty;
+    /**
+     * Security group connections for this hosted rotation
+     */
+    get connections(): ec2.Connections;
+}
+/**
+ * Hosted rotation type
+ */
+export declare class HostedRotationType {
+    readonly name: string;
+    readonly isMultiUser?: boolean | undefined;
+    /** MySQL Single User */
+    static readonly MYSQL_SINGLE_USER: HostedRotationType;
+    /** MySQL Multi User */
+    static readonly MYSQL_MULTI_USER: HostedRotationType;
+    /** PostgreSQL Single User */
+    static readonly POSTGRESQL_SINGLE_USER: HostedRotationType;
+    /** PostgreSQL Multi User */
+    static readonly POSTGRESQL_MULTI_USER: HostedRotationType;
+    /** Oracle Single User */
+    static readonly ORACLE_SINGLE_USER: HostedRotationType;
+    /** Oracle Multi User */
+    static readonly ORACLE_MULTI_USER: HostedRotationType;
+    /** MariaDB Single User */
+    static readonly MARIADB_SINGLE_USER: HostedRotationType;
+    /** MariaDB Multi User */
+    static readonly MARIADB_MULTI_USER: HostedRotationType;
+    /** SQL Server Single User */
+    static readonly SQLSERVER_SINGLE_USER: HostedRotationType;
+    /** SQL Server Multi User */
+    static readonly SQLSERVER_MULTI_USER: HostedRotationType;
+    /** Redshift Single User */
+    static readonly REDSHIFT_SINGLE_USER: HostedRotationType;
+    /** Redshift Multi User */
+    static readonly REDSHIFT_MULTI_USER: HostedRotationType;
+    /** MongoDB Single User */
+    static readonly MONGODB_SINGLE_USER: HostedRotationType;
+    /** MongoDB Multi User */
+    static readonly MONGODB_MULTI_USER: HostedRotationType;
+    /**
+     * @param name The type of rotation
+     * @param isMultiUser Whether the rotation uses the mutli user scheme
+     */
+    private constructor();
+}

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.d.ts

@@ -0,0 +1,188 @@
+import { Construct } from 'constructs';
+import type { ISecret } from './secret';
+import * as ec2 from '../../aws-ec2';
+import type { Duration } from '../../core';
+/**
+ * Options for a SecretRotationApplication
+ */
+export interface SecretRotationApplicationOptions {
+    /**
+     * Whether the rotation application uses the mutli user scheme
+     *
+     * @default false
+     */
+    readonly isMultiUser?: boolean;
+}
+/**
+ * A secret rotation serverless application.
+ */
+export declare class SecretRotationApplication {
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS MariaDB using the single user rotation scheme
+     */
+    static readonly MARIADB_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS MariaDB using the multi user rotation scheme
+     */
+    static readonly MARIADB_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS MySQL using the single user rotation scheme
+     */
+    static readonly MYSQL_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS MySQL using the multi user rotation scheme
+     */
+    static readonly MYSQL_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS Oracle using the single user rotation scheme
+     */
+    static readonly ORACLE_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS Oracle using the multi user rotation scheme
+     */
+    static readonly ORACLE_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS PostgreSQL using the single user rotation scheme
+     */
+    static readonly POSTGRES_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS PostgreSQL using the multi user rotation scheme
+     */
+    static readonly POSTGRES_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS SQL Server using the single user rotation scheme
+     */
+    static readonly SQLSERVER_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for RDS SQL Server using the multi user rotation scheme
+     */
+    static readonly SQLSERVER_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for Amazon Redshift using the single user rotation scheme
+     */
+    static readonly REDSHIFT_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for Amazon Redshift using the multi user rotation scheme
+     */
+    static readonly REDSHIFT_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for MongoDB using the single user rotation scheme
+     */
+    static readonly MONGODB_ROTATION_SINGLE_USER: SecretRotationApplication;
+    /**
+     * Conducts an AWS SecretsManager secret rotation for MongoDB using the multi user rotation scheme
+     */
+    static readonly MONGODB_ROTATION_MULTI_USER: SecretRotationApplication;
+    /**
+     * Whether the rotation application uses the mutli user scheme
+     */
+    readonly isMultiUser?: boolean;
+    /**
+     * The application name of the rotation application
+     */
+    private readonly applicationName;
+    constructor(applicationId: string, semanticVersion: string, options?: SecretRotationApplicationOptions);
+    /**
+     * Returns the application ARN for the current partition.
+     * Can be used in combination with a `CfnMapping` to automatically select the correct ARN based on the current partition.
+     */
+    applicationArnForPartition(partition: string): string;
+    /**
+     * The semantic version of the app for the current partition.
+     * Can be used in combination with a `CfnMapping` to automatically select the correct version based on the current partition.
+     */
+    semanticVersionForPartition(partition: string): string;
+}
+/**
+ * Construction properties for a SecretRotation.
+ */
+export interface SecretRotationProps {
+    /**
+     * The secret to rotate. It must be a JSON string with the following format:
+     *
+     * ```
+     * {
+     *   "engine": <required: database engine>,
+     *   "host": <required: instance host name>,
+     *   "username": <required: username>,
+     *   "password": <required: password>,
+     *   "dbname": <optional: database name>,
+     *   "port": <optional: if not specified, default port will be used>,
+     *   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
+     * }
+     * ```
+     *
+     * This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
+     * or an `ISecret` returned by the `attach()` method of `Secret`.
+     *
+     * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
+     */
+    readonly secret: ISecret;
+    /**
+     * The master secret for a multi user rotation scheme
+     *
+     * @default - single user rotation scheme
+     */
+    readonly masterSecret?: ISecret;
+    /**
+     * Specifies the number of days after the previous rotation before
+     * Secrets Manager triggers the next automatic rotation.
+     *
+     * @default Duration.days(30)
+     */
+    readonly automaticallyAfter?: Duration;
+    /**
+     * The serverless application for the rotation.
+     */
+    readonly application: SecretRotationApplication;
+    /**
+     * The VPC where the Lambda rotation function will run.
+     */
+    readonly vpc: ec2.IVpc;
+    /**
+     * The type of subnets in the VPC where the Lambda rotation function will run.
+     *
+     * @default - the Vpc default strategy if not specified.
+     */
+    readonly vpcSubnets?: ec2.SubnetSelection;
+    /**
+     * The target service or database
+     */
+    readonly target: ec2.IConnectable;
+    /**
+     * The security group for the Lambda rotation function
+     *
+     * @default - a new security group is created
+     */
+    readonly securityGroup?: ec2.ISecurityGroup;
+    /**
+     * Characters which should not appear in the generated password
+     *
+     * @default - no additional characters are explicitly excluded
+     */
+    readonly excludeCharacters?: string;
+    /**
+     * The VPC interface endpoint to use for the Secrets Manager API
+     *
+     * If you enable private DNS hostnames for your VPC private endpoint (the default), you don't
+     * need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager
+     * CLI and SDKs use by default (https://secretsmanager.<region>.amazonaws.com) automatically
+     * resolves to your VPC endpoint.
+     *
+     * @default https://secretsmanager.<region>.amazonaws.com
+     */
+    readonly endpoint?: ec2.IInterfaceVpcEndpoint;
+    /**
+     * Specifies whether to rotate the secret immediately or wait until the next
+     * scheduled rotation window.
+     *
+     * @default true
+     */
+    readonly rotateImmediatelyOnUpdate?: boolean;
+}
+/**
+ * Secret rotation for a service or database
+ */
+export declare class SecretRotation extends Construct {
+    constructor(scope: Construct, id: string, props: SecretRotationProps);
+}

cdk/node_modules/aws-cdk-lib/aws-secretsmanager/lib/secret.d.ts

@@ -0,0 +1,572 @@
+import type { Construct } from 'constructs';
+import type { RotationScheduleOptions } from './rotation-schedule';
+import { RotationSchedule } from './rotation-schedule';
+import * as iam from '../../aws-iam';
+import * as kms from '../../aws-kms';
+import type { IResource, ResourceProps, SecretsManagerSecretOptions } from '../../core';
+import { RemovalPolicy, Resource, SecretValue } from '../../core';
+import type { ISecretRef, SecretReference, ISecretTargetAttachmentRef, SecretTargetAttachmentReference } from '../../interfaces/generated/aws-secretsmanager-interfaces.generated';
+/**
+ * A secret in AWS Secrets Manager.
+ */
+export interface ISecret extends IResource, ISecretRef {
+    /**
+     * The customer-managed encryption key that is used to encrypt this secret, if any. When not specified, the default
+     * KMS key for the account and region is being used.
+     */
+    readonly encryptionKey?: kms.IKey;
+    /**
+     * The ARN of the secret in AWS Secrets Manager. Will return the full ARN if available, otherwise a partial arn.
+     * For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
+     * @attribute
+     */
+    readonly secretArn: string;
+    /**
+     * The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
+     * This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
+     */
+    readonly secretFullArn?: string;
+    /**
+     * The name of the secret.
+     *
+     * For "owned" secrets, this will be the full resource name (secret name + suffix), unless the
+     * '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
+     */
+    readonly secretName: string;
+    /**
+     * Retrieve the value of the stored secret as a `SecretValue`.
+     * @attribute
+     */
+    readonly secretValue: SecretValue;
+    /**
+     * Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
+     */
+    secretValueFromJson(key: string): SecretValue;
+    /**
+     * Grants reading the secret value to some role.
+     *
+     * @param grantee       the principal being granted permission.
+     * @param versionStages the version stages the grant is limited to. If not specified, no restriction on the version
+     *                      stages is applied.
+     */
+    grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant;
+    /**
+     * Grants writing and updating the secret value to some role.
+     *
+     * @param grantee       the principal being granted permission.
+     */
+    grantWrite(grantee: iam.IGrantable): iam.Grant;
+    /**
+     * Adds a rotation schedule to the secret.
+     */
+    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
+    /**
+     * Adds a statement to the IAM resource policy associated with this secret.
+     *
+     * If this secret was created in this stack, a resource policy will be
+     * automatically created upon the first call to `addToResourcePolicy`. If
+     * the secret is imported, then this is a no-op.
+     */
+    addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
+    /**
+     * Denies the `DeleteSecret` action to all principals within the current
+     * account.
+     */
+    denyAccountRootDelete(): void;
+    /**
+     * Attach a target to this secret.
+     *
+     * @param target The target to attach.
+     * @returns An attached secret
+     */
+    attach(target: ISecretAttachmentTarget): ISecret;
+    /**
+     * Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this
+     * secret from AWS Secrets Manager
+     *
+     * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html
+     *
+     * @param options Options
+     */
+    cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string;
+}
+/**
+ * The properties required to create a new secret in AWS Secrets Manager.
+ */
+export interface SecretProps {
+    /**
+     * An optional, human-friendly description of the secret.
+     *
+     * @default - No description.
+     */
+    readonly description?: string;
+    /**
+     * The customer-managed encryption key to use for encrypting the secret value.
+     *
+     * @default - A default KMS key for the account and region is used.
+     */
+    readonly encryptionKey?: kms.IKey;
+    /**
+     * Configuration for how to generate a secret value.
+     *
+     * Only one of `secretString` and `generateSecretString` can be provided.
+     *
+     * @default - 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
+     * category), per the default values of ``SecretStringGenerator``.
+     */
+    readonly generateSecretString?: SecretStringGenerator;
+    /**
+     * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
+     * 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
+     *
+     * @default - A name is generated by CloudFormation.
+     */
+    readonly secretName?: string;
+    /**
+     * Initial value for the secret
+     *
+     * **NOTE:** *It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
+     * The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
+     * and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to
+     * another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
+     * to the CloudFormation template (via the AWS Console, SDKs, or CLI).
+     *
+     * Specifies text data that you want to encrypt and store in this new version of the secret.
+     * May be a simple string value, or a string representation of a JSON structure.
+     *
+     * Only one of `secretStringBeta1`, `secretStringValue`, and `generateSecretString` can be provided.
+     *
+     * @default - SecretsManager generates a new secret value.
+     * @deprecated Use `secretStringValue` instead.
+     */
+    readonly secretStringBeta1?: SecretStringValueBeta1;
+    /**
+     * Initial value for the secret
+     *
+     * **NOTE:** *It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
+     * The secret string -- if provided -- will be included in the output of the cdk as part of synthesis,
+     * and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to
+     * another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
+     * to the CloudFormation template (via the AWS Console, SDKs, or CLI).
+     *
+     * Specifies text data that you want to encrypt and store in this new version of the secret.
+     * May be a simple string value. To provide a string representation of JSON structure, use `SecretProps.secretObjectValue` instead.
+     *
+     * Only one of `secretStringBeta1`, `secretStringValue`, 'secretObjectValue', and `generateSecretString` can be provided.
+     *
+     * @default - SecretsManager generates a new secret value.
+     */
+    readonly secretStringValue?: SecretValue;
+    /**
+     * Initial value for a JSON secret
+     *
+     * **NOTE:** *It is **highly** encouraged to leave this field undefined and allow SecretsManager to create the secret value.
+     * The secret object -- if provided -- will be included in the output of the cdk as part of synthesis,
+     * and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to
+     * another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access
+     * to the CloudFormation template (via the AWS Console, SDKs, or CLI).
+     *
+     * Specifies a JSON object that you want to encrypt and store in this new version of the secret.
+     * To specify a simple string value instead, use `SecretProps.secretStringValue`
+     *
+     * Only one of `secretStringBeta1`, `secretStringValue`, 'secretObjectValue', and `generateSecretString` can be provided.
+     *
+     * @example
+     * declare const user: iam.User;
+     * declare const accessKey: iam.AccessKey;
+     * declare const stack: Stack;
+     * new secretsmanager.Secret(stack, 'JSONSecret', {
+     *   secretObjectValue: {
+     *     username: SecretValue.unsafePlainText(user.userName), // intrinsic reference, not exposed as plaintext
+     *     database: SecretValue.unsafePlainText('foo'), // rendered as plain text, but not a secret
+     *     password: accessKey.secretAccessKey, // SecretValue
+     *   },
+     * });
+     *
+     * @default - SecretsManager generates a new secret value.
+     */
+    readonly secretObjectValue?: {
+        [key: string]: SecretValue;
+    };
+    /**
+     * Policy to apply when the secret is removed from this stack.
+     *
+     * @default - Not set.
+     */
+    readonly removalPolicy?: RemovalPolicy;
+    /**
+     * A list of regions where to replicate this secret.
+     *
+     * @default - Secret is not replicated
+     */
+    readonly replicaRegions?: ReplicaRegion[];
+}
+/**
+ * Secret replica region
+ */
+export interface ReplicaRegion {
+    /**
+     * The name of the region
+     */
+    readonly region: string;
+    /**
+     * The customer-managed encryption key to use for encrypting the secret value.
+     *
+     * @default - A default KMS key for the account and region is used.
+     */
+    readonly encryptionKey?: kms.IKey;
+}
+/**
+ * An experimental class used to specify an initial secret value for a Secret.
+ *
+ * The class wraps a simple string (or JSON representation) in order to provide some safety checks and warnings
+ * about the dangers of using plaintext strings as initial secret seed values via CDK/CloudFormation.
+ *
+ * @deprecated Use `cdk.SecretValue` instead.
+ */
+export declare class SecretStringValueBeta1 {
+    private readonly _secretValue;
+    /**
+     * Creates a `SecretStringValueBeta1` from a plaintext value.
+     *
+     * This approach is inherently unsafe, as the secret value may be visible in your source control repository
+     * and will also appear in plaintext in the resulting CloudFormation template, including in the AWS Console or APIs.
+     * Usage of this method is discouraged, especially for production workloads.
+     */
+    static fromUnsafePlaintext(secretValue: string): SecretStringValueBeta1;
+    /**
+     * Creates a `SecretValueValueBeta1` from a string value coming from a Token.
+     *
+     * The intent is to enable creating secrets from references (e.g., `Ref`, `Fn::GetAtt`) from other resources.
+     * This might be the direct output of another Construct, or the output of a Custom Resource.
+     * This method throws if it determines the input is an unsafe plaintext string.
+     *
+     * For example:
+     *
+     * ```ts
+     * // Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
+     * const user = new iam.User(this, 'User');
+     * const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
+     * const secret = new secretsmanager.Secret(this, 'Secret', {
+     * 	secretStringValue: accessKey.secretAccessKey,
+     * });
+     * ```
+     *
+     * The secret may also be embedded in a string representation of a JSON structure:
+     *
+     * ```ts
+     * const user = new iam.User(this, 'User');
+     * const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
+     * const secretValue = secretsmanager.SecretStringValueBeta1.fromToken(JSON.stringify({
+     *   username: user.userName,
+     *   database: 'foo',
+     *   password: accessKey.secretAccessKey.unsafeUnwrap(),
+     * }));
+     * ```
+     *
+     * Note that the value being a Token does *not* guarantee safety. For example, a Lazy-evaluated string
+     * (e.g., `Lazy.string({ produce: () => 'myInsecurePassword' }))`) is a Token, but as the output is
+     * ultimately a plaintext string, and so insecure.
+     *
+     * @param secretValueFromToken a secret value coming from a Construct attribute or Custom Resource output
+     */
+    static fromToken(secretValueFromToken: string): SecretStringValueBeta1;
+    private constructor();
+    /** Returns the secret value */
+    secretValue(): string;
+}
+/**
+ * Attributes required to import an existing secret into the Stack.
+ * One ARN format (`secretArn`, `secretCompleteArn`, `secretPartialArn`) must be provided.
+ */
+export interface SecretAttributes {
+    /**
+     * The encryption key that is used to encrypt the secret, unless the default SecretsManager key is used.
+     */
+    readonly encryptionKey?: kms.IKey;
+    /**
+     * The complete ARN of the secret in SecretsManager. This is the ARN including the Secrets Manager 6-character suffix.
+     * Cannot be used with `secretArn` or `secretPartialArn`.
+     */
+    readonly secretCompleteArn?: string;
+    /**
+     * The partial ARN of the secret in SecretsManager. This is the ARN without the Secrets Manager 6-character suffix.
+     * Cannot be used with `secretArn` or `secretCompleteArn`.
+     */
+    readonly secretPartialArn?: string;
+}
+/**
+ * The common behavior of Secrets. Users should not use this class directly, and instead use ``Secret``.
+ */
+declare abstract class SecretBase extends Resource implements ISecret {
+    abstract readonly encryptionKey?: kms.IKey;
+    abstract readonly secretArn: string;
+    abstract readonly secretName: string;
+    protected abstract readonly autoCreatePolicy: boolean;
+    private policy?;
+    private _arnForPolicies;
+    constructor(scope: Construct, id: string, props?: ResourceProps);
+    get secretRef(): SecretReference;
+    /**
+     * Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this
+     * secret from AWS Secrets Manager
+     *
+     * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html
+     *
+     * @param options Options
+     */
+    cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string;
+    get secretFullArn(): string | undefined;
+    /**
+     * [disable-awslint:no-grants]
+     */
+    grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant;
+    /**
+     * [disable-awslint:no-grants]
+     */
+    grantWrite(grantee: iam.IGrantable): iam.Grant;
+    get secretValue(): SecretValue;
+    secretValueFromJson(jsonField: string): SecretValue;
+    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
+    addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
+    denyAccountRootDelete(): void;
+    /**
+     * Provides an identifier for this secret for use in IAM policies.
+     * If there is a full ARN, this is just the ARN;
+     * if we have a partial ARN -- due to either importing by secret name or partial ARN --
+     * then we need to add a suffix to capture the full ARN's format.
+     */
+    protected get arnForPolicies(): string;
+    /**
+     * Attach a target to this secret
+     *
+     * @param target The target to attach
+     * @returns An attached secret
+     */
+    attach(target: ISecretAttachmentTarget): ISecret;
+}
+/**
+ * Creates a new secret in AWS SecretsManager.
+ */
+export declare class Secret extends SecretBase {
+    /**
+     * Uniquely identifies this class.
+     */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * Return whether the given object is a Secret.
+     */
+    static isSecret(x: any): x is Secret;
+    /** Imports a secret by complete ARN. The complete ARN is the ARN with the Secrets Manager-supplied suffix. */
+    static fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string): ISecret;
+    /** Imports a secret by partial ARN. The partial ARN is the ARN without the Secrets Manager-supplied suffix. */
+    static fromSecretPartialArn(scope: Construct, id: string, secretPartialArn: string): ISecret;
+    /**
+     * Imports a secret by secret name.
+     * A secret with this name must exist in the same account & region.
+     * Replaces the deprecated `fromSecretName`.
+     * Please note this method returns ISecret that only contains partial ARN and could lead to AccessDeniedException
+     * when you pass the partial ARN to CLI or SDK to get the secret value. If your secret name ends with a hyphen and
+     * 6 characters, you should always use fromSecretCompleteArn() to avoid potential AccessDeniedException.
+     * @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
+     */
+    static fromSecretNameV2(scope: Construct, id: string, secretName: string): ISecret;
+    /**
+     * Import an existing secret into the Stack.
+     *
+     * @param scope the scope of the import.
+     * @param id    the ID of the imported Secret in the construct tree.
+     * @param attrs the attributes of the imported secret.
+     */
+    static fromSecretAttributes(scope: Construct, id: string, attrs: SecretAttributes): ISecret;
+    readonly encryptionKey?: kms.IKey;
+    readonly secretArn: string;
+    readonly secretName: string;
+    /**
+     * The string of the characters that are excluded in this secret
+     * when it is generated.
+     */
+    readonly excludeCharacters?: string;
+    private readonly _replicaRegions;
+    protected readonly autoCreatePolicy = true;
+    constructor(scope: Construct, id: string, props?: SecretProps);
+    private resolveSecretObjectValue;
+    /**
+     * Adds a replica region for the secret
+     *
+     * @param region The name of the region
+     * @param encryptionKey The customer-managed encryption key to use for encrypting the secret value.
+     */
+    addReplicaRegion(region: string, encryptionKey?: kms.IKeyRef): void;
+}
+/**
+ * A secret attachment target.
+ */
+export interface ISecretAttachmentTarget {
+    /**
+     * Renders the target specifications.
+     */
+    asSecretAttachmentTarget(): SecretAttachmentTargetProps;
+}
+/**
+ * The type of service or database that's being associated with the secret.
+ */
+export declare enum AttachmentTargetType {
+    /**
+     * AWS::RDS::DBInstance
+     */
+    RDS_DB_INSTANCE = "AWS::RDS::DBInstance",
+    /**
+     * AWS::RDS::DBCluster
+     */
+    RDS_DB_CLUSTER = "AWS::RDS::DBCluster",
+    /**
+     * AWS::RDS::DBProxy
+     */
+    RDS_DB_PROXY = "AWS::RDS::DBProxy",
+    /**
+     * AWS::Redshift::Cluster
+     */
+    REDSHIFT_CLUSTER = "AWS::Redshift::Cluster",
+    /**
+     * AWS::DocDB::DBInstance
+     */
+    DOCDB_DB_INSTANCE = "AWS::DocDB::DBInstance",
+    /**
+     * AWS::DocDB::DBCluster
+     */
+    DOCDB_DB_CLUSTER = "AWS::DocDB::DBCluster"
+}
+/**
+ * Attachment target specifications.
+ */
+export interface SecretAttachmentTargetProps {
+    /**
+     * The id of the target to attach the secret to.
+     */
+    readonly targetId: string;
+    /**
+     * The type of the target to attach the secret to.
+     */
+    readonly targetType: AttachmentTargetType;
+}
+/**
+ * Options to add a secret attachment to a secret.
+ */
+export interface AttachedSecretOptions {
+    /**
+     * The target to attach the secret to.
+     */
+    readonly target: ISecretAttachmentTarget;
+}
+/**
+ * Construction properties for an AttachedSecret.
+ */
+export interface SecretTargetAttachmentProps extends AttachedSecretOptions {
+    /**
+     * The secret to attach to the target.
+     */
+    readonly secret: ISecret;
+}
+export interface ISecretTargetAttachment extends ISecret, ISecretTargetAttachmentRef {
+    /**
+     * Same as `secretArn`
+     *
+     * @attribute
+     */
+    readonly secretTargetAttachmentSecretArn: string;
+}
+/**
+ * An attached secret.
+ */
+export declare class SecretTargetAttachment extends SecretBase implements ISecretTargetAttachment {
+    /** Uniquely identifies this class. */
+    static readonly PROPERTY_INJECTION_ID: string;
+    static fromSecretTargetAttachmentSecretArn(scope: Construct, id: string, secretTargetAttachmentSecretArn: string): ISecretTargetAttachment;
+    readonly encryptionKey?: kms.IKey;
+    readonly secretArn: string;
+    readonly secretName: string;
+    /**
+     * @attribute
+     */
+    readonly secretTargetAttachmentSecretArn: string;
+    protected readonly autoCreatePolicy = true;
+    private readonly attachedSecret;
+    constructor(scope: Construct, id: string, props: SecretTargetAttachmentProps);
+    get secretTargetAttachmentRef(): SecretTargetAttachmentReference;
+    /**
+     * Forward any additions to the resource policy to the original secret.
+     * This is required because a secret can only have a single resource policy.
+     * If we do not forward policy additions, a new policy resource is created using the secret attachment ARN.
+     * This ends up being rejected by CloudFormation.
+     */
+    addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
+}
+/**
+ * Configuration to generate secrets such as passwords automatically.
+ */
+export interface SecretStringGenerator {
+    /**
+     * Specifies that the generated password shouldn't include uppercase letters.
+     *
+     * @default false
+     */
+    readonly excludeUppercase?: boolean;
+    /**
+     * Specifies whether the generated password must include at least one of every allowed character type.
+     *
+     * @default true
+     */
+    readonly requireEachIncludedType?: boolean;
+    /**
+     * Specifies that the generated password can include the space character.
+     *
+     * @default false
+     */
+    readonly includeSpace?: boolean;
+    /**
+     * A string that includes characters that shouldn't be included in the generated password. The string can be a minimum
+     * of ``0`` and a maximum of ``4096`` characters long.
+     *
+     * @default no exclusions
+     */
+    readonly excludeCharacters?: string;
+    /**
+     * The desired length of the generated password.
+     *
+     * @default 32
+     */
+    readonly passwordLength?: number;
+    /**
+     * Specifies that the generated password shouldn't include punctuation characters.
+     *
+     * @default false
+     */
+    readonly excludePunctuation?: boolean;
+    /**
+     * Specifies that the generated password shouldn't include lowercase letters.
+     *
+     * @default false
+     */
+    readonly excludeLowercase?: boolean;
+    /**
+     * Specifies that the generated password shouldn't include digits.
+     *
+     * @default false
+     */
+    readonly excludeNumbers?: boolean;
+    /**
+     * A properly structured JSON string that the generated password can be added to. The ``generateStringKey`` is
+     * combined with the generated random string and inserted into the JSON structure that's specified by this parameter.
+     * The merged JSON string is returned as the completed SecretString of the secret. If you specify ``secretStringTemplate``
+     * then ``generateStringKey`` must be also be specified.
+     */
+    readonly secretStringTemplate?: string;
+    /**
+     * The JSON key name that's used to add the generated password to the JSON structure specified by the
+     * ``secretStringTemplate`` parameter. If you specify ``generateStringKey`` then ``secretStringTemplate``
+     * must be also be specified.
+     */
+    readonly generateStringKey?: string;
+}
+export {};