189 lines
7.3 KiB
TypeScript
189 lines
7.3 KiB
TypeScript
import { Construct } from 'constructs';
|
|
import type { ISecret } from './secret';
|
|
import * as ec2 from '../../aws-ec2';
|
|
import type { Duration } from '../../core';
|
|
/**
|
|
* Options for a SecretRotationApplication
|
|
*/
|
|
export interface SecretRotationApplicationOptions {
|
|
/**
|
|
* Whether the rotation application uses the mutli user scheme
|
|
*
|
|
* @default false
|
|
*/
|
|
readonly isMultiUser?: boolean;
|
|
}
|
|
/**
|
|
* A secret rotation serverless application.
|
|
*/
|
|
export declare class SecretRotationApplication {
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS MariaDB using the single user rotation scheme
|
|
*/
|
|
static readonly MARIADB_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS MariaDB using the multi user rotation scheme
|
|
*/
|
|
static readonly MARIADB_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS MySQL using the single user rotation scheme
|
|
*/
|
|
static readonly MYSQL_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS MySQL using the multi user rotation scheme
|
|
*/
|
|
static readonly MYSQL_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS Oracle using the single user rotation scheme
|
|
*/
|
|
static readonly ORACLE_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS Oracle using the multi user rotation scheme
|
|
*/
|
|
static readonly ORACLE_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS PostgreSQL using the single user rotation scheme
|
|
*/
|
|
static readonly POSTGRES_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS PostgreSQL using the multi user rotation scheme
|
|
*/
|
|
static readonly POSTGRES_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS SQL Server using the single user rotation scheme
|
|
*/
|
|
static readonly SQLSERVER_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for RDS SQL Server using the multi user rotation scheme
|
|
*/
|
|
static readonly SQLSERVER_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for Amazon Redshift using the single user rotation scheme
|
|
*/
|
|
static readonly REDSHIFT_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for Amazon Redshift using the multi user rotation scheme
|
|
*/
|
|
static readonly REDSHIFT_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for MongoDB using the single user rotation scheme
|
|
*/
|
|
static readonly MONGODB_ROTATION_SINGLE_USER: SecretRotationApplication;
|
|
/**
|
|
* Conducts an AWS SecretsManager secret rotation for MongoDB using the multi user rotation scheme
|
|
*/
|
|
static readonly MONGODB_ROTATION_MULTI_USER: SecretRotationApplication;
|
|
/**
|
|
* Whether the rotation application uses the mutli user scheme
|
|
*/
|
|
readonly isMultiUser?: boolean;
|
|
/**
|
|
* The application name of the rotation application
|
|
*/
|
|
private readonly applicationName;
|
|
constructor(applicationId: string, semanticVersion: string, options?: SecretRotationApplicationOptions);
|
|
/**
|
|
* Returns the application ARN for the current partition.
|
|
* Can be used in combination with a `CfnMapping` to automatically select the correct ARN based on the current partition.
|
|
*/
|
|
applicationArnForPartition(partition: string): string;
|
|
/**
|
|
* The semantic version of the app for the current partition.
|
|
* Can be used in combination with a `CfnMapping` to automatically select the correct version based on the current partition.
|
|
*/
|
|
semanticVersionForPartition(partition: string): string;
|
|
}
|
|
/**
|
|
* Construction properties for a SecretRotation.
|
|
*/
|
|
export interface SecretRotationProps {
|
|
/**
|
|
* The secret to rotate. It must be a JSON string with the following format:
|
|
*
|
|
* ```
|
|
* {
|
|
* "engine": <required: database engine>,
|
|
* "host": <required: instance host name>,
|
|
* "username": <required: username>,
|
|
* "password": <required: password>,
|
|
* "dbname": <optional: database name>,
|
|
* "port": <optional: if not specified, default port will be used>,
|
|
* "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
|
|
* }
|
|
* ```
|
|
*
|
|
* This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
|
|
* or an `ISecret` returned by the `attach()` method of `Secret`.
|
|
*
|
|
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
|
|
*/
|
|
readonly secret: ISecret;
|
|
/**
|
|
* The master secret for a multi user rotation scheme
|
|
*
|
|
* @default - single user rotation scheme
|
|
*/
|
|
readonly masterSecret?: ISecret;
|
|
/**
|
|
* Specifies the number of days after the previous rotation before
|
|
* Secrets Manager triggers the next automatic rotation.
|
|
*
|
|
* @default Duration.days(30)
|
|
*/
|
|
readonly automaticallyAfter?: Duration;
|
|
/**
|
|
* The serverless application for the rotation.
|
|
*/
|
|
readonly application: SecretRotationApplication;
|
|
/**
|
|
* The VPC where the Lambda rotation function will run.
|
|
*/
|
|
readonly vpc: ec2.IVpc;
|
|
/**
|
|
* The type of subnets in the VPC where the Lambda rotation function will run.
|
|
*
|
|
* @default - the Vpc default strategy if not specified.
|
|
*/
|
|
readonly vpcSubnets?: ec2.SubnetSelection;
|
|
/**
|
|
* The target service or database
|
|
*/
|
|
readonly target: ec2.IConnectable;
|
|
/**
|
|
* The security group for the Lambda rotation function
|
|
*
|
|
* @default - a new security group is created
|
|
*/
|
|
readonly securityGroup?: ec2.ISecurityGroup;
|
|
/**
|
|
* Characters which should not appear in the generated password
|
|
*
|
|
* @default - no additional characters are explicitly excluded
|
|
*/
|
|
readonly excludeCharacters?: string;
|
|
/**
|
|
* The VPC interface endpoint to use for the Secrets Manager API
|
|
*
|
|
* If you enable private DNS hostnames for your VPC private endpoint (the default), you don't
|
|
* need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager
|
|
* CLI and SDKs use by default (https://secretsmanager.<region>.amazonaws.com) automatically
|
|
* resolves to your VPC endpoint.
|
|
*
|
|
* @default https://secretsmanager.<region>.amazonaws.com
|
|
*/
|
|
readonly endpoint?: ec2.IInterfaceVpcEndpoint;
|
|
/**
|
|
* Specifies whether to rotate the secret immediately or wait until the next
|
|
* scheduled rotation window.
|
|
*
|
|
* @default true
|
|
*/
|
|
readonly rotateImmediatelyOnUpdate?: boolean;
|
|
}
|
|
/**
|
|
* Secret rotation for a service or database
|
|
*/
|
|
export declare class SecretRotation extends Construct {
|
|
constructor(scope: Construct, id: string, props: SecretRotationProps);
|
|
}
|