chore(release): 1.106.1 (#14881)
See CHANGELOG

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify[bot] authored May 26, 2021
2 parents fe32f1c + a94af94 commit c832c1b
Showing 5 changed files with 9 additions and 102 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,14 @@

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

## [1.106.1](https://github.com/aws/aws-cdk/compare/v1.106.0...v1.106.1) (2021-05-26)


### Bug Fixes

* **secretsmanager**: revert "Automatically grant permissions to rotation Lambda ([#14471](https://github.com/aws/aws-cdk/issues/14471))",
fixes [#14868](https://github.com/aws/aws-cdk/issues/14868)

## [1.106.0](https://github.com/aws/aws-cdk/compare/v1.105.0...v1.106.0) (2021-05-25)


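Review bot: the `**secretsmanager**: revert ...` entry says what was reverted but not the user-visible effect: a stack that relied on 1.106.0 to emit the `AWS::Lambda::Permission` for `secretsmanager.amazonaws.com` and the `AWS::IAM::Policy` on the rotation Lambda's role will, after upgrading, synthesize without them and must add them explicitly. A one-line note to that effect under Bug Fixes (or a BREAKING CHANGES heading, since behaviour shipped in 1.106.0 is being withdrawn) would save users a failed rotation. Also, the bullet is split across two lines; joining `fixes [#14868]...` onto the preceding line keeps it a single list item.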
2 changes: 0 additions & 2 deletions packages/@aws-cdk/aws-secretsmanager/README.md
Expand Up @@ -87,8 +87,6 @@ secret.addRotationSchedule('RotationSchedule', {
});
```

Note: The required permissions for Lambda to call SecretsManager and the other way round are automatically granted based on [AWS Documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html) as long as the Lambda is not imported.

See [Overview of the Lambda Rotation Function](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html) on how to implement a Lambda Rotation Function.

### Using a Hosted Lambda Function
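Review bot: deleting the note removes the only place this README told users of a self-managed rotation Lambda what permissions it needs. Rather than drop the sentence, replace it with its inverse: that the caller must grant `secretsmanager.amazonaws.com` `lambda:InvokeFunction` on the function and give the function's role access to the secret, and keep the link to https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html, which remains the authoritative list. As the hunk stands, the only remaining pointer is the next paragraph's link to the rotation function overview, which covers the handler contract, not IAM.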
30 changes: 0 additions & 30 deletions packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts
@@ -1,5 +1,4 @@
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';
import { Duration, Resource, Stack } from '@aws-cdk/core';
import { Construct } from 'constructs';
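Review bot: removing `import * as iam from '@aws-cdk/aws-iam';` is only safe if the block removed in the next hunk held the last references to `iam` in this file; that hunk drops `iam.ServicePrincipal` and `iam.PolicyStatement`, but any use outside the shown context would now fail to compile. The package build will catch it, but it is worth a glance since the `ec2` and `lambda` imports stay.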
Expand Down Expand Up @@ -71,35 +70,6 @@ export class RotationSchedule extends Resource {
throw new Error('One of `rotationLambda` or `hostedRotation` must be specified.');
}

if (props.rotationLambda?.permissionsNode.defaultChild) {
props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));

props.rotationLambda.addToRolePolicy(
new iam.PolicyStatement({
actions: [
'secretsmanager:DescribeSecret',
'secretsmanager:GetSecretValue',
'secretsmanager:PutSecretValue',
'secretsmanager:UpdateSecretVersionStage',
],
resources: [props.secret.secretArn],
conditions: {
StringEquals: {
'secretsmanager:resource/AllowRotationLambdaArn': props.rotationLambda.functionArn,
},
},
}),
);
props.rotationLambda.addToRolePolicy(
new iam.PolicyStatement({
actions: [
'secretsmanager:GetRandomPassword',
],
resources: ['*'],
}),
);
}

new CfnRotationSchedule(this, 'Resource', {
secretId: props.secret.secretArn,
rotationLambdaArn: props.rotationLambda?.functionArn,
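Review bot: the revert removes the grants outright rather than narrowing them, and nothing in the constructor now tells a caller passing `rotationLambda` that they own the permissions. If the `rotationLambda` prop's doc comment does not already say so, it should state that the caller must grant `secretsmanager.amazonaws.com` invoke on the function and give its role `secretsmanager:DescribeSecret`, `GetSecretValue`, `PutSecretValue` and `UpdateSecretVersionStage` on the secret. The removed statement is the right template for that guidance: it was scoped to `props.secret.secretArn` and conditioned on `'secretsmanager:resource/AllowRotationLambdaArn': props.rotationLambda.functionArn`, so the role can only touch a secret that has been configured for rotation with that exact Lambda. Users re-adding the policy by hand should keep that condition instead of granting the actions unconditionally, and the `permissionsNode.defaultChild` guard that skipped imported functions is worth keeping if the grants are ever restored.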
Original file line number Diff line number Diff line change
Expand Up @@ -41,75 +41,6 @@ test('create a rotation schedule with a rotation Lambda', () => {
});
});

test('assign permissions for rotation schedule with a rotation Lambda', () => {
// GIVEN
const secret = new secretsmanager.Secret(stack, 'Secret');
const rotationLambda = new lambda.Function(stack, 'Lambda', {
runtime: lambda.Runtime.NODEJS_10_X,
code: lambda.Code.fromInline('export.handler = event => event;'),
handler: 'index.handler',
});

// WHEN
new secretsmanager.RotationSchedule(stack, 'RotationSchedule', {
secret,
rotationLambda,
});

// THEN
expect(stack).toHaveResource('AWS::Lambda::Permission', {
Action: 'lambda:InvokeFunction',
FunctionName: {
'Fn::GetAtt': [
'LambdaD247545B',
'Arn',
],
},
Principal: 'secretsmanager.amazonaws.com',
});

expect(stack).toHaveResource('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: [
'secretsmanager:DescribeSecret',
'secretsmanager:GetSecretValue',
'secretsmanager:PutSecretValue',
'secretsmanager:UpdateSecretVersionStage',
],
Effect: 'Allow',
Resource: {
Ref: 'SecretA720EF05',
},
Condition: {
StringEquals: {
'secretsmanager:resource/AllowRotationLambdaArn': {
'Fn::GetAtt': [
'LambdaD247545B',
'Arn',
],
},
},
},
},
{
Action: 'secretsmanager:GetRandomPassword',
Effect: 'Allow',
Resource: '*',
},
],
Version: '2012-10-17',
},
PolicyName: 'LambdaServiceRoleDefaultPolicyDAE46E21',
Roles: [
{
Ref: 'LambdaServiceRoleA8ED4D3B',
},
],
});
});

describe('hosted rotation', () => {
test('single user not in a vpc', () => {
// GIVEN
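Review bot: removing `assign permissions for rotation schedule with a rotation Lambda` leaves the reverted behaviour unpinned, so a later change could silently reintroduce the grants, or half of them. Add a negative case next to `create a rotation schedule with a rotation Lambda` asserting `expect(stack).not.toHaveResource('AWS::Lambda::Permission', { Principal: 'secretsmanager.amazonaws.com' })` and likewise that no `AWS::IAM::Policy` granting `secretsmanager:GetSecretValue` is attached to the function's role.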
2 changes: 1 addition & 1 deletion version.v1.json
@@ -1,3 +1,3 @@
{
"version": "1.106.0"
"version": "1.106.1"
}
