feat(client-docdb): Support AWS Secret Manager managed password for A…

…WS DocumentDB instance-based cluster.
aws · Dec 20, 2024 · ba90110 · ba90110
1 parent fb7afd4
commit ba90110
Show file tree

Hide file tree

Showing 12 changed files with 284 additions and 6 deletions.
diff --git a/clients/client-docdb/src/commands/CreateDBClusterCommand.ts b/clients/client-docdb/src/commands/CreateDBClusterCommand.ts
@@ -68,6 +68,8 @@ export interface CreateDBClusterCommandOutput extends CreateDBClusterResult, __M
  *   DeletionProtection: true || false,
  *   GlobalClusterIdentifier: "STRING_VALUE",
  *   StorageType: "STRING_VALUE",
+ *   ManageMasterUserPassword: true || false,
+ *   MasterUserSecretKmsKeyId: "STRING_VALUE",
  * };
  * const command = new CreateDBClusterCommand(input);
  * const response = await client.send(command);
@@ -129,6 +131,11 @@ export interface CreateDBClusterCommandOutput extends CreateDBClusterResult, __M
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts b/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts
@@ -101,6 +101,11 @@ export interface DeleteDBClusterCommandOutput extends DeleteDBClusterResult, __M
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts b/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts
@@ -115,6 +115,11 @@ export interface DescribeDBClustersCommandOutput extends DBClusterMessage, __Met
  * //       ],
  * //       DeletionProtection: true || false,
  * //       StorageType: "STRING_VALUE",
+ * //       MasterUserSecret: { // ClusterMasterUserSecret
+ * //         SecretArn: "STRING_VALUE",
+ * //         SecretStatus: "STRING_VALUE",
+ * //         KmsKeyId: "STRING_VALUE",
+ * //       },
  * //     },
  * //   ],
  * // };

diff --git a/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts b/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts
@@ -101,6 +101,11 @@ export interface FailoverDBClusterCommandOutput extends FailoverDBClusterResult,
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts b/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts
@@ -62,6 +62,9 @@ export interface ModifyDBClusterCommandOutput extends ModifyDBClusterResult, __M
  *   AllowMajorVersionUpgrade: true || false,
  *   DeletionProtection: true || false,
  *   StorageType: "STRING_VALUE",
+ *   ManageMasterUserPassword: true || false,
+ *   MasterUserSecretKmsKeyId: "STRING_VALUE",
+ *   RotateMasterUserPassword: true || false,
  * };
  * const command = new ModifyDBClusterCommand(input);
  * const response = await client.send(command);
@@ -123,6 +126,11 @@ export interface ModifyDBClusterCommandOutput extends ModifyDBClusterResult, __M
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts b/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts
@@ -126,6 +126,11 @@ export interface RestoreDBClusterFromSnapshotCommandOutput
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts b/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts
@@ -128,6 +128,11 @@ export interface RestoreDBClusterToPointInTimeCommandOutput
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/StartDBClusterCommand.ts b/clients/client-docdb/src/commands/StartDBClusterCommand.ts
@@ -100,6 +100,11 @@ export interface StartDBClusterCommandOutput extends StartDBClusterResult, __Met
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/commands/StopDBClusterCommand.ts b/clients/client-docdb/src/commands/StopDBClusterCommand.ts
@@ -101,6 +101,11 @@ export interface StopDBClusterCommandOutput extends StopDBClusterResult, __Metad
  * //     ],
  * //     DeletionProtection: true || false,
  * //     StorageType: "STRING_VALUE",
+ * //     MasterUserSecret: { // ClusterMasterUserSecret
+ * //       SecretArn: "STRING_VALUE",
+ * //       SecretStatus: "STRING_VALUE",
+ * //       KmsKeyId: "STRING_VALUE",
+ * //     },
  * //   },
  * // };
  *

diff --git a/clients/client-docdb/src/models/models_0.ts b/clients/client-docdb/src/models/models_0.ts
@@ -1222,6 +1222,26 @@ export interface CreateDBClusterMessage {
    * @public
    */
   StorageType?: string | undefined;
+
+  /**
+   * <p>Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.</p>
+   *          <p>Constraint: You can't manage the master user password with Amazon Web Services Secrets Manager if <code>MasterUserPassword</code> is specified.</p>
+   * @public
+   */
+  ManageMasterUserPassword?: boolean | undefined;
+
+  /**
+   * <p>The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.
+   *             This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the DB cluster.</p>
+   *          <p>The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
+   *             To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.</p>
+   *          <p>If you don't specify <code>MasterUserSecretKmsKeyId</code>, then the <code>aws/secretsmanager</code> KMS key is used to encrypt the secret.
+   *             If the secret is in a different Amazon Web Services account, then you can't use the <code>aws/secretsmanager</code> KMS key to encrypt the secret, and you must use a customer managed KMS key.</p>
+   *          <p>There is a default KMS key for your Amazon Web Services account.
+   *             Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.</p>
+   * @public
+   */
+  MasterUserSecretKmsKeyId?: string | undefined;
 }
 
 /**
@@ -1291,6 +1311,48 @@ export interface DBClusterMember {
   PromotionTier?: number | undefined;
 }
 
+/**
+ * <p>Contains the secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.</p>
+ * @public
+ */
+export interface ClusterMasterUserSecret {
+  /**
+   * <p>The Amazon Resource Name (ARN) of the secret.</p>
+   * @public
+   */
+  SecretArn?: string | undefined;
+
+  /**
+   * <p>The status of the secret.</p>
+   *          <p>The possible status values include the following:</p>
+   *          <ul>
+   *             <li>
+   *                <p>creating - The secret is being created.</p>
+   *             </li>
+   *             <li>
+   *                <p>active - The secret is available for normal use and rotation.</p>
+   *             </li>
+   *             <li>
+   *                <p>rotating - The secret is being rotated.</p>
+   *             </li>
+   *             <li>
+   *                <p>impaired - The secret can be used to access database credentials, but it can't be rotated.
+   *                 A secret might have this status if, for example, permissions are changed so that Amazon DocumentDB can no longer access either the secret or the KMS key for the secret.</p>
+   *                <p>When a secret has this status, you can correct the condition that caused the status.
+   *                     Alternatively, modify the instance to turn off automatic management of database credentials, and then modify the instance again to turn on automatic management of database credentials.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  SecretStatus?: string | undefined;
+
+  /**
+   * <p>The Amazon Web Services KMS key identifier that is used to encrypt the secret.</p>
+   * @public
+   */
+  KmsKeyId?: string | undefined;
+}
+
 /**
  * <p>Used as a response element for queries on virtual private cloud (VPC) security group
  *             membership.</p>
@@ -1534,6 +1596,12 @@ export interface DBCluster {
    * @public
    */
   StorageType?: string | undefined;
+
+  /**
+   * <p>The secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.</p>
+   * @public
+   */
+  MasterUserSecret?: ClusterMasterUserSecret | undefined;
 }
 
 /**
@@ -5380,6 +5448,47 @@ export interface ModifyDBClusterMessage {
    * @public
    */
   StorageType?: string | undefined;
+
+  /**
+   * <p>Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.
+   *             If the cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management.
+   *             In this case, you can't specify <code>MasterUserPassword</code>.
+   *             If the cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the master user password is not managed with Amazon Web Services Secrets Manager, then you must specify <code>MasterUserPassword</code>.
+   *             In this case, Amazon DocumentDB deletes the secret and uses the new password for the master user specified by <code>MasterUserPassword</code>.</p>
+   * @public
+   */
+  ManageMasterUserPassword?: boolean | undefined;
+
+  /**
+   * <p>The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.</p>
+   *          <p>This setting is valid only if both of the following conditions are met:</p>
+   *          <ul>
+   *             <li>
+   *                <p>The cluster doesn't manage the master user password in Amazon Web Services Secrets Manager.
+   *                 If the cluster already manages the master user password in Amazon Web Services Secrets Manager, you can't change the KMS key that is used to encrypt the secret.</p>
+   *             </li>
+   *             <li>
+   *                <p>You are enabling <code>ManageMasterUserPassword</code> to manage the master user password in Amazon Web Services Secrets Manager.
+   *                 If you are turning on <code>ManageMasterUserPassword</code> and don't specify <code>MasterUserSecretKmsKeyId</code>, then the <code>aws/secretsmanager</code> KMS key is used to encrypt the secret.
+   *                 If the secret is in a different Amazon Web Services account, then you can't use the <code>aws/secretsmanager</code> KMS key to encrypt the secret, and you must use a customer managed KMS key.</p>
+   *             </li>
+   *          </ul>
+   *          <p>The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
+   *             To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.</p>
+   *          <p>There is a default KMS key for your Amazon Web Services account.
+   *             Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.</p>
+   * @public
+   */
+  MasterUserSecretKmsKeyId?: string | undefined;
+
+  /**
+   * <p>Specifies whether to rotate the secret managed by Amazon Web Services Secrets Manager for the master user password.</p>
+   *          <p>This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the cluster.
+   *             The secret value contains the updated password.</p>
+   *          <p>Constraint: You must apply the change immediately when rotating the master user password.</p>
+   * @public
+   */
+  RotateMasterUserPassword?: boolean | undefined;
 }
 
 /**

diff --git a/clients/client-docdb/src/protocols/Aws_query.ts b/clients/client-docdb/src/protocols/Aws_query.ts
@@ -216,6 +216,7 @@ import {
   CertificateMessage,
   CertificateNotFoundFault,
   CloudwatchLogsExportConfiguration,
+  ClusterMasterUserSecret,
   CopyDBClusterParameterGroupMessage,
   CopyDBClusterParameterGroupResult,
   CopyDBClusterSnapshotMessage,
@@ -3801,6 +3802,12 @@ const se_CreateDBClusterMessage = (input: CreateDBClusterMessage, context: __Ser
   if (input[_ST] != null) {
     entries[_ST] = input[_ST];
   }
+  if (input[_MMUP] != null) {
+    entries[_MMUP] = input[_MMUP];
+  }
+  if (input[_MUSKKI] != null) {
+    entries[_MUSKKI] = input[_MUSKKI];
+  }
   return entries;
 };
 
@@ -4829,6 +4836,15 @@ const se_ModifyDBClusterMessage = (input: ModifyDBClusterMessage, context: __Ser
   if (input[_ST] != null) {
     entries[_ST] = input[_ST];
   }
+  if (input[_MMUP] != null) {
+    entries[_MMUP] = input[_MMUP];
+  }
+  if (input[_MUSKKI] != null) {
+    entries[_MUSKKI] = input[_MUSKKI];
+  }
+  if (input[_RMUP] != null) {
+    entries[_RMUP] = input[_RMUP];
+  }
   return entries;
 };
 
@@ -5599,6 +5615,23 @@ const de_CertificateNotFoundFault = (output: any, context: __SerdeContext): Cert
   return contents;
 };
 
+/**
+ * deserializeAws_queryClusterMasterUserSecret
+ */
+const de_ClusterMasterUserSecret = (output: any, context: __SerdeContext): ClusterMasterUserSecret => {
+  const contents: any = {};
+  if (output[_SA] != null) {
+    contents[_SA] = __expectString(output[_SA]);
+  }
+  if (output[_SS] != null) {
+    contents[_SS] = __expectString(output[_SS]);
+  }
+  if (output[_KKI] != null) {
+    contents[_KKI] = __expectString(output[_KKI]);
+  }
+  return contents;
+};
+
 /**
  * deserializeAws_queryCopyDBClusterParameterGroupResult
  */
@@ -5820,6 +5853,9 @@ const de_DBCluster = (output: any, context: __SerdeContext): DBCluster => {
   if (output[_ST] != null) {
     contents[_ST] = __expectString(output[_ST]);
   }
+  if (output[_MUS] != null) {
+    contents[_MUS] = de_ClusterMasterUserSecret(output[_MUS], context);
+  }
   return contents;
 };
 
@@ -6784,8 +6820,8 @@ const de_Event = (output: any, context: __SerdeContext): Event => {
   if (output[_Da] != null) {
     contents[_Da] = __expectNonNull(__parseRfc3339DateTimeWithOffset(output[_Da]));
   }
-  if (output[_SA] != null) {
-    contents[_SA] = __expectString(output[_SA]);
+  if (output[_SAo] != null) {
+    contents[_SAo] = __expectString(output[_SAo]);
   }
   return contents;
 };
@@ -7898,8 +7934,8 @@ const de_Subnet = (output: any, context: __SerdeContext): Subnet => {
   if (output[_SAZ] != null) {
     contents[_SAZ] = de_AvailabilityZone(output[_SAZ], context);
   }
-  if (output[_SS] != null) {
-    contents[_SS] = __expectString(output[_SS]);
+  if (output[_SSu] != null) {
+    contents[_SSu] = __expectString(output[_SSu]);
   }
   return contents;
 };
@@ -8294,9 +8330,12 @@ const _MDBSG = "ModifyDBSubnetGroup";
 const _MES = "ModifyEventSubscription";
 const _MEV = "MinimumEngineVersion";
 const _MGC = "ModifyGlobalCluster";
+const _MMUP = "ManageMasterUserPassword";
 const _MR = "MaxRecords";
 const _MU = "MasterUsername";
 const _MUP = "MasterUserPassword";
+const _MUS = "MasterUserSecret";
+const _MUSKKI = "MasterUserSecretKmsKeyId";
 const _Me = "Message";
 const _N = "Name";
 const _NDBCI = "NewDBClusterIdentifier";
@@ -8335,6 +8374,7 @@ const _RDBI = "RebootDBInstance";
 const _RE = "ReaderEndpoint";
 const _RFGC = "RemoveFromGlobalCluster";
 const _RI = "ResourceIdentifier";
+const _RMUP = "RotateMasterUserPassword";
 const _RN = "ResourceName";
 const _RPMA = "ResourcePendingMaintenanceActions";
 const _RRI = "ReadReplicaIdentifiers";
@@ -8345,8 +8385,9 @@ const _RT = "RestoreType";
 const _RTFR = "RemoveTagsFromResource";
 const _RTT = "RestoreToTime";
 const _S = "Source";
-const _SA = "SourceArn";
+const _SA = "SecretArn";
 const _SAZ = "SubnetAvailabilityZone";
+const _SAo = "SourceArn";
 const _SCACI = "SupportedCACertificateIdentifiers";
 const _SCRWR = "SupportsCertificateRotationWithoutRestart";
 const _SCT = "SnapshotCreateTime";
@@ -8371,7 +8412,8 @@ const _SIu = "SubnetIds";
 const _SIub = "SubnetIdentifier";
 const _SLETCL = "SupportsLogExportsToCloudwatchLogs";
 const _SN = "SubscriptionName";
-const _SS = "SubnetStatus";
+const _SS = "SecretStatus";
+const _SSu = "SubnetStatus";
 const _ST = "StorageType";
 const _STA = "SnsTopicArn";
 const _STn = "SnapshotType";