From ba9011074665efd86e2671e57099efbfd0e3547a Mon Sep 17 00:00:00 2001 From: awstools Date: Fri, 20 Dec 2024 19:13:27 +0000 Subject: [PATCH] feat(client-docdb): Support AWS Secret Manager managed password for AWS DocumentDB instance-based cluster. --- .../src/commands/CreateDBClusterCommand.ts | 7 ++ .../src/commands/DeleteDBClusterCommand.ts | 5 + .../src/commands/DescribeDBClustersCommand.ts | 5 + .../src/commands/FailoverDBClusterCommand.ts | 5 + .../src/commands/ModifyDBClusterCommand.ts | 8 ++ .../RestoreDBClusterFromSnapshotCommand.ts | 5 + .../RestoreDBClusterToPointInTimeCommand.ts | 5 + .../src/commands/StartDBClusterCommand.ts | 5 + .../src/commands/StopDBClusterCommand.ts | 5 + clients/client-docdb/src/models/models_0.ts | 109 ++++++++++++++++++ .../client-docdb/src/protocols/Aws_query.ts | 54 ++++++++- codegen/sdk-codegen/aws-models/docdb.json | 77 +++++++++++++ 12 files changed, 284 insertions(+), 6 deletions(-) diff --git a/clients/client-docdb/src/commands/CreateDBClusterCommand.ts b/clients/client-docdb/src/commands/CreateDBClusterCommand.ts index 7cd6f8159764..96b4f30018d0 100644 --- a/clients/client-docdb/src/commands/CreateDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/CreateDBClusterCommand.ts @@ -68,6 +68,8 @@ export interface CreateDBClusterCommandOutput extends CreateDBClusterResult, __M * DeletionProtection: true || false, * GlobalClusterIdentifier: "STRING_VALUE", * StorageType: "STRING_VALUE", + * ManageMasterUserPassword: true || false, + * MasterUserSecretKmsKeyId: "STRING_VALUE", * }; * const command = new CreateDBClusterCommand(input); * const response = await client.send(command); @@ -129,6 +131,11 @@ export interface CreateDBClusterCommandOutput extends CreateDBClusterResult, __M * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts b/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts index 5a3337171e44..75912a599e24 100644 --- a/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/DeleteDBClusterCommand.ts @@ -101,6 +101,11 @@ export interface DeleteDBClusterCommandOutput extends DeleteDBClusterResult, __M * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts b/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts index 91364b4f3eb5..4b154937ce09 100644 --- a/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts +++ b/clients/client-docdb/src/commands/DescribeDBClustersCommand.ts @@ -115,6 +115,11 @@ export interface DescribeDBClustersCommandOutput extends DBClusterMessage, __Met * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // ], * // }; diff --git a/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts b/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts index e363a90da2e6..0b6c495729a6 100644 --- a/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/FailoverDBClusterCommand.ts @@ -101,6 +101,11 @@ export interface FailoverDBClusterCommandOutput extends FailoverDBClusterResult, * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts b/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts index 0c565e507fdd..9d207a574df4 100644 --- a/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/ModifyDBClusterCommand.ts @@ -62,6 +62,9 @@ export interface ModifyDBClusterCommandOutput extends ModifyDBClusterResult, __M * AllowMajorVersionUpgrade: true || false, * DeletionProtection: true || false, * StorageType: "STRING_VALUE", + * ManageMasterUserPassword: true || false, + * MasterUserSecretKmsKeyId: "STRING_VALUE", + * RotateMasterUserPassword: true || false, * }; * const command = new ModifyDBClusterCommand(input); * const response = await client.send(command); @@ -123,6 +126,11 @@ export interface ModifyDBClusterCommandOutput extends ModifyDBClusterResult, __M * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts b/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts index e0673f9da4a1..698bb4b3e511 100644 --- a/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts +++ b/clients/client-docdb/src/commands/RestoreDBClusterFromSnapshotCommand.ts @@ -126,6 +126,11 @@ export interface RestoreDBClusterFromSnapshotCommandOutput * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts b/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts index 36f9cb1f9358..5a34dbc10804 100644 --- a/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts +++ b/clients/client-docdb/src/commands/RestoreDBClusterToPointInTimeCommand.ts @@ -128,6 +128,11 @@ export interface RestoreDBClusterToPointInTimeCommandOutput * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/StartDBClusterCommand.ts b/clients/client-docdb/src/commands/StartDBClusterCommand.ts index b6b8cc4fcfe8..eff23d83a1d5 100644 --- a/clients/client-docdb/src/commands/StartDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/StartDBClusterCommand.ts @@ -100,6 +100,11 @@ export interface StartDBClusterCommandOutput extends StartDBClusterResult, __Met * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/commands/StopDBClusterCommand.ts b/clients/client-docdb/src/commands/StopDBClusterCommand.ts index b87fc7961e52..167952e003c6 100644 --- a/clients/client-docdb/src/commands/StopDBClusterCommand.ts +++ b/clients/client-docdb/src/commands/StopDBClusterCommand.ts @@ -101,6 +101,11 @@ export interface StopDBClusterCommandOutput extends StopDBClusterResult, __Metad * // ], * // DeletionProtection: true || false, * // StorageType: "STRING_VALUE", + * // MasterUserSecret: { // ClusterMasterUserSecret + * // SecretArn: "STRING_VALUE", + * // SecretStatus: "STRING_VALUE", + * // KmsKeyId: "STRING_VALUE", + * // }, * // }, * // }; * diff --git a/clients/client-docdb/src/models/models_0.ts b/clients/client-docdb/src/models/models_0.ts index 36a01ce3e5b8..ac3c82610d62 100644 --- a/clients/client-docdb/src/models/models_0.ts +++ b/clients/client-docdb/src/models/models_0.ts @@ -1222,6 +1222,26 @@ export interface CreateDBClusterMessage { * @public */ StorageType?: string | undefined; + + /** + *

Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

Constraint: You can't manage the master user password with Amazon Web Services Secrets Manager if MasterUserPassword is specified.

+ * @public + */ + ManageMasterUserPassword?: boolean | undefined; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager. + * This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the DB cluster.

+ *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager KMS key is used to encrypt the secret. + * If the secret is in a different Amazon Web Services account, then you can't use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer managed KMS key.

+ *

There is a default KMS key for your Amazon Web Services account. + * Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

+ * @public + */ + MasterUserSecretKmsKeyId?: string | undefined; } /** @@ -1291,6 +1311,48 @@ export interface DBClusterMember { PromotionTier?: number | undefined; } +/** + *

Contains the secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.

+ * @public + */ +export interface ClusterMasterUserSecret { + /** + *

The Amazon Resource Name (ARN) of the secret.

+ * @public + */ + SecretArn?: string | undefined; + + /** + *

The status of the secret.

+ *

The possible status values include the following:

+ * + * @public + */ + SecretStatus?: string | undefined; + + /** + *

The Amazon Web Services KMS key identifier that is used to encrypt the secret.

+ * @public + */ + KmsKeyId?: string | undefined; +} + /** *

Used as a response element for queries on virtual private cloud (VPC) security group * membership.

@@ -1534,6 +1596,12 @@ export interface DBCluster { * @public */ StorageType?: string | undefined; + + /** + *

The secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.

+ * @public + */ + MasterUserSecret?: ClusterMasterUserSecret | undefined; } /** @@ -5380,6 +5448,47 @@ export interface ModifyDBClusterMessage { * @public */ StorageType?: string | undefined; + + /** + *

Specifies whether to manage the master user password with Amazon Web Services Secrets Manager. + * If the cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management. + * In this case, you can't specify MasterUserPassword. + * If the cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. + * In this case, Amazon DocumentDB deletes the secret and uses the new password for the master user specified by MasterUserPassword.

+ * @public + */ + ManageMasterUserPassword?: boolean | undefined; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if both of the following conditions are met:

+ * + *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

There is a default KMS key for your Amazon Web Services account. + * Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

+ * @public + */ + MasterUserSecretKmsKeyId?: string | undefined; + + /** + *

Specifies whether to rotate the secret managed by Amazon Web Services Secrets Manager for the master user password.

+ *

This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the cluster. + * The secret value contains the updated password.

+ *

Constraint: You must apply the change immediately when rotating the master user password.

+ * @public + */ + RotateMasterUserPassword?: boolean | undefined; } /** diff --git a/clients/client-docdb/src/protocols/Aws_query.ts b/clients/client-docdb/src/protocols/Aws_query.ts index d7960abfa9e0..78a6db9c09e8 100644 --- a/clients/client-docdb/src/protocols/Aws_query.ts +++ b/clients/client-docdb/src/protocols/Aws_query.ts @@ -216,6 +216,7 @@ import { CertificateMessage, CertificateNotFoundFault, CloudwatchLogsExportConfiguration, + ClusterMasterUserSecret, CopyDBClusterParameterGroupMessage, CopyDBClusterParameterGroupResult, CopyDBClusterSnapshotMessage, @@ -3801,6 +3802,12 @@ const se_CreateDBClusterMessage = (input: CreateDBClusterMessage, context: __Ser if (input[_ST] != null) { entries[_ST] = input[_ST]; } + if (input[_MMUP] != null) { + entries[_MMUP] = input[_MMUP]; + } + if (input[_MUSKKI] != null) { + entries[_MUSKKI] = input[_MUSKKI]; + } return entries; }; @@ -4829,6 +4836,15 @@ const se_ModifyDBClusterMessage = (input: ModifyDBClusterMessage, context: __Ser if (input[_ST] != null) { entries[_ST] = input[_ST]; } + if (input[_MMUP] != null) { + entries[_MMUP] = input[_MMUP]; + } + if (input[_MUSKKI] != null) { + entries[_MUSKKI] = input[_MUSKKI]; + } + if (input[_RMUP] != null) { + entries[_RMUP] = input[_RMUP]; + } return entries; }; @@ -5599,6 +5615,23 @@ const de_CertificateNotFoundFault = (output: any, context: __SerdeContext): Cert return contents; }; +/** + * deserializeAws_queryClusterMasterUserSecret + */ +const de_ClusterMasterUserSecret = (output: any, context: __SerdeContext): ClusterMasterUserSecret => { + const contents: any = {}; + if (output[_SA] != null) { + contents[_SA] = __expectString(output[_SA]); + } + if (output[_SS] != null) { + contents[_SS] = __expectString(output[_SS]); + } + if (output[_KKI] != null) { + contents[_KKI] = __expectString(output[_KKI]); + } + return contents; +}; + /** * deserializeAws_queryCopyDBClusterParameterGroupResult */ @@ -5820,6 +5853,9 @@ const de_DBCluster = (output: any, context: __SerdeContext): DBCluster => { if (output[_ST] != null) { contents[_ST] = __expectString(output[_ST]); } + if (output[_MUS] != null) { + contents[_MUS] = de_ClusterMasterUserSecret(output[_MUS], context); + } return contents; }; @@ -6784,8 +6820,8 @@ const de_Event = (output: any, context: __SerdeContext): Event => { if (output[_Da] != null) { contents[_Da] = __expectNonNull(__parseRfc3339DateTimeWithOffset(output[_Da])); } - if (output[_SA] != null) { - contents[_SA] = __expectString(output[_SA]); + if (output[_SAo] != null) { + contents[_SAo] = __expectString(output[_SAo]); } return contents; }; @@ -7898,8 +7934,8 @@ const de_Subnet = (output: any, context: __SerdeContext): Subnet => { if (output[_SAZ] != null) { contents[_SAZ] = de_AvailabilityZone(output[_SAZ], context); } - if (output[_SS] != null) { - contents[_SS] = __expectString(output[_SS]); + if (output[_SSu] != null) { + contents[_SSu] = __expectString(output[_SSu]); } return contents; }; @@ -8294,9 +8330,12 @@ const _MDBSG = "ModifyDBSubnetGroup"; const _MES = "ModifyEventSubscription"; const _MEV = "MinimumEngineVersion"; const _MGC = "ModifyGlobalCluster"; +const _MMUP = "ManageMasterUserPassword"; const _MR = "MaxRecords"; const _MU = "MasterUsername"; const _MUP = "MasterUserPassword"; +const _MUS = "MasterUserSecret"; +const _MUSKKI = "MasterUserSecretKmsKeyId"; const _Me = "Message"; const _N = "Name"; const _NDBCI = "NewDBClusterIdentifier"; @@ -8335,6 +8374,7 @@ const _RDBI = "RebootDBInstance"; const _RE = "ReaderEndpoint"; const _RFGC = "RemoveFromGlobalCluster"; const _RI = "ResourceIdentifier"; +const _RMUP = "RotateMasterUserPassword"; const _RN = "ResourceName"; const _RPMA = "ResourcePendingMaintenanceActions"; const _RRI = "ReadReplicaIdentifiers"; @@ -8345,8 +8385,9 @@ const _RT = "RestoreType"; const _RTFR = "RemoveTagsFromResource"; const _RTT = "RestoreToTime"; const _S = "Source"; -const _SA = "SourceArn"; +const _SA = "SecretArn"; const _SAZ = "SubnetAvailabilityZone"; +const _SAo = "SourceArn"; const _SCACI = "SupportedCACertificateIdentifiers"; const _SCRWR = "SupportsCertificateRotationWithoutRestart"; const _SCT = "SnapshotCreateTime"; @@ -8371,7 +8412,8 @@ const _SIu = "SubnetIds"; const _SIub = "SubnetIdentifier"; const _SLETCL = "SupportsLogExportsToCloudwatchLogs"; const _SN = "SubscriptionName"; -const _SS = "SubnetStatus"; +const _SS = "SecretStatus"; +const _SSu = "SubnetStatus"; const _ST = "StorageType"; const _STA = "SnsTopicArn"; const _STn = "SnapshotType"; diff --git a/codegen/sdk-codegen/aws-models/docdb.json b/codegen/sdk-codegen/aws-models/docdb.json index 94e7e58a0081..998feb34419c 100644 --- a/codegen/sdk-codegen/aws-models/docdb.json +++ b/codegen/sdk-codegen/aws-models/docdb.json @@ -1636,6 +1636,32 @@ "smithy.api#documentation": "

The configuration setting for the log types to be enabled for export to Amazon\n CloudWatch Logs for a specific instance or cluster.

\n

The EnableLogTypes and DisableLogTypes arrays determine\n which logs are exported (or not exported) to CloudWatch Logs. The values within these\n arrays depend on the engine that is being used.

" } }, + "com.amazonaws.docdb#ClusterMasterUserSecret": { + "type": "structure", + "members": { + "SecretArn": { + "target": "com.amazonaws.docdb#String", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the secret.

" + } + }, + "SecretStatus": { + "target": "com.amazonaws.docdb#String", + "traits": { + "smithy.api#documentation": "

The status of the secret.

\n

The possible status values include the following:

\n " + } + }, + "KmsKeyId": { + "target": "com.amazonaws.docdb#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier that is used to encrypt the secret.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains the secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.

" + } + }, "com.amazonaws.docdb#CopyDBClusterParameterGroup": { "type": "operation", "input": { @@ -1998,6 +2024,18 @@ "traits": { "smithy.api#documentation": "

The storage type to associate with the DB cluster.

\n

For information on storage types for Amazon DocumentDB clusters, see \n Cluster storage configurations in the Amazon DocumentDB Developer Guide.

\n

Valid values for storage type - standard | iopt1\n

\n

Default value is standard \n

\n \n

When you create a DocumentDB DB cluster with the storage type set to iopt1, the storage type is returned\n in the response. The storage type isn't returned when you set it to standard.

\n " } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.docdb#BooleanOptional", + "traits": { + "smithy.api#documentation": "

Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

Constraint: You can't manage the master user password with Amazon Web Services Secrets Manager if MasterUserPassword is specified.

" + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.docdb#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.\n This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the DB cluster.

\n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. \n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager KMS key is used to encrypt the secret. \n If the secret is in a different Amazon Web Services account, then you can't use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer managed KMS key.

\n

There is a default KMS key for your Amazon Web Services account. \n Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

" + } } }, "traits": { @@ -2792,6 +2830,12 @@ "traits": { "smithy.api#documentation": "

Storage type associated with your cluster

\n

Storage type associated with your cluster

\n

For information on storage types for Amazon DocumentDB clusters, see \n Cluster storage configurations in the Amazon DocumentDB Developer Guide.

\n

Valid values for storage type - standard | iopt1\n

\n

Default value is standard \n

" } + }, + "MasterUserSecret": { + "target": "com.amazonaws.docdb#ClusterMasterUserSecret", + "traits": { + "smithy.api#documentation": "

The secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.

" + } } }, "traits": { @@ -4789,6 +4833,21 @@ "pageSize": "MaxRecords" }, "smithy.api#suppress": ["WaitableTraitInvalidErrorType"], + "smithy.test#smokeTests": [ + { + "id": "DescribeDBInstancesFailure", + "params": { + "DBInstanceIdentifier": "fake-id" + }, + "vendorParams": { + "region": "us-west-2" + }, + "vendorParamsShape": "aws.test#AwsVendorParams", + "expect": { + "failure": {} + } + } + ], "smithy.waiters#waitable": { "DBInstanceAvailable": { "acceptors": [ @@ -6595,6 +6654,24 @@ "traits": { "smithy.api#documentation": "

The storage type to associate with the DB cluster.

\n

For information on storage types for Amazon DocumentDB clusters, see \n Cluster storage configurations in the Amazon DocumentDB Developer Guide.

\n

Valid values for storage type - standard | iopt1\n

\n

Default value is standard \n

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.docdb#BooleanOptional", + "traits": { + "smithy.api#documentation": "

Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.\n If the cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management. \n In this case, you can't specify MasterUserPassword.\n If the cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. \n In this case, Amazon DocumentDB deletes the secret and uses the new password for the master user specified by MasterUserPassword.

" + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.docdb#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if both of the following conditions are met:

\n \n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. \n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

There is a default KMS key for your Amazon Web Services account. \n Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

" + } + }, + "RotateMasterUserPassword": { + "target": "com.amazonaws.docdb#BooleanOptional", + "traits": { + "smithy.api#documentation": "

Specifies whether to rotate the secret managed by Amazon Web Services Secrets Manager for the master user password.

\n

This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the cluster. \n The secret value contains the updated password.

\n

Constraint: You must apply the change immediately when rotating the master user password.

" + } } }, "traits": {