fix(core): remove cdk.Secret (#2068)

`cdk.Secret` was left over from when we thought we were going to do secrets differently. Today, we model secret values as strings, which can be retrieved from one of these: - `ssm.ParameterStoreSecureString.stringValue` - `secretsmanager.SecretString.stringValue` - `cdk.CfnParameter.stringValue` (but don't do that, because the secret will be readable from CloudFormation logs) Fixes #2064. BREAKING CHANGE: Replace use of `cdk.Secret` with `secretsmanager.SecretString` (preferred) or `ssm.ParameterStoreSecureString`.
aws · Apr 1, 2019 · b53d04d · b53d04d
1 parent 4819ff4
commit b53d04d
Show file tree

Hide file tree

Showing 21 changed files with 87 additions and 164 deletions.
diff --git a/packages/@aws-cdk/alexa-ask/README.md b/packages/@aws-cdk/alexa-ask/README.md
@@ -2,4 +2,4 @@
 
 ```ts
 const alexaAsk = require('@aws-cdk/alexa-ask');
-```
+```
diff --git a/packages/@aws-cdk/app-delivery/test/integ.cicd.ts b/packages/@aws-cdk/app-delivery/test/integ.cicd.ts
@@ -17,7 +17,7 @@ const source = new cpactions.GitHubSourceAction({
   actionName: 'GitHub',
   owner: 'awslabs',
   repo: 'aws-cdk',
-  oauthToken: new cdk.Secret('DummyToken'),
+  oauthToken: cdk.Secret.plainText('DummyToken'),
   pollForSourceChanges: true,
   outputArtifactName: 'Artifact_CICDGitHubF8BA7ADD',
 });

diff --git a/...ws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package-lock.json b/...ws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package-lock.json
diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md
@@ -90,9 +90,9 @@ Example:
 const gitHubSource = new codebuild.GitHubSource({
   owner: 'awslabs',
   repo: 'aws-cdk',
-  oauthToken: new cdk.SecretParameter(this, 'GitHubOAuthToken', {
-    ssmParameter: 'my-github-token',
-  }).value,
+  oauthToken: new secretsmanager.SecretString(this, 'GitHubOAuthToken', {
+    secretId: 'my-github-token',
+  }).stringValue,
   webhook: true, // optional, default: false
 });
 ```

diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -213,7 +213,7 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
    * Note that you need to give CodeBuild permissions to your GitHub account in order for the token to work.
    * That is a one-time operation that can be done through the AWS Console for CodeBuild.
    */
-  readonly oauthToken: cdk.Secret;
+  readonly oauthToken: string;
 
   /**
    * Whether to create a webhook that will trigger a build every time a commit is pushed to the GitHub repository.
@@ -236,12 +236,13 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
 export class GitHubSource extends GitBuildSource {
   public readonly type: SourceType = SourceType.GitHub;
   private readonly httpsCloneUrl: string;
-  private readonly oauthToken: cdk.Secret;
+  private readonly oauthToken: string;
   private readonly reportBuildStatus: boolean;
   private readonly webhook?: boolean;
 
   constructor(props: GitHubSourceProps) {
     super(props);
+    cdk.Secret.assertSafeSecret(props.oauthToken, 'oauthToken');
     this.httpsCloneUrl = `https://github.com/${props.owner}/${props.repo}.git`;
     this.oauthToken = props.oauthToken;
     this.webhook = props.webhook;
@@ -277,7 +278,7 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
   /**
    * The OAuth token used to authenticate when cloning the git repository.
    */
-  readonly oauthToken: cdk.Secret;
+  readonly oauthToken: string;
 
   /**
    * Whether to ignore SSL errors when connecting to the repository.
@@ -293,11 +294,12 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
 export class GitHubEnterpriseSource extends GitBuildSource {
   public readonly type: SourceType = SourceType.GitHubEnterprise;
   private readonly httpsCloneUrl: string;
-  private readonly oauthToken: cdk.Secret;
+  private readonly oauthToken: string;
   private readonly ignoreSslErrors?: boolean;
 
   constructor(props: GitHubEnterpriseSourceProps) {
     super(props);
+    cdk.Secret.assertSafeSecret(props.oauthToken, 'oauthToken');
     this.httpsCloneUrl = props.httpsCloneUrl;
     this.oauthToken = props.oauthToken;
     this.ignoreSslErrors = props.ignoreSslErrors;

diff --git a/packages/@aws-cdk/aws-codebuild/test/test.project.ts b/packages/@aws-cdk/aws-codebuild/test/test.project.ts
@@ -58,7 +58,7 @@ export = {
           owner: 'testowner',
           repo: 'testrepo',
           cloneDepth: 3,
-          oauthToken: new cdk.Secret("test_oauth_token")
+          oauthToken: cdk.Secret.plainText("test_oauth_token"),
         })
       });
 
@@ -88,7 +88,7 @@ export = {
         source: new codebuild.GitHubSource({
           owner: 'testowner',
           repo: 'testrepo',
-          oauthToken: new cdk.Secret('test_oauth_token'),
+          oauthToken: cdk.Secret.plainText("test_oauth_token"),
           reportBuildStatus: false,
         })
       });
@@ -112,7 +112,7 @@ export = {
         source: new codebuild.GitHubSource({
           owner: 'testowner',
           repo: 'testrepo',
-          oauthToken: new cdk.Secret('test_oauth_token'),
+          oauthToken: cdk.Secret.plainText("test_oauth_token"),
           webhook: true,
         })
       });
@@ -138,7 +138,7 @@ export = {
         httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo',
         ignoreSslErrors: true,
         cloneDepth: 4,
-        oauthToken: new cdk.Secret("test_oauth_token")
+        oauthToken: cdk.Secret.plainText("test_oauth_token"),
       })
     });
 

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/alexa-ask/deploy-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/alexa-ask/deploy-action.ts
@@ -8,17 +8,17 @@ export interface AlexaSkillDeployActionProps extends codepipeline.CommonActionPr
   /**
    * The client id of the developer console token
    */
-  readonly clientId: cdk.Secret;
+  readonly clientId: string;
 
   /**
    * The client secret of the developer console token
    */
-  readonly clientSecret: cdk.Secret;
+  readonly clientSecret: string;
 
   /**
    * The refresh token of the developer console token
    */
-  readonly refreshToken: cdk.Secret;
+  readonly refreshToken: string;
 
   /**
    * The Alexa skill id
@@ -41,6 +41,9 @@ export interface AlexaSkillDeployActionProps extends codepipeline.CommonActionPr
  */
 export class AlexaSkillDeployAction extends codepipeline.DeployAction {
   constructor(props: AlexaSkillDeployActionProps) {
+    cdk.Secret.assertSafeSecret(props.clientSecret, 'clientSecret');
+    cdk.Secret.assertSafeSecret(props.refreshToken, 'refreshToken');
+
     super({
       ...props,
       artifactBounds: {

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/github/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/github/source-action.ts
@@ -31,13 +31,12 @@ export interface GitHubSourceActionProps extends codepipeline.CommonActionProps
   /**
    * A GitHub OAuth token to use for authentication.
    *
-   * It is recommended to use a `SecretParameter` to obtain the token from the SSM
-   * Parameter Store:
+   * It is recommended to use a Secrets Manager `SecretString` to obtain the token:
    *
-   *   const oauth = new cdk.SecretParameter(this, 'GitHubOAuthToken', { ssmParameter: 'my-github-token' });
+   *   const oauth = new secretsmanager.SecretString(this, 'GitHubOAuthToken', { secretId: 'my-github-token' });
    *   new GitHubSource(this, 'GitHubAction', { oauthToken: oauth.value, ... });
    */
-  readonly oauthToken: cdk.Secret;
+  readonly oauthToken: string;
 
   /**
    * Whether AWS CodePipeline should poll for source changes.
@@ -55,6 +54,8 @@ export class GitHubSourceAction extends codepipeline.SourceAction {
   private readonly props: GitHubSourceActionProps;
 
   constructor(props: GitHubSourceActionProps) {
+    cdk.Secret.assertSafeSecret(props.oauthToken, 'oauthToken');
+
     super({
       ...props,
       owner: 'ThirdParty',
@@ -77,7 +78,7 @@ export class GitHubSourceAction extends codepipeline.SourceAction {
       new codepipeline.CfnWebhook(info.scope, 'WebhookResource', {
         authentication: 'GITHUB_HMAC',
         authenticationConfiguration: {
-          secretToken: this.props.oauthToken.toString(),
+          secretToken: this.props.oauthToken,
         },
         filters: [
           {

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts
@@ -29,9 +29,9 @@ const deployStage = {
       actionName: 'DeploySkill',
       runOrder: 1,
       inputArtifact: sourceAction.outputArtifact,
-      clientId: new cdk.Secret('clientId'),
-      clientSecret: new cdk.Secret('clientSecret'),
-      refreshToken: new cdk.Secret('refreshToken'),
+      clientId: 'clientId',
+      clientSecret: cdk.Secret.plainText('clientSecret'),
+      refreshToken: cdk.Secret.plainText('refreshToken'),
       skillId: 'amzn1.ask.skill.12345678-1234-1234-1234-123456789012',
     }),
   ],

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/test.pipeline.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/test.pipeline.ts
@@ -68,7 +68,7 @@ export = {
   'github action uses ThirdParty owner'(test: Test) {
     const stack = new cdk.Stack();
 
-    const secret = new cdk.SecretParameter(stack, 'GitHubToken', { ssmParameter: 'my-token' });
+    const secret = new cdk.CfnParameter(stack, 'GitHubToken', { type: 'String', default: 'my-token' });
 
     const p = new codepipeline.Pipeline(stack, 'P');
 
@@ -80,7 +80,7 @@ export = {
           runOrder: 8,
           outputArtifactName: 'A',
           branch: 'branch',
-          oauthToken: secret.value,
+          oauthToken: secret.stringValue,
           owner: 'foo',
           repo: 'bar'
         }),
@@ -122,7 +122,7 @@ export = {
           "Repo": "bar",
           "Branch": "branch",
           "OAuthToken": {
-            "Ref": "GitHubTokenParameterBB166B9D"
+            "Ref": "GitHubToken"
           },
           "PollForSourceChanges": false
           },

diff --git a/packages/@aws-cdk/aws-lambda/package-lock.json b/packages/@aws-cdk/aws-lambda/package-lock.json
diff --git a/packages/@aws-cdk/aws-serverless/package-lock.json b/packages/@aws-cdk/aws-serverless/package-lock.json
diff --git a/packages/@aws-cdk/cdk/lib/index.ts b/packages/@aws-cdk/cdk/lib/index.ts
@@ -27,12 +27,11 @@ export * from './dynamic-reference';
 export * from './tag';
 export * from './removal-policy';
 export * from './arn';
-export * from './secret';
 
 export * from './app';
 export * from './context';
 export * from './environment';
 
 export * from './runtime';
-
-export * from './synthesis';
+export * from './secret';
+export * from './synthesis';
diff --git a/packages/@aws-cdk/cdk/lib/secret.ts b/packages/@aws-cdk/cdk/lib/secret.ts
@@ -1,94 +1,47 @@
-import { CfnParameter } from './cfn-parameter';
-import { Construct } from './construct';
-import { Token } from './token';
+import { Token } from "./token";
+import { unresolved } from "./unresolved";
 
 /**
- * A token that represents a value that's expected to be a secret, like
- * passwords and keys.
+ * Work with secret values in the CDK
  *
- * It is recommended to use the `SecretParameter` construct in order to import
- * secret values from the SSM Parameter Store instead of storing them in your
- * code.
+ * Secret values in the CDK (such as those retrieved from SecretsManager) are
+ * represented as regular strings, just like other values that are only
+ * available at deployment time.
  *
- * However, you can also just pass in values, like any other token: `new Secret('bla')`
+ * To help you avoid accidental mistakes which would lead to you putting your
+ * secret values directly into a CloudFormation template, constructs that take
+ * secret values will not allow you to pass in a literal secret value. They do
+ * so by calling `Secret.assertSafeSecret()`.
+ *
+ * You can escape the check by calling `Secret.plainTex()`, but doing
+ * so is highly discouraged.
  */
-export class Secret extends Token { }
-
-export interface SecretParameterProps {
-  /**
-   * The name of the SSM parameter where the secret value is stored.
-   */
-  readonly ssmParameter: string;
-
-  /**
-   * A string of up to 4000 characters that describes the parameter.
-   * @default No description
-   */
-  readonly description?: string;
-
-  /**
-   * A regular expression that represents the patterns to allow for String types.
-   */
-  readonly allowedPattern?: string;
-
-  /**
-   * An array containing the list of values allowed for the parameter.
-   */
-  readonly allowedValues?: string[];
-
+export class Secret {
   /**
-   * A string that explains a constraint when the constraint is violated.
-   * For example, without a constraint description, a parameter that has an allowed
-   * pattern of [A-Za-z0-9]+ displays the following error message when the user specifies
-   * an invalid value:
+   * Validate that a given secret value is not a literal
+   *
+   * If the value is a literal, throw an error.
    */
-  readonly constraintDescription?: string;
+  public static assertSafeSecret(secretValue: string, parameterName?: string) {
+    if (!unresolved(secretValue)) {
+      const theParameter = parameterName ? `'${parameterName}'` : 'The value';
 
-  /**
-   * An integer value that determines the largest number of characters you want to allow for String types.
-   */
-  readonly maxLength?: number;
+      // tslint:disable-next-line:max-line-length
+      throw new Error(`${theParameter} should be a secret. Store it in SecretsManager or Systems Manager Parameter Store and retrieve it from there. Secret.plainTex() can be used to bypass this check, but do so for testing purposes only.`);
+    }
+  }
 
   /**
-   * An integer value that determines the smallest number of characters you want to allow for String types.
+   * Construct a literal secret value for use with secret-aware constructs
+   *
+   * *Do not use this method for any secrets that you care about.*
+   *
+   * The only reasonable use case for using this method is when you are testing.
    */
-  readonly minLength?: number;
-}
-
-/**
- * Defines a secret value resolved from the Systems Manager (SSM) Parameter
- * Store during deployment. This is useful for referencing values that you do
- * not wish to include in your code base, such as secrets, passwords and keys.
- *
- * This construct will add a CloudFormation parameter to your template bound to
- * an SSM parameter (of type "AWS::SSM::Parameter::Value<String>"). Deployment
- * will fail if the value doesn't exist in the target environment.
- *
- * Important: For values other than secrets, prefer to use the
- * `SSMParameterProvider` which resolves SSM parameter in design-time, and
- * ensures that stack deployments are deterministic.
- */
-export class SecretParameter extends Construct {
-  /**
-   * The value of the secret parameter.
-   */
-  public value: Secret;
-
-  constructor(scope: Construct, id: string, props: SecretParameterProps) {
-    super(scope, id);
-
-    const param = new CfnParameter(this, 'Parameter', {
-      type: 'AWS::SSM::Parameter::Value<String>',
-      default: props.ssmParameter,
-      description: props.description,
-      allowedPattern: props.allowedPattern,
-      allowedValues: props.allowedValues,
-      constraintDescription: props.constraintDescription,
-      maxLength: props.maxLength,
-      minLength: props.minLength,
-      noEcho: true,
-    });
+  public static plainText(secret: string): string {
+    return new Token(() => secret).toString();
+  }
 
-    this.value = new Secret(param.ref);
+  private constructor() {
   }
-}
+}
diff --git a/packages/@aws-cdk/cdk/lib/token.ts b/packages/@aws-cdk/cdk/lib/token.ts
@@ -139,4 +139,4 @@ export interface IResolvedValuePostProcessor {
  */
 export function isResolvedValuePostProcessor(x: any): x is IResolvedValuePostProcessor {
   return x.postProcess !== undefined;
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,4 +2,4 @@ @@
     ```ts
     const alexaAsk = require('@aws-cdk/alexa-ask');
-    ```
+    ```