-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: introduce SecretValue to represent secrets #2161
Conversation
The class `cdk.SecretValue` is a token that represents a value that should be treated as a secret. It can be created through one of the factory methods: `SecretValue.secretsManager(id)` or `SecretValue.plainText(text)`. Constructs that reference secrets have been converted to use this type instead of plain strings. The `secretsmanager.Secret` construct now has `secretValue` and `secretJsonValue` which return `SecretValue` objects with a dynamic reference. The `DynamicReference` class is now a `Token`. BREAKING CHANGE: The `secretsmanager.SecretString` class has been removed in favor of `cdk.SecretValue.secretsManager(id[, options])` The following prop types have been changed from `string` to `cdk.SecretValue`: `codepipeline-actions.AlexaSkillDeployAction.clientSecret`, `codepipeline-actions.AlexaSkillDeployAction.refreshToken`, `codepipeline-actions.GitHubSourceAction.oauthToken`, `iam.User.password` `secretsmanager.Secret.stringValue` and `jsonFieldValue` have been removed. Use `secretsmanage.Secret.secretValue` and `secretJsonValue` instead. `secretsmanager.Secret.secretString` have been removed. Use `cdk.SecretValue.secretsManager()` or `secretsmanager.Secret.import(..).secretValue`. The class `cdk.Secret` has been removed. Use `cdk.SecretValue` instead. The class `cdk.DynamicReference` is no longer a construct, and it's constructor signature was changed.
* @param secretId The ID or ARN of the secret | ||
* @param options Options | ||
*/ | ||
public static secretsManager(secretId: string, options: SecretsManagerSecretOptions = { }): SecretValue { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you're going to go the way of adding constructor functions here, then you should also add one for SSMPS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And it should kinda/sorta also be possible to use a NoEcho CfnParameter.
We shouldn't encourage it but it is something people can do today, and SecretsManager does cost money per secret per month.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yap adding that too. Enforcing NoEcho is a nice touch.
Hey @eladb, shouldn't this also be converted? |
* add `SecretValue.ssmSecure`. * add `SecretValue.cfnDynamicReference` * add `SecretValue.cfnParameter` BREAKING CHANGE: cdk.DynamicReference renamed to cdk.CfnDynamicReference.
The class `cdk.SecretValue` is a token that represents a value that should be treated as a secret. It can be created through one of the factory methods: `SecretValue.secretsManager(id)` or `SecretValue.plainText(text)`. Constructs that reference secrets have been converted to use this type instead of plain strings. The `secretsmanager.Secret` construct now has `secretValue` and `secretJsonValue` which return `SecretValue` objects with a dynamic reference. The `DynamicReference` class is now a `Token`. BREAKING CHANGE: The `secretsmanager.SecretString` class has been removed in favor of `cdk.SecretValue.secretsManager(id[, options])` The following prop types have been changed from `string` to `cdk.SecretValue`: `codepipeline-actions.AlexaSkillDeployAction.clientSecret`, `codepipeline-actions.AlexaSkillDeployAction.refreshToken`, `codepipeline-actions.GitHubSourceAction.oauthToken`, `iam.User.password` `secretsmanager.Secret.stringValue` and `jsonFieldValue` have been removed. Use `secretsmanage.Secret.secretValue` and `secretJsonValue` instead. `secretsmanager.Secret.secretString` have been removed. Use `cdk.SecretValue.secretsManager()` or `secretsmanager.Secret.import(..).secretValue`. The class `cdk.Secret` has been removed. Use `cdk.SecretValue` instead. The class `cdk.DynamicReference` is no longer a construct, and it's constructor signature was changed and was renamed `cdk.CfnDynamicReference`.
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
The class
cdk.SecretValue
is a token that represents a value that shouldbe treated as a secret. It can be created through one of the factory methods:
SecretValue.secretsManager(id)
orSecretValue.plainText(text)
.Constructs that reference secrets have been converted to use this type
instead of plain strings.
The
secretsmanager.Secret
construct now hassecretValue
andsecretJsonValue
which returnSecretValue
objects with a dynamic reference.The
DynamicReference
class is now aToken
.BREAKING CHANGE: The
secretsmanager.SecretString
class has been removed in favor ofcdk.SecretValue.secretsManager(id[, options])
The following prop types have been changed from
string
tocdk.SecretValue
:codepipeline-actions.AlexaSkillDeployAction.clientSecret
,codepipeline-actions.AlexaSkillDeployAction.refreshToken
,codepipeline-actions.GitHubSourceAction.oauthToken
,iam.User.password
secretsmanager.Secret.stringValue
andjsonFieldValue
have been removed. Usesecretsmanage.Secret.secretValue
andsecretJsonValue
instead.secretsmanager.Secret.secretString
have been removed. Usecdk.SecretValue.secretsManager()
orsecretsmanager.Secret.import(..).secretValue
.The class
cdk.Secret
has been removed. Usecdk.SecretValue
instead.The class
cdk.DynamicReference
is no longer a construct, and it'sconstructor signature was changed.
Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.