feat(secretsmanager): deletionPolicy for secretsmanager

We often store important values on secretsmanager.Secret. But, without DeletionPolicy(Retain), it can be deleted by human error. closes: aws#6527
winky · May 25, 2020 · cee70dc · cee70dc
1 parent 3fed84b
commit cee70dc
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -1,6 +1,6 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
-import { Construct, IResource, Resource, SecretValue, Stack } from '@aws-cdk/core';
+import { Construct, IResource, RemovalPolicy, Resource, SecretValue, Stack } from '@aws-cdk/core';
 import { ResourcePolicy } from './policy';
 import { RotationSchedule, RotationScheduleOptions } from './rotation-schedule';
 import * as secretsmanager from './secretsmanager.generated';
@@ -102,6 +102,13 @@ export interface SecretProps {
    * @default - A name is generated by CloudFormation.
    */
   readonly secretName?: string;
+
+  /**
+   * Policy to apply when the secret is removed from this stack.
+   *
+   * @default - Not set.
+   */
+  readonly removalPolicy?: RemovalPolicy;
 }
 
 /**
@@ -260,6 +267,10 @@ export class Secret extends SecretBase {
       name: this.physicalName,
     });
 
+    if (props.removalPolicy) {
+      resource.applyRemovalPolicy(props.removalPolicy);
+    }
+
     this.secretArn = this.getResourceArnAttribute(resource.ref, {
       service: 'secretsmanager',
       resource: 'secret',

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { expect, haveResource, haveResourceLike, ResourcePart } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
@@ -22,6 +22,25 @@ export = {
     test.done();
   },
 
+  'set removalPolicy to secret'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new secretsmanager.Secret(stack, 'Secret', {
+      removalPolicy: cdk.RemovalPolicy.RETAIN,
+    });
+
+    // THEN
+    expect(stack).to(haveResourceLike('AWS::SecretsManager::Secret',
+      {
+        DeletionPolicy: 'Retain',
+      }, ResourcePart.CompleteDefinition,
+    ));
+
+    test.done();
+  },
+
   'secret with kms'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();