Skip to content

Commit 7dd8b7e

Browse files
mrgrainmrgrain
authored
fix(secretsmanager): secret resource policy already exists in stack (under feature flag) (#24365)
The issue is prevalent with Database clusters, e.g. when a secret with a rotation is used and a grantee is granted access to the db cluster. The root cause of this issue is the Cluster's use of a SecretAttachmentTarget to replace the original secret. This is allowed, since SecretAttachmentTarget do implement the ISecret interface. When policy statements are added, a new resource policy is created using the SecretAttachmentTarget ARN. This only works because in CloudFormation SecretAttachmentTarget returns the ARN of the Secret. However a secret can only have a single resource policy. The above scenario leads to a policy being created for the Secret and one for the SecretAttachmentTarget. Which is then (correctly) rejected by CloudFormation. The fix is to forward any policy changes on the SecretAttachmentTarget to the attached secret. Fixes #24383 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 3b251a5 commit 7dd8b7e

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

43 files changed

+1589
-421
lines changed

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-docdb-cluster-rotation.assets.json

+3-3
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,15 @@
11
{
2-
"version": "20.0.0",
2+
"version": "30.1.0",
33
"files": {
4-
"16960a7525b0e7f3fc99af30374461429f32d815db45bab3e136c4a994140575": {
4+
"ffa0280c20139b5a0ec753fdb4365af29fb08ea9703b9139810054417bc99c10": {
55
"source": {
66
"path": "aws-cdk-docdb-cluster-rotation.template.json",
77
"packaging": "file"
88
},
99
"destinations": {
1010
"current_account-current_region": {
1111
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12-
"objectKey": "16960a7525b0e7f3fc99af30374461429f32d815db45bab3e136c4a994140575.json",
12+
"objectKey": "ffa0280c20139b5a0ec753fdb4365af29fb08ea9703b9139810054417bc99c10.json",
1313
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
1414
}
1515
}

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-docdb-cluster-rotation.template.json

+2-2
Original file line numberDiff line numberDiff line change
@@ -508,7 +508,7 @@
508508
}
509509
}
510510
},
511-
"DatabaseSecretAttachmentPolicy5ACFE6CA": {
511+
"DatabaseSecretPolicyEE73D3F8": {
512512
"Type": "AWS::SecretsManager::ResourcePolicy",
513513
"Properties": {
514514
"ResourcePolicy": {
@@ -540,7 +540,7 @@
540540
"Version": "2012-10-17"
541541
},
542542
"SecretId": {
543-
"Ref": "DatabaseSecretAttachmentE5D1B020"
543+
"Ref": "DatabaseSecret3B817195"
544544
}
545545
}
546546
},

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/cdk.out

+1-1
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{"version":"20.0.0"}
1+
{"version":"30.1.0"}

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/integ.json

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
{
2-
"version": "20.0.0",
2+
"version": "30.1.0",
33
"testCases": {
44
"integ.cluster-rotation.lit": {
55
"stacks": [

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/manifest.json

+19-10
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,6 @@
11
{
2-
"version": "20.0.0",
2+
"version": "30.1.0",
33
"artifacts": {
4-
"Tree": {
5-
"type": "cdk:tree",
6-
"properties": {
7-
"file": "tree.json"
8-
}
9-
},
104
"aws-cdk-docdb-cluster-rotation.assets": {
115
"type": "cdk:asset-manifest",
126
"properties": {
@@ -23,7 +17,7 @@
2317
"validateOnSynth": false,
2418
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
2519
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
26-
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/16960a7525b0e7f3fc99af30374461429f32d815db45bab3e136c4a994140575.json",
20+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffa0280c20139b5a0ec753fdb4365af29fb08ea9703b9139810054417bc99c10.json",
2721
"requiresBootstrapStackVersion": 6,
2822
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
2923
"additionalDependencies": [
@@ -213,10 +207,10 @@
213207
"data": "DatabaseSecretAttachmentRotationScheduleA4E9F034"
214208
}
215209
],
216-
"/aws-cdk-docdb-cluster-rotation/Database/Secret/Attachment/Policy/Resource": [
210+
"/aws-cdk-docdb-cluster-rotation/Database/Secret/Policy/Resource": [
217211
{
218212
"type": "aws:cdk:logicalId",
219-
"data": "DatabaseSecretAttachmentPolicy5ACFE6CA"
213+
"data": "DatabaseSecretPolicyEE73D3F8"
220214
}
221215
],
222216
"/aws-cdk-docdb-cluster-rotation/Database/Resource": [
@@ -260,9 +254,24 @@
260254
"type": "aws:cdk:logicalId",
261255
"data": "CheckBootstrapVersion"
262256
}
257+
],
258+
"DatabaseSecretAttachmentPolicy5ACFE6CA": [
259+
{
260+
"type": "aws:cdk:logicalId",
261+
"data": "DatabaseSecretAttachmentPolicy5ACFE6CA",
262+
"trace": [
263+
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
264+
]
265+
}
263266
]
264267
},
265268
"displayName": "aws-cdk-docdb-cluster-rotation"
269+
},
270+
"Tree": {
271+
"type": "cdk:tree",
272+
"properties": {
273+
"file": "tree.json"
274+
}
266275
}
267276
}
268277
}

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.js.snapshot/tree.json

+83-67
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,6 @@
44
"id": "App",
55
"path": "",
66
"children": {
7-
"Tree": {
8-
"id": "Tree",
9-
"path": "Tree",
10-
"constructInfo": {
11-
"fqn": "constructs.Construct",
12-
"version": "10.1.85"
13-
}
14-
},
157
"aws-cdk-docdb-cluster-rotation": {
168
"id": "aws-cdk-docdb-cluster-rotation",
179
"path": "aws-cdk-docdb-cluster-rotation",
@@ -91,8 +83,8 @@
9183
"id": "Acl",
9284
"path": "aws-cdk-docdb-cluster-rotation/VPC/PublicSubnet1/Acl",
9385
"constructInfo": {
94-
"fqn": "constructs.Construct",
95-
"version": "10.1.85"
86+
"fqn": "@aws-cdk/core.Resource",
87+
"version": "0.0.0"
9688
}
9789
},
9890
"RouteTable": {
@@ -258,8 +250,8 @@
258250
"id": "Acl",
259251
"path": "aws-cdk-docdb-cluster-rotation/VPC/PublicSubnet2/Acl",
260252
"constructInfo": {
261-
"fqn": "constructs.Construct",
262-
"version": "10.1.85"
253+
"fqn": "@aws-cdk/core.Resource",
254+
"version": "0.0.0"
263255
}
264256
},
265257
"RouteTable": {
@@ -425,8 +417,8 @@
425417
"id": "Acl",
426418
"path": "aws-cdk-docdb-cluster-rotation/VPC/PrivateSubnet1/Acl",
427419
"constructInfo": {
428-
"fqn": "constructs.Construct",
429-
"version": "10.1.85"
420+
"fqn": "@aws-cdk/core.Resource",
421+
"version": "0.0.0"
430422
}
431423
},
432424
"RouteTable": {
@@ -544,8 +536,8 @@
544536
"id": "Acl",
545537
"path": "aws-cdk-docdb-cluster-rotation/VPC/PrivateSubnet2/Acl",
546538
"constructInfo": {
547-
"fqn": "constructs.Construct",
548-
"version": "10.1.85"
539+
"fqn": "@aws-cdk/core.Resource",
540+
"version": "0.0.0"
549541
}
550542
},
551543
"RouteTable": {
@@ -850,64 +842,64 @@
850842
"fqn": "@aws-cdk/aws-secretsmanager.RotationSchedule",
851843
"version": "0.0.0"
852844
}
853-
},
854-
"Policy": {
855-
"id": "Policy",
856-
"path": "aws-cdk-docdb-cluster-rotation/Database/Secret/Attachment/Policy",
857-
"children": {
858-
"Resource": {
859-
"id": "Resource",
860-
"path": "aws-cdk-docdb-cluster-rotation/Database/Secret/Attachment/Policy/Resource",
861-
"attributes": {
862-
"aws:cdk:cloudformation:type": "AWS::SecretsManager::ResourcePolicy",
863-
"aws:cdk:cloudformation:props": {
864-
"resourcePolicy": {
865-
"Statement": [
866-
{
867-
"Action": "secretsmanager:DeleteSecret",
868-
"Effect": "Deny",
869-
"Principal": {
870-
"AWS": {
871-
"Fn::Join": [
872-
"",
873-
[
874-
"arn:",
875-
{
876-
"Ref": "AWS::Partition"
877-
},
878-
":iam::",
879-
{
880-
"Ref": "AWS::AccountId"
881-
},
882-
":root"
883-
]
884-
]
885-
}
886-
},
887-
"Resource": "*"
845+
}
846+
},
847+
"constructInfo": {
848+
"fqn": "@aws-cdk/aws-secretsmanager.SecretTargetAttachment",
849+
"version": "0.0.0"
850+
}
851+
},
852+
"Policy": {
853+
"id": "Policy",
854+
"path": "aws-cdk-docdb-cluster-rotation/Database/Secret/Policy",
855+
"children": {
856+
"Resource": {
857+
"id": "Resource",
858+
"path": "aws-cdk-docdb-cluster-rotation/Database/Secret/Policy/Resource",
859+
"attributes": {
860+
"aws:cdk:cloudformation:type": "AWS::SecretsManager::ResourcePolicy",
861+
"aws:cdk:cloudformation:props": {
862+
"resourcePolicy": {
863+
"Statement": [
864+
{
865+
"Action": "secretsmanager:DeleteSecret",
866+
"Effect": "Deny",
867+
"Principal": {
868+
"AWS": {
869+
"Fn::Join": [
870+
"",
871+
[
872+
"arn:",
873+
{
874+
"Ref": "AWS::Partition"
875+
},
876+
":iam::",
877+
{
878+
"Ref": "AWS::AccountId"
879+
},
880+
":root"
881+
]
882+
]
888883
}
889-
],
890-
"Version": "2012-10-17"
891-
},
892-
"secretId": {
893-
"Ref": "DatabaseSecretAttachmentE5D1B020"
884+
},
885+
"Resource": "*"
894886
}
895-
}
887+
],
888+
"Version": "2012-10-17"
896889
},
897-
"constructInfo": {
898-
"fqn": "@aws-cdk/aws-secretsmanager.CfnResourcePolicy",
899-
"version": "0.0.0"
890+
"secretId": {
891+
"Ref": "DatabaseSecret3B817195"
900892
}
901893
}
902894
},
903895
"constructInfo": {
904-
"fqn": "@aws-cdk/aws-secretsmanager.ResourcePolicy",
896+
"fqn": "@aws-cdk/aws-secretsmanager.CfnResourcePolicy",
905897
"version": "0.0.0"
906898
}
907899
}
908900
},
909901
"constructInfo": {
910-
"fqn": "@aws-cdk/aws-secretsmanager.SecretTargetAttachment",
902+
"fqn": "@aws-cdk/aws-secretsmanager.ResourcePolicy",
911903
"version": "0.0.0"
912904
}
913905
}
@@ -1025,8 +1017,8 @@
10251017
"id": "SARMapping",
10261018
"path": "aws-cdk-docdb-cluster-rotation/Database/RotationSingleUser/SARMapping",
10271019
"constructInfo": {
1028-
"fqn": "constructs.Construct",
1029-
"version": "10.1.85"
1020+
"fqn": "@aws-cdk/core.CfnMapping",
1021+
"version": "0.0.0"
10301022
}
10311023
},
10321024
"Resource": {
@@ -1120,17 +1112,41 @@
11201112
"fqn": "@aws-cdk/aws-docdb.DatabaseCluster",
11211113
"version": "0.0.0"
11221114
}
1115+
},
1116+
"BootstrapVersion": {
1117+
"id": "BootstrapVersion",
1118+
"path": "aws-cdk-docdb-cluster-rotation/BootstrapVersion",
1119+
"constructInfo": {
1120+
"fqn": "@aws-cdk/core.CfnParameter",
1121+
"version": "0.0.0"
1122+
}
1123+
},
1124+
"CheckBootstrapVersion": {
1125+
"id": "CheckBootstrapVersion",
1126+
"path": "aws-cdk-docdb-cluster-rotation/CheckBootstrapVersion",
1127+
"constructInfo": {
1128+
"fqn": "@aws-cdk/core.CfnRule",
1129+
"version": "0.0.0"
1130+
}
11231131
}
11241132
},
1133+
"constructInfo": {
1134+
"fqn": "@aws-cdk/core.Stack",
1135+
"version": "0.0.0"
1136+
}
1137+
},
1138+
"Tree": {
1139+
"id": "Tree",
1140+
"path": "Tree",
11251141
"constructInfo": {
11261142
"fqn": "constructs.Construct",
1127-
"version": "10.1.85"
1143+
"version": "10.1.252"
11281144
}
11291145
}
11301146
},
11311147
"constructInfo": {
1132-
"fqn": "constructs.Construct",
1133-
"version": "10.1.85"
1148+
"fqn": "@aws-cdk/core.App",
1149+
"version": "0.0.0"
11341150
}
11351151
}
11361152
}

packages/@aws-cdk/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.assets.json

+3-3
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,15 @@
11
{
2-
"version": "21.0.0",
2+
"version": "30.1.0",
33
"files": {
4-
"dfc2f8e8aa2f2f42357312f7f92524a12cb383c762b91eaecbbefb8ad8400f82": {
4+
"f1be03db0810455e897d5600a00d7d089273d1f89b9a319be25928bf241a9490": {
55
"source": {
66
"path": "aws-cdk-rds-cluster-rotation.template.json",
77
"packaging": "file"
88
},
99
"destinations": {
1010
"current_account-current_region": {
1111
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12-
"objectKey": "dfc2f8e8aa2f2f42357312f7f92524a12cb383c762b91eaecbbefb8ad8400f82.json",
12+
"objectKey": "f1be03db0810455e897d5600a00d7d089273d1f89b9a319be25928bf241a9490.json",
1313
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
1414
}
1515
}

0 commit comments

Comments
 (0)