Skip to content

Latest commit

 

History

History
1768 lines (1081 loc) · 59.5 KB

API.md

File metadata and controls

1768 lines (1081 loc) · 59.5 KB

API Reference

Constructs

SopsSecret

  • Implements: aws-cdk-lib.aws_secretsmanager.ISecret

A drop in replacement for the normal Secret, that is populated with the encrypted content of the given sops file.

Initializers 

import { SopsSecret } from 'cdk-sops-secrets'

new SopsSecret(scope: Construct, id: string, props: SopsSecretProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsSecretProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
addRotationSchedule Adds a rotation schedule to the secret.
addToResourcePolicy Adds a statement to the IAM resource policy associated with this secret.
applyRemovalPolicy Apply the given removal policy to this resource.
attach Attach a target to this secret.
currentVersionId Returns the current versionId that was created via the SopsSync.
denyAccountRootDelete Denies the DeleteSecret action to all principals within the current account.
grantRead Grants reading the secret value to some role.
grantWrite Grants writing and updating the secret value to some role.
secretValueFromJson Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString 
public toString(): string

Returns a string representation of this construct.

addRotationSchedule 
public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Adds a rotation schedule to the secret.

idRequired
  • Type: string
optionsRequired
  • Type: aws-cdk-lib.aws_secretsmanager.RotationScheduleOptions
addToResourcePolicy 
public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

statementRequired
  • Type: aws-cdk-lib.aws_iam.PolicyStatement
applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
attach 
public attach(target: ISecretAttachmentTarget): ISecret

Attach a target to this secret.

targetRequired
  • Type: aws-cdk-lib.aws_secretsmanager.ISecretAttachmentTarget
currentVersionId 
public currentVersionId(): string

Returns the current versionId that was created via the SopsSync.

denyAccountRootDelete 
public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.

grantRead 
public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Grants reading the secret value to some role.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
versionStagesOptional
  • Type: string[]
grantWrite 
public grantWrite(grantee: IGrantable): Grant

Grants writing and updating the secret value to some role.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
secretValueFromJson 
public secretValueFromJson(jsonField: string): SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

jsonFieldRequired
  • Type: string

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
secretArn string The ARN of the secret in AWS Secrets Manager.
secretName string The name of the secret.
secretValue aws-cdk-lib.SecretValue Retrieve the value of the stored secret as a SecretValue.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
sync SopsSync No description.
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key that is used to encrypt this secret, if any.
secretFullArn string The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

secretArnRequired 
public readonly secretArn: string;
  • Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

secretNameRequired 
public readonly secretName: string;
  • Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

secretValueRequired 
public readonly secretValue: SecretValue;
  • Type: aws-cdk-lib.SecretValue

Retrieve the value of the stored secret as a SecretValue.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

syncRequired 
public readonly sync: SopsSync;
encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

secretFullArnOptional 
public readonly secretFullArn: string;
  • Type: string

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

SopsSync

The custom resource, that is syncing the content from a sops file to a secret.

Initializers 

import { SopsSync } from 'cdk-sops-secrets'

new SopsSync(scope: Construct, id: string, props: SopsSyncProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsSyncProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { SopsSync } from 'cdk-sops-secrets'

SopsSync.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
converToJSON boolean Was the format converted to json?
flatten boolean Was the structure flattened?
sopsFileFormat string The format of the input file.
stringifiedValues boolean Were the values stringified?
versionId string The current versionId of the secret populated via this resource.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

converToJSONRequired 
public readonly converToJSON: boolean;
  • Type: boolean

Was the format converted to json?

flattenRequired 
public readonly flatten: boolean;
  • Type: boolean

Was the structure flattened?

sopsFileFormatRequired 
public readonly sopsFileFormat: string;
  • Type: string

The format of the input file.

stringifiedValuesRequired 
public readonly stringifiedValues: boolean;
  • Type: boolean

Were the values stringified?

versionIdRequired 
public readonly versionId: string;
  • Type: string

The current versionId of the secret populated via this resource.

SopsSyncProvider

  • Implements: aws-cdk-lib.aws_iam.IGrantable

Initializers 

import { SopsSyncProvider } from 'cdk-sops-secrets'

new SopsSyncProvider(scope: Construct, id?: string)
Name Type Description
scope constructs.Construct No description.
id string No description.
scopeRequired
  • Type: constructs.Construct
idOptional
  • Type: string

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addEventSource Adds an event source to this function.
addEventSourceMapping Adds an event source that maps to this AWS Lambda function.
addPermission Adds a permission to the Lambda resource policy.
addToRolePolicy Adds a statement to the IAM role assumed by the instance.
configureAsyncInvoke Configures options for asynchronous invocation.
grantInvoke Grant the given identity permissions to invoke this Lambda.
metric Return the given named metric for this Function.
metricDuration How long execution of this Lambda takes.
metricErrors How many invocations of this Lambda fail.
metricInvocations How often this Lambda is invoked.
metricThrottles How often this Lambda is throttled.
addDependency Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.
addEnvironment Adds an environment variable to this Lambda function.
addLayers Adds one or more Lambda Layers to this Lambda function.
dependOn The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.
addAgeKey No description.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
addEventSource 
public addEventSource(source: IEventSource): void

Adds an event source to this function.

Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.

The following example adds an SQS Queue as an event source:

import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
myFunction.addEventSource(new SqsEventSource(myQueue));
sourceRequired
  • Type: aws-cdk-lib.aws_lambda.IEventSource
addEventSourceMapping 
public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping

Adds an event source that maps to this AWS Lambda function.

idRequired
  • Type: string
optionsRequired
  • Type: aws-cdk-lib.aws_lambda.EventSourceMappingOptions
addPermission 
public addPermission(name: string, permission: Permission): void

Adds a permission to the Lambda resource policy.

nameRequired
  • Type: string
permissionRequired
  • Type: aws-cdk-lib.aws_lambda.Permission
addToRolePolicy 
public addToRolePolicy(statement: PolicyStatement): void

Adds a statement to the IAM role assumed by the instance.

statementRequired
  • Type: aws-cdk-lib.aws_iam.PolicyStatement
configureAsyncInvoke 
public configureAsyncInvoke(options: EventInvokeConfigOptions): void

Configures options for asynchronous invocation.

optionsRequired
  • Type: aws-cdk-lib.aws_lambda.EventInvokeConfigOptions
grantInvoke 
public grantInvoke(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
metric 
public metric(metricName: string, props?: MetricOptions): Metric

Return the given named metric for this Function.

metricNameRequired
  • Type: string
propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricDuration 
public metricDuration(props?: MetricOptions): Metric

How long execution of this Lambda takes.

Average over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricErrors 
public metricErrors(props?: MetricOptions): Metric

How many invocations of this Lambda fail.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricInvocations 
public metricInvocations(props?: MetricOptions): Metric

How often this Lambda is invoked.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricThrottles 
public metricThrottles(props?: MetricOptions): Metric

How often this Lambda is throttled.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
addDependency 
public addDependency(up: IDependable): void

Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.

upRequired
  • Type: constructs.IDependable
addEnvironment 
public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function

Adds an environment variable to this Lambda function.

If this is a ref to a Lambda function, this operation results in a no-op.

keyRequired
  • Type: string

The environment variable key.

valueRequired
  • Type: string

The environment variable's value.

optionsOptional
  • Type: aws-cdk-lib.aws_lambda.EnvironmentOptions

Environment variable options.

addLayers 
public addLayers(layers: ILayerVersion): void

Adds one or more Lambda Layers to this Lambda function.

layersRequired
  • Type: aws-cdk-lib.aws_lambda.ILayerVersion

the layers to be added.

dependOn 
public dependOn(down: IConstruct): void

The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.

downRequired
  • Type: constructs.IConstruct
addAgeKey 
public addAgeKey(key: SecretValue): void
keyRequired
  • Type: aws-cdk-lib.SecretValue

Static Functions

Name Description
isConstruct Checks if x is a construct.
isResource Check whether the given construct is a Resource.
isConstruct 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.

isResource 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
connections aws-cdk-lib.aws_ec2.Connections Access the Connections object.
functionArn string The ARN fo the function.
functionName string The name of the function.
grantPrincipal aws-cdk-lib.aws_iam.IPrincipal The principal this Lambda Function is running as.
isBoundToVpc boolean Whether or not this Lambda function was bound to a VPC.
latestVersion aws-cdk-lib.aws_lambda.IVersion The $LATEST version of this function.
permissionsNode constructs.Node The construct node where permissions are attached.
role aws-cdk-lib.aws_iam.IRole The IAM role associated with this function.
currentVersion aws-cdk-lib.aws_lambda.Version Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.
logGroup aws-cdk-lib.aws_logs.ILogGroup The LogGroup where the Lambda function's logs are made available.
runtime aws-cdk-lib.aws_lambda.Runtime The runtime environment for the Lambda function.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

connectionsRequired 
public readonly connections: Connections;
  • Type: aws-cdk-lib.aws_ec2.Connections

Access the Connections object.

Will fail if not a VPC-enabled Lambda Function

functionArnRequired 
public readonly functionArn: string;
  • Type: string

The ARN fo the function.

functionNameRequired 
public readonly functionName: string;
  • Type: string

The name of the function.

grantPrincipalRequired 
public readonly grantPrincipal: IPrincipal;
  • Type: aws-cdk-lib.aws_iam.IPrincipal

The principal this Lambda Function is running as.

isBoundToVpcRequired 
public readonly isBoundToVpc: boolean;
  • Type: boolean

Whether or not this Lambda function was bound to a VPC.

If this is is false, trying to access the connections object will fail.

latestVersionRequired 
public readonly latestVersion: IVersion;
  • Type: aws-cdk-lib.aws_lambda.IVersion

The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

permissionsNodeRequired 
public readonly permissionsNode: Node;
  • Type: constructs.Node

The construct node where permissions are attached.

roleOptional 
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole

The IAM role associated with this function.

Undefined if the function was imported without a role.

currentVersionRequired 
public readonly currentVersion: Version;
  • Type: aws-cdk-lib.aws_lambda.Version

Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.SingletonFunction.

logGroupRequired 
public readonly logGroup: ILogGroup;
  • Type: aws-cdk-lib.aws_logs.ILogGroup

The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.

runtimeRequired 
public readonly runtime: Runtime;
  • Type: aws-cdk-lib.aws_lambda.Runtime

The runtime environment for the Lambda function.

Structs

SopsSecretProps

The configuration options of the SopsSecret.

Initializer 

import { SopsSecretProps } from 'cdk-sops-secrets'

const sopsSecretProps: SopsSecretProps = { ... }

Properties

Name Type Description
description string An optional, human-friendly description of the secret.
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key to use for encrypting the secret value.
generateSecretString aws-cdk-lib.aws_secretsmanager.SecretStringGenerator Configuration for how to generate a secret value.
removalPolicy aws-cdk-lib.RemovalPolicy Policy to apply when the secret is removed from this stack.
replicaRegions aws-cdk-lib.aws_secretsmanager.ReplicaRegion[] A list of regions where to replicate this secret.
secretName string A name for the secret.
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
uploadType UploadType How should the secret be passed to the CustomResource?
descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: No description.

An optional, human-friendly description of the secret.

encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

generateSecretStringOptional 
public readonly generateSecretString: SecretStringGenerator;
  • Type: aws-cdk-lib.aws_secretsmanager.SecretStringGenerator
  • Default: 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values of SecretStringGenerator.

Configuration for how to generate a secret value.

removalPolicyOptional 
public readonly removalPolicy: RemovalPolicy;
  • Type: aws-cdk-lib.RemovalPolicy
  • Default: Not set.

Policy to apply when the secret is removed from this stack.

replicaRegionsOptional 
public readonly replicaRegions: ReplicaRegion[];
  • Type: aws-cdk-lib.aws_secretsmanager.ReplicaRegion[]
  • Default: Secret is not replicated

A list of regions where to replicate this secret.

secretNameOptional 
public readonly secretName: string;
  • Type: string
  • Default: A name is generated by CloudFormation.

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

SopsSyncOptions

Configuration options for the SopsSync.

Initializer 

import { SopsSyncOptions } from 'cdk-sops-secrets'

const sopsSyncOptions: SopsSyncOptions = { ... }

Properties

Name Type Description
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
uploadType UploadType How should the secret be passed to the CustomResource?
sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

SopsSyncProps

The configuration options extended by the target Secret.

Initializer 

import { SopsSyncProps } from 'cdk-sops-secrets'

const sopsSyncProps: SopsSyncProps = { ... }

Properties

Name Type Description
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
uploadType UploadType How should the secret be passed to the CustomResource?
secret aws-cdk-lib.aws_secretsmanager.ISecret The secret that will be populated with the encrypted sops file content.
sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

secretRequired 
public readonly secret: ISecret;
  • Type: aws-cdk-lib.aws_secretsmanager.ISecret

The secret that will be populated with the encrypted sops file content.

Enums

UploadType

Members

Name Description
INLINE Pass the secret data inline (base64 encoded and compressed).
ASSET Uplaod the secert data as asset.
INLINE

Pass the secret data inline (base64 encoded and compressed).

ASSET

Uplaod the secert data as asset.