Skip to content

Latest commit

 

History

History
2013 lines (1219 loc) · 68.6 KB

API.md

File metadata and controls

2013 lines (1219 loc) · 68.6 KB

API Reference

Constructs

SopsSecret

A drop in replacement for the normal Secret, that is populated with the encrypted content of the given sops file.

Initializers 

import { SopsSecret } from 'cdk-sops-secrets'

new SopsSecret(scope: Construct, id: string, props: SopsSecretProps)
Name Type Description
scope @aws-cdk/core.Construct No description.
id string No description.
props SopsSecretProps No description.
scopeRequired
  • Type: @aws-cdk/core.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addReplicaRegion Adds a replica region for the secret.
addRotationSchedule Adds a rotation schedule to the secret.
addTargetAttachment Adds a target attachment to the secret.
addToResourcePolicy Adds a statement to the IAM resource policy associated with this secret.
attach Attach a target to this secret.
denyAccountRootDelete Denies the DeleteSecret action to all principals within the current account.
grantRead Grants reading the secret value to some role.
grantWrite Grants writing and updating the secret value to some role.
secretValueFromJson Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: @aws-cdk/core.RemovalPolicy
addReplicaRegion 
public addReplicaRegion(region: string, encryptionKey?: IKey): void

Adds a replica region for the secret.

regionRequired
  • Type: string

The name of the region.

encryptionKeyOptional
  • Type: @aws-cdk/aws-kms.IKey

The customer-managed encryption key to use for encrypting the secret value.

addRotationSchedule 
public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Adds a rotation schedule to the secret.

idRequired
  • Type: string
optionsRequired
  • Type: @aws-cdk/aws-secretsmanager.RotationScheduleOptions
addTargetAttachment 
public addTargetAttachment(id: string, options: AttachedSecretOptions): SecretTargetAttachment

Adds a target attachment to the secret.

idRequired
  • Type: string
optionsRequired
  • Type: @aws-cdk/aws-secretsmanager.AttachedSecretOptions
addToResourcePolicy 
public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

statementRequired
  • Type: @aws-cdk/aws-iam.PolicyStatement
attach 
public attach(target: ISecretAttachmentTarget): ISecret

Attach a target to this secret.

targetRequired
  • Type: @aws-cdk/aws-secretsmanager.ISecretAttachmentTarget

The target to attach.

denyAccountRootDelete 
public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.

grantRead 
public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Grants reading the secret value to some role.

granteeRequired
  • Type: @aws-cdk/aws-iam.IGrantable
versionStagesOptional
  • Type: string[]
grantWrite 
public grantWrite(grantee: IGrantable): Grant

Grants writing and updating the secret value to some role.

granteeRequired
  • Type: @aws-cdk/aws-iam.IGrantable
secretValueFromJson 
public secretValueFromJson(jsonField: string): SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

jsonFieldRequired
  • Type: string

Static Functions

Name Description
isConstruct Return whether the given object is a Construct.
isResource Check whether the given construct is a Resource.
fromSecretArn No description.
fromSecretAttributes Import an existing secret into the Stack.
fromSecretCompleteArn Imports a secret by complete ARN.
fromSecretName Imports a secret by secret name;
fromSecretNameV2 Imports a secret by secret name.
fromSecretPartialArn Imports a secret by partial ARN.
isConstruct 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.isConstruct(x: any)

Return whether the given object is a Construct.

xRequired
  • Type: any
isResource 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: @aws-cdk/core.IConstruct
fromSecretArn 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretArn(scope: Construct, id: string, secretArn: string)
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
secretArnRequired
  • Type: string
fromSecretAttributes 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretAttributes(scope: Construct, id: string, attrs: SecretAttributes)

Import an existing secret into the Stack.

scopeRequired
  • Type: constructs.Construct

the scope of the import.

idRequired
  • Type: string

the ID of the imported Secret in the construct tree.

attrsRequired
  • Type: @aws-cdk/aws-secretsmanager.SecretAttributes

the attributes of the imported secret.

fromSecretCompleteArn 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string)

Imports a secret by complete ARN.

The complete ARN is the ARN with the Secrets Manager-supplied suffix.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
secretCompleteArnRequired
  • Type: string
fromSecretName 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretName(scope: Construct, id: string, secretName: string)

Imports a secret by secret name;

the ARN of the Secret will be set to the secret name. A secret with this name must exist in the same account & region.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
secretNameRequired
  • Type: string
fromSecretNameV2 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretNameV2(scope: Construct, id: string, secretName: string)

Imports a secret by secret name.

A secret with this name must exist in the same account & region. Replaces the deprecated fromSecretName.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
secretNameRequired
  • Type: string
fromSecretPartialArn 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.fromSecretPartialArn(scope: Construct, id: string, secretPartialArn: string)

Imports a secret by partial ARN.

The partial ARN is the ARN without the Secrets Manager-supplied suffix.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
secretPartialArnRequired
  • Type: string

Properties

Name Type Description
node @aws-cdk/core.ConstructNode The construct tree node associated with this construct.
env @aws-cdk/core.ResourceEnvironment The environment this resource belongs to.
stack @aws-cdk/core.Stack The stack in which this resource is defined.
secretArn string The ARN of the secret in AWS Secrets Manager.
secretName string The name of the secret.
secretValue @aws-cdk/core.SecretValue Retrieve the value of the stored secret as a SecretValue.
encryptionKey @aws-cdk/aws-kms.IKey The customer-managed encryption key that is used to encrypt this secret, if any.
secretFullArn string The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
sync SopsSync No description.
nodeRequired 
public readonly node: ConstructNode;
  • Type: @aws-cdk/core.ConstructNode

The construct tree node associated with this construct.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: @aws-cdk/core.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: @aws-cdk/core.Stack

The stack in which this resource is defined.

secretArnRequired 
public readonly secretArn: string;
  • Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

secretNameRequired 
public readonly secretName: string;
  • Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

secretValueRequired 
public readonly secretValue: SecretValue;
  • Type: @aws-cdk/core.SecretValue

Retrieve the value of the stored secret as a SecretValue.

encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: @aws-cdk/aws-kms.IKey

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

secretFullArnOptional 
public readonly secretFullArn: string;
  • Type: string

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

syncRequired 
public readonly sync: SopsSync;

SopsSync

The custom resource, that is syncing the content from a sops file to a secret.

Initializers 

import { SopsSync } from 'cdk-sops-secrets'

new SopsSync(scope: Construct, id: string, props: SopsSyncProps)
Name Type Description
scope @aws-cdk/core.Construct No description.
id string No description.
props SopsSyncProps No description.
scopeRequired
  • Type: @aws-cdk/core.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Return whether the given object is a Construct.
isConstruct 
import { SopsSync } from 'cdk-sops-secrets'

SopsSync.isConstruct(x: any)

Return whether the given object is a Construct.

xRequired
  • Type: any

Properties

Name Type Description
node @aws-cdk/core.ConstructNode The construct tree node associated with this construct.
converToJSON boolean Was the format converted to json?
flatten boolean Was the structure flattened?
sopsFileFormat string The format of the input file.
stringifiedValues boolean Were the values stringified?
versionId string The current versionId of the secret populated via this resource.
nodeRequired 
public readonly node: ConstructNode;
  • Type: @aws-cdk/core.ConstructNode

The construct tree node associated with this construct.

converToJSONRequired 
public readonly converToJSON: boolean;
  • Type: boolean

Was the format converted to json?

flattenRequired 
public readonly flatten: boolean;
  • Type: boolean

Was the structure flattened?

sopsFileFormatRequired 
public readonly sopsFileFormat: string;
  • Type: string

The format of the input file.

stringifiedValuesRequired 
public readonly stringifiedValues: boolean;
  • Type: boolean

Were the values stringified?

versionIdRequired 
public readonly versionId: string;
  • Type: string

The current versionId of the secret populated via this resource.

SopsSyncProvider

Initializers 

import { SopsSyncProvider } from 'cdk-sops-secrets'

new SopsSyncProvider(scope: Construct, id?: string)
Name Type Description
scope @aws-cdk/core.Construct No description.
id string No description.
scopeRequired
  • Type: @aws-cdk/core.Construct
idOptional
  • Type: string

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addEventSource Adds an event source to this function.
addEventSourceMapping Adds an event source that maps to this AWS Lambda function.
addPermission Adds a permission to the Lambda resource policy.
addToRolePolicy Adds a statement to the IAM role assumed by the instance.
configureAsyncInvoke Configures options for asynchronous invocation.
considerWarningOnInvokeFunctionPermissions A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.
grantInvoke Grant the given identity permissions to invoke this Lambda.
metric Return the given named metric for this Function.
metricDuration How long execution of this Lambda takes.
metricErrors How many invocations of this Lambda fail.
metricInvocations How often this Lambda is invoked.
metricThrottles How often this Lambda is throttled.
addDependency Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.
addEnvironment Adds an environment variable to this Lambda function.
addLayers Adds one or more Lambda Layers to this Lambda function.
dependOn The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.
addAgeKey No description.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: @aws-cdk/core.RemovalPolicy
addEventSource 
public addEventSource(source: IEventSource): void

Adds an event source to this function.

Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.

The following example adds an SQS Queue as an event source:

import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
myFunction.addEventSource(new SqsEventSource(myQueue));
sourceRequired
  • Type: @aws-cdk/aws-lambda.IEventSource
addEventSourceMapping 
public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping

Adds an event source that maps to this AWS Lambda function.

idRequired
  • Type: string
optionsRequired
  • Type: @aws-cdk/aws-lambda.EventSourceMappingOptions
addPermission 
public addPermission(name: string, permission: Permission): void

Adds a permission to the Lambda resource policy.

nameRequired
  • Type: string
permissionRequired
  • Type: @aws-cdk/aws-lambda.Permission
addToRolePolicy 
public addToRolePolicy(statement: PolicyStatement): void

Adds a statement to the IAM role assumed by the instance.

statementRequired
  • Type: @aws-cdk/aws-iam.PolicyStatement
configureAsyncInvoke 
public configureAsyncInvoke(options: EventInvokeConfigOptions): void

Configures options for asynchronous invocation.

optionsRequired
  • Type: @aws-cdk/aws-lambda.EventInvokeConfigOptions
considerWarningOnInvokeFunctionPermissions 
public considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void

A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.

function.currentVersion is invoked before or after the permission is created.

This applies only to permissions on Lambda functions, not versions or aliases. This function is overridden as a noOp for QualifiedFunctionBase.

scopeRequired
  • Type: @aws-cdk/core.Construct
actionRequired
  • Type: string
grantInvoke 
public grantInvoke(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda.

granteeRequired
  • Type: @aws-cdk/aws-iam.IGrantable
metric 
public metric(metricName: string, props?: MetricOptions): Metric

Return the given named metric for this Function.

metricNameRequired
  • Type: string
propsOptional
  • Type: @aws-cdk/aws-cloudwatch.MetricOptions
metricDuration 
public metricDuration(props?: MetricOptions): Metric

How long execution of this Lambda takes.

Average over 5 minutes

propsOptional
  • Type: @aws-cdk/aws-cloudwatch.MetricOptions
metricErrors 
public metricErrors(props?: MetricOptions): Metric

How many invocations of this Lambda fail.

Sum over 5 minutes

propsOptional
  • Type: @aws-cdk/aws-cloudwatch.MetricOptions
metricInvocations 
public metricInvocations(props?: MetricOptions): Metric

How often this Lambda is invoked.

Sum over 5 minutes

propsOptional
  • Type: @aws-cdk/aws-cloudwatch.MetricOptions
metricThrottles 
public metricThrottles(props?: MetricOptions): Metric

How often this Lambda is throttled.

Sum over 5 minutes

propsOptional
  • Type: @aws-cdk/aws-cloudwatch.MetricOptions
addDependency 
public addDependency(up: IDependable): void

Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.

upRequired
  • Type: @aws-cdk/core.IDependable
addEnvironment 
public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function

Adds an environment variable to this Lambda function.

If this is a ref to a Lambda function, this operation results in a no-op.

keyRequired
  • Type: string

The environment variable key.

valueRequired
  • Type: string

The environment variable's value.

optionsOptional
  • Type: @aws-cdk/aws-lambda.EnvironmentOptions

Environment variable options.

addLayers 
public addLayers(layers: ILayerVersion): void

Adds one or more Lambda Layers to this Lambda function.

layersRequired
  • Type: @aws-cdk/aws-lambda.ILayerVersion

the layers to be added.

dependOn 
public dependOn(down: IConstruct): void

The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.

downRequired
  • Type: @aws-cdk/core.IConstruct
addAgeKey 
public addAgeKey(key: SecretValue): void
keyRequired
  • Type: @aws-cdk/core.SecretValue

Static Functions

Name Description
isConstruct Return whether the given object is a Construct.
isResource Check whether the given construct is a Resource.
isConstruct 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isConstruct(x: any)

Return whether the given object is a Construct.

xRequired
  • Type: any
isResource 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: @aws-cdk/core.IConstruct

Properties

Name Type Description
node @aws-cdk/core.ConstructNode The construct tree node associated with this construct.
env @aws-cdk/core.ResourceEnvironment The environment this resource belongs to.
stack @aws-cdk/core.Stack The stack in which this resource is defined.
architecture @aws-cdk/aws-lambda.Architecture The architecture of this Lambda Function.
connections @aws-cdk/aws-ec2.Connections Access the Connections object.
functionArn string The ARN fo the function.
functionName string The name of the function.
grantPrincipal @aws-cdk/aws-iam.IPrincipal The principal this Lambda Function is running as.
isBoundToVpc boolean Whether or not this Lambda function was bound to a VPC.
latestVersion @aws-cdk/aws-lambda.IVersion The $LATEST version of this function.
permissionsNode @aws-cdk/core.ConstructNode The construct node where permissions are attached.
resourceArnsForGrantInvoke string[] The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().
role @aws-cdk/aws-iam.IRole The IAM role associated with this function.
currentVersion @aws-cdk/aws-lambda.Version Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.
logGroup @aws-cdk/aws-logs.ILogGroup The LogGroup where the Lambda function's logs are made available.
runtime @aws-cdk/aws-lambda.Runtime The runtime environment for the Lambda function.
nodeRequired 
public readonly node: ConstructNode;
  • Type: @aws-cdk/core.ConstructNode

The construct tree node associated with this construct.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: @aws-cdk/core.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: @aws-cdk/core.Stack

The stack in which this resource is defined.

architectureRequired 
public readonly architecture: Architecture;
  • Type: @aws-cdk/aws-lambda.Architecture

The architecture of this Lambda Function.

connectionsRequired 
public readonly connections: Connections;
  • Type: @aws-cdk/aws-ec2.Connections

Access the Connections object.

Will fail if not a VPC-enabled Lambda Function

functionArnRequired 
public readonly functionArn: string;
  • Type: string

The ARN fo the function.

functionNameRequired 
public readonly functionName: string;
  • Type: string

The name of the function.

grantPrincipalRequired 
public readonly grantPrincipal: IPrincipal;
  • Type: @aws-cdk/aws-iam.IPrincipal

The principal this Lambda Function is running as.

isBoundToVpcRequired 
public readonly isBoundToVpc: boolean;
  • Type: boolean

Whether or not this Lambda function was bound to a VPC.

If this is is false, trying to access the connections object will fail.

latestVersionRequired 
public readonly latestVersion: IVersion;
  • Type: @aws-cdk/aws-lambda.IVersion

The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

permissionsNodeRequired 
public readonly permissionsNode: ConstructNode;
  • Type: @aws-cdk/core.ConstructNode

The construct node where permissions are attached.

resourceArnsForGrantInvokeRequired 
public readonly resourceArnsForGrantInvoke: string[];
  • Type: string[]

The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().

roleOptional 
public readonly role: IRole;
  • Type: @aws-cdk/aws-iam.IRole

The IAM role associated with this function.

Undefined if the function was imported without a role.

currentVersionRequired 
public readonly currentVersion: Version;
  • Type: @aws-cdk/aws-lambda.Version

Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.SingletonFunction.

logGroupRequired 
public readonly logGroup: ILogGroup;
  • Type: @aws-cdk/aws-logs.ILogGroup

The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.

runtimeRequired 
public readonly runtime: Runtime;
  • Type: @aws-cdk/aws-lambda.Runtime

The runtime environment for the Lambda function.

Structs

SopsSecretProps

The configuration options of the SopsSecret.

Initializer 

import { SopsSecretProps } from 'cdk-sops-secrets'

const sopsSecretProps: SopsSecretProps = { ... }

Properties

Name Type Description
description string An optional, human-friendly description of the secret.
encryptionKey @aws-cdk/aws-kms.IKey The customer-managed encryption key to use for encrypting the secret value.
generateSecretString @aws-cdk/aws-secretsmanager.SecretStringGenerator Configuration for how to generate a secret value.
removalPolicy @aws-cdk/core.RemovalPolicy Policy to apply when the secret is removed from this stack.
replicaRegions @aws-cdk/aws-secretsmanager.ReplicaRegion[] A list of regions where to replicate this secret.
secretName string A name for the secret.
secretStringBeta1 @aws-cdk/aws-secretsmanager.SecretStringValueBeta1 Initial value for the secret.
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey @aws-cdk/core.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey @aws-cdk/aws-kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: No description.

An optional, human-friendly description of the secret.

encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: @aws-cdk/aws-kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

generateSecretStringOptional 
public readonly generateSecretString: SecretStringGenerator;
  • Type: @aws-cdk/aws-secretsmanager.SecretStringGenerator
  • Default: 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values of SecretStringGenerator.

Configuration for how to generate a secret value.

Only one of secretString and generateSecretString can be provided.

removalPolicyOptional 
public readonly removalPolicy: RemovalPolicy;
  • Type: @aws-cdk/core.RemovalPolicy
  • Default: Not set.

Policy to apply when the secret is removed from this stack.

replicaRegionsOptional 
public readonly replicaRegions: ReplicaRegion[];
  • Type: @aws-cdk/aws-secretsmanager.ReplicaRegion[]
  • Default: Secret is not replicated

A list of regions where to replicate this secret.

secretNameOptional 
public readonly secretName: string;
  • Type: string
  • Default: A name is generated by CloudFormation.

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

secretStringBeta1Optional 
public readonly secretStringBeta1: SecretStringValueBeta1;
  • Type: @aws-cdk/aws-secretsmanager.SecretStringValueBeta1
  • Default: SecretsManager generates a new secret value.

Initial value for the secret.

NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.

Only one of secretString and generateSecretString can be provided.

sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: @aws-cdk/core.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: @aws-cdk/aws-kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

SopsSyncOptions

Configuration options for the SopsSync.

Initializer 

import { SopsSyncOptions } from 'cdk-sops-secrets'

const sopsSyncOptions: SopsSyncOptions = { ... }

Properties

Name Type Description
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey @aws-cdk/core.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey @aws-cdk/aws-kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: @aws-cdk/core.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: @aws-cdk/aws-kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

SopsSyncProps

The configuration options extended by the target Secret.

Initializer 

import { SopsSyncProps } from 'cdk-sops-secrets'

const sopsSyncProps: SopsSyncProps = { ... }

Properties

Name Type Description
sopsFilePath string The filepath to the sops file.
convertToJSON boolean Should the encrypted sops value should be converted to JSON?
flatten boolean Should the structure be flattened?
sopsAgeKey @aws-cdk/core.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsKmsKey @aws-cdk/aws-kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
stringifyValues boolean Shall all values be flattened?
secret @aws-cdk/aws-secretsmanager.ISecret The secret that will be populated with the encrypted sops file content.
sopsFilePathRequired 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

convertToJSONOptional 
public readonly convertToJSON: boolean;
  • Type: boolean
  • Default: true

Should the encrypted sops value should be converted to JSON?

Only JSON can be handled by cloud formations dynamic references.

flattenOptional 
public readonly flatten: boolean;
  • Type: boolean
  • Default: true

Should the structure be flattened?

The result will be a flat structure and all object keys will be replaced with the full jsonpath as key. This is usefull for dynamic references, as those don't support nested objects.

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: @aws-cdk/core.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: @aws-cdk/aws-kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

stringifyValuesOptional 
public readonly stringifyValues: boolean;
  • Type: boolean

Shall all values be flattened?

This is usefull for dynamic references, as there are lookup errors for certain float types

secretRequired 
public readonly secret: ISecret;
  • Type: @aws-cdk/aws-secretsmanager.ISecret

The secret that will be populated with the encrypted sops file content.