API.md

API Reference

Constructs

MultiStringParameter

Initializers

import { MultiStringParameter } from 'cdk-sops-secrets'

new MultiStringParameter(scope: Construct, id: string, props: MultiStringParameterProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	MultiStringParameterProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Required

• Type: MultiStringParameterProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.

---

toString

public toString(): string

Returns a string representation of this construct.

Static Functions

Name	Description
isConstruct	Checks if x is a construct.

---

isConstruct

import { MultiStringParameter } from 'cdk-sops-secrets'

MultiStringParameter.isConstruct(x: any)

Checks if x is a construct.

x^Required

• Type: any

Any object.

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
encryptionKey	aws-cdk-lib.aws_kms.IKey	No description.
env	aws-cdk-lib.ResourceEnvironment	No description.
keyPrefix	string	No description.
keySeparator	string	No description.
stack	aws-cdk-lib.Stack	No description.
sync	SopsSync	No description.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

encryptionKey^Required

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey

---

env^Required

public readonly env: ResourceEnvironment;

• Type: aws-cdk-lib.ResourceEnvironment

---

keyPrefix^Required

public readonly keyPrefix: string;

• Type: string

---

keySeparator^Required

public readonly keySeparator: string;

• Type: string

---

stack^Required

public readonly stack: Stack;

• Type: aws-cdk-lib.Stack

---

sync^Required

public readonly sync: SopsSync;

• Type: SopsSync

---

SopsSecret

• Implements: aws-cdk-lib.aws_secretsmanager.ISecret

A drop in replacement for the normal Secret, that is populated with the encrypted content of the given sops file.

Initializers

import { SopsSecret } from 'cdk-sops-secrets'

new SopsSecret(scope: Construct, id: string, props: SopsSecretProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	SopsSecretProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Required

• Type: SopsSecretProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.
addRotationSchedule	Adds a rotation schedule to the secret.
addToResourcePolicy	Adds a statement to the IAM resource policy associated with this secret.
applyRemovalPolicy	Apply the given removal policy to this resource.
attach	Attach a target to this secret.
currentVersionId	No description.
denyAccountRootDelete	Denies the DeleteSecret action to all principals within the current account.
grantRead	Grants reading the secret value to some role.
grantWrite	Grants writing and updating the secret value to some role.
secretValueFromJson	Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

---

toString

public toString(): string

Returns a string representation of this construct.

addRotationSchedule

public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Adds a rotation schedule to the secret.

id^Required

• Type: string

---

options^Required

• Type: aws-cdk-lib.aws_secretsmanager.RotationScheduleOptions

---

addToResourcePolicy

public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

statement^Required

• Type: aws-cdk-lib.aws_iam.PolicyStatement

---

applyRemovalPolicy

public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policy^Required

• Type: aws-cdk-lib.RemovalPolicy

---

attach

public attach(target: ISecretAttachmentTarget): ISecret

Attach a target to this secret.

target^Required

• Type: aws-cdk-lib.aws_secretsmanager.ISecretAttachmentTarget

---

currentVersionId

public currentVersionId(): string

denyAccountRootDelete

public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.

grantRead

public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Grants reading the secret value to some role.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

versionStages^Optional

• Type: string[]

---

grantWrite

public grantWrite(_grantee: IGrantable): Grant

Grants writing and updating the secret value to some role.

_grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

secretValueFromJson

public secretValueFromJson(jsonField: string): SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

jsonField^Required

• Type: string

---

Static Functions

Name	Description
isConstruct	Checks if x is a construct.

---

isConstruct

import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.isConstruct(x: any)

Checks if x is a construct.

x^Required

• Type: any

Any object.

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
env	aws-cdk-lib.ResourceEnvironment	The environment this resource belongs to.
secretArn	string	The ARN of the secret in AWS Secrets Manager.
secretName	string	The name of the secret.
secretValue	aws-cdk-lib.SecretValue	Retrieve the value of the stored secret as a SecretValue.
stack	aws-cdk-lib.Stack	The stack in which this resource is defined.
sync	SopsSync	No description.
encryptionKey	aws-cdk-lib.aws_kms.IKey	The customer-managed encryption key that is used to encrypt this secret, if any.
secretFullArn	string	The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

env^Required

public readonly env: ResourceEnvironment;

• Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

---

secretArn^Required

public readonly secretArn: string;

• Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

---

secretName^Required

public readonly secretName: string;

• Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

---

secretValue^Required

public readonly secretValue: SecretValue;

• Type: aws-cdk-lib.SecretValue

Retrieve the value of the stored secret as a SecretValue.

---

stack^Required

public readonly stack: Stack;

• Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

---

sync^Required

public readonly sync: SopsSync;

• Type: SopsSync

---

encryptionKey^Optional

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

---

secretFullArn^Optional

public readonly secretFullArn: string;

• Type: string

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

---

SopsStringParameter

• Implements: aws-cdk-lib.aws_ssm.IStringParameter

A drop in replacement for the normal String Parameter, that is populated with the encrypted content of the given sops file.

Initializers

import { SopsStringParameter } from 'cdk-sops-secrets'

new SopsStringParameter(scope: Construct, id: string, props: SopsStringParameterProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	SopsStringParameterProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Required

• Type: SopsStringParameterProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.
applyRemovalPolicy	Apply the given removal policy to this resource.
grantRead	Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter.
grantWrite	Grants write (PutParameter) permissions on the SSM Parameter.

---

toString

public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy

public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policy^Required

• Type: aws-cdk-lib.RemovalPolicy

---

grantRead

public grantRead(grantee: IGrantable): Grant

Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

grantWrite

public grantWrite(grantee: IGrantable): Grant

Grants write (PutParameter) permissions on the SSM Parameter.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

Static Functions

Name	Description
isConstruct	Checks if x is a construct.

---

isConstruct

import { SopsStringParameter } from 'cdk-sops-secrets'

SopsStringParameter.isConstruct(x: any)

Checks if x is a construct.

x^Required

• Type: any

Any object.

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
encryptionKey	aws-cdk-lib.aws_kms.IKey	No description.
env	aws-cdk-lib.ResourceEnvironment	The environment this resource belongs to.
parameterArn	string	The ARN of the SSM Parameter resource.
parameterName	string	The name of the SSM Parameter resource.
parameterType	string	The type of the SSM Parameter resource.
stack	aws-cdk-lib.Stack	The stack in which this resource is defined.
stringValue	string	The parameter value.
sync	SopsSync	No description.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

encryptionKey^Required

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey

---

env^Required

public readonly env: ResourceEnvironment;

• Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

---

parameterArn^Required

public readonly parameterArn: string;

• Type: string

The ARN of the SSM Parameter resource.

---

parameterName^Required

public readonly parameterName: string;

• Type: string

The name of the SSM Parameter resource.

---

parameterType^Required

public readonly parameterType: string;

• Type: string

The type of the SSM Parameter resource.

---

stack^Required

public readonly stack: Stack;

• Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

---

stringValue^Required

public readonly stringValue: string;

• Type: string

The parameter value.

Value must not nest another parameter. Do not use {{}} in the value.

---

sync^Required

public readonly sync: SopsSync;

• Type: SopsSync

---

SopsSync

The custom resource, that is syncing the content from a sops file to a secret.

Initializers

import { SopsSync } from 'cdk-sops-secrets'

new SopsSync(scope: Construct, id: string, props: SopsSyncProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	SopsSyncProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Required

• Type: SopsSyncProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.

---

toString

public toString(): string

Returns a string representation of this construct.

Static Functions

Name	Description
isConstruct	Checks if x is a construct.

---

isConstruct

import { SopsSync } from 'cdk-sops-secrets'

SopsSync.isConstruct(x: any)

Checks if x is a construct.

x^Required

• Type: any

Any object.

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
versionId	string	The current versionId of the secret populated via this resource.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

versionId^Required

public readonly versionId: string;

• Type: string

The current versionId of the secret populated via this resource.

---

SopsSyncProvider

• Implements: aws-cdk-lib.aws_iam.IGrantable

Initializers

import { SopsSyncProvider } from 'cdk-sops-secrets'

new SopsSyncProvider(scope: Construct, id?: string, props?: SopsSyncProviderProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	SopsSyncProviderProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Optional

• Type: string

---

props^Optional

• Type: SopsSyncProviderProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.
applyRemovalPolicy	Apply the given removal policy to this resource.
addEventSource	Adds an event source to this function.
addEventSourceMapping	Adds an event source that maps to this AWS Lambda function.
addFunctionUrl	Adds a url to this lambda function.
addPermission	Adds a permission to the Lambda resource policy.
addToRolePolicy	Adds a statement to the IAM role assumed by the instance.
configureAsyncInvoke	Configures options for asynchronous invocation.
considerWarningOnInvokeFunctionPermissions	A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.
grantInvoke	Grant the given identity permissions to invoke this Lambda.
grantInvokeCompositePrincipal	Grant multiple principals the ability to invoke this Lambda via CompositePrincipal.
grantInvokeLatestVersion	Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda.
grantInvokeUrl	Grant the given identity permissions to invoke this Lambda Function URL.
grantInvokeVersion	Grant the given identity permissions to invoke the given version of this Lambda.
metric	Return the given named metric for this Function.
metricDuration	How long execution of this Lambda takes.
metricErrors	How many invocations of this Lambda fail.
metricInvocations	How often this Lambda is invoked.
metricThrottles	How often this Lambda is throttled.
addDependency	Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.
addEnvironment	Adds an environment variable to this Lambda function.
addLayers	Adds one or more Lambda Layers to this Lambda function.
addMetadata	Use this method to write to the construct tree.
dependOn	The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.
addAgeKey	No description.

---

toString

public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy

public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policy^Required

• Type: aws-cdk-lib.RemovalPolicy

---

addEventSource

public addEventSource(source: IEventSource): void

Adds an event source to this function.

Event sources are implemented in the aws-cdk-lib/aws-lambda-event-sources module.

The following example adds an SQS Queue as an event source:

import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
myFunction.addEventSource(new SqsEventSource(myQueue));

source^Required

• Type: aws-cdk-lib.aws_lambda.IEventSource

---

addEventSourceMapping

public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping

Adds an event source that maps to this AWS Lambda function.

id^Required

• Type: string

---

options^Required

• Type: aws-cdk-lib.aws_lambda.EventSourceMappingOptions

---

addFunctionUrl

public addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl

Adds a url to this lambda function.

options^Optional

• Type: aws-cdk-lib.aws_lambda.FunctionUrlOptions

---

addPermission

public addPermission(name: string, permission: Permission): void

Adds a permission to the Lambda resource policy.

name^Required

• Type: string

---

permission^Required

• Type: aws-cdk-lib.aws_lambda.Permission

---

addToRolePolicy

public addToRolePolicy(statement: PolicyStatement): void

Adds a statement to the IAM role assumed by the instance.

statement^Required

• Type: aws-cdk-lib.aws_iam.PolicyStatement

---

configureAsyncInvoke

public configureAsyncInvoke(options: EventInvokeConfigOptions): void

Configures options for asynchronous invocation.

options^Required

• Type: aws-cdk-lib.aws_lambda.EventInvokeConfigOptions

---

considerWarningOnInvokeFunctionPermissions

public considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void

A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.

function.currentVersion is invoked before or after the permission is created.

This applies only to permissions on Lambda functions, not versions or aliases. This function is overridden as a noOp for QualifiedFunctionBase.

scope^Required

• Type: constructs.Construct

---

action^Required

• Type: string

---

grantInvoke

public grantInvoke(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

grantInvokeCompositePrincipal

public grantInvokeCompositePrincipal(compositePrincipal: CompositePrincipal): Grant[]

Grant multiple principals the ability to invoke this Lambda via CompositePrincipal.

compositePrincipal^Required

• Type: aws-cdk-lib.aws_iam.CompositePrincipal

---

grantInvokeLatestVersion

public grantInvokeLatestVersion(grantee: IGrantable): Grant

Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

grantInvokeUrl

public grantInvokeUrl(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda Function URL.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

grantInvokeVersion

public grantInvokeVersion(grantee: IGrantable, version: IVersion): Grant

Grant the given identity permissions to invoke the given version of this Lambda.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

version^Required

• Type: aws-cdk-lib.aws_lambda.IVersion

---

metric

public metric(metricName: string, props?: MetricOptions): Metric

Return the given named metric for this Function.

metricName^Required

• Type: string

---

props^Optional

• Type: aws-cdk-lib.aws_cloudwatch.MetricOptions

---

metricDuration

public metricDuration(props?: MetricOptions): Metric

How long execution of this Lambda takes.

Average over 5 minutes

props^Optional

• Type: aws-cdk-lib.aws_cloudwatch.MetricOptions

---

metricErrors

public metricErrors(props?: MetricOptions): Metric

How many invocations of this Lambda fail.

Sum over 5 minutes

props^Optional

• Type: aws-cdk-lib.aws_cloudwatch.MetricOptions

---

metricInvocations

public metricInvocations(props?: MetricOptions): Metric

How often this Lambda is invoked.

Sum over 5 minutes

props^Optional

• Type: aws-cdk-lib.aws_cloudwatch.MetricOptions

---

metricThrottles

public metricThrottles(props?: MetricOptions): Metric

How often this Lambda is throttled.

Sum over 5 minutes

props^Optional

• Type: aws-cdk-lib.aws_cloudwatch.MetricOptions

---

addDependency

public addDependency(up: ...IDependable[]): void

Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.

up^Required

• Type: ...constructs.IDependable[]

---

addEnvironment

public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function

Adds an environment variable to this Lambda function.

If this is a ref to a Lambda function, this operation results in a no-op.

key^Required

• Type: string

The environment variable key.

---

value^Required

• Type: string

The environment variable's value.

---

options^Optional

• Type: aws-cdk-lib.aws_lambda.EnvironmentOptions

Environment variable options.

---

addLayers

public addLayers(layers: ...ILayerVersion[]): void

Adds one or more Lambda Layers to this Lambda function.

layers^Required

• Type: ...aws-cdk-lib.aws_lambda.ILayerVersion[]

the layers to be added.

---

addMetadata

public addMetadata(type: string, data: any, options?: MetadataOptions): void

Use this method to write to the construct tree.

The metadata entries are written to the Cloud Assembly Manifest if the treeMetadata property is specified in the props of the App that contains this Construct.

type^Required

• Type: string

---

data^Required

• Type: any

---

options^Optional

• Type: constructs.MetadataOptions

---

dependOn

public dependOn(down: IConstruct): void

The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.

down^Required

• Type: constructs.IConstruct

---

addAgeKey

public addAgeKey(key: SecretValue): void

key^Required

• Type: aws-cdk-lib.SecretValue

---

Static Functions

Name	Description
isConstruct	Checks if x is a construct.
isOwnedResource	Returns true if the construct was created by CDK, and false otherwise.
isResource	Check whether the given construct is a Resource.

---

isConstruct

import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isConstruct(x: any)

Checks if x is a construct.

x^Required

• Type: any

Any object.

---

isOwnedResource

import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

construct^Required

• Type: constructs.IConstruct

---

isResource

import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

construct^Required

• Type: constructs.IConstruct

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
env	aws-cdk-lib.ResourceEnvironment	The environment this resource belongs to.
stack	aws-cdk-lib.Stack	The stack in which this resource is defined.
architecture	aws-cdk-lib.aws_lambda.Architecture	The architecture of this Lambda Function.
connections	aws-cdk-lib.aws_ec2.Connections	Access the Connections object.
functionArn	string	The ARN fo the function.
functionName	string	The name of the function.
grantPrincipal	aws-cdk-lib.aws_iam.IPrincipal	The principal this Lambda Function is running as.
isBoundToVpc	boolean	Whether or not this Lambda function was bound to a VPC.
latestVersion	aws-cdk-lib.aws_lambda.IVersion	The $LATEST version of this function.
permissionsNode	constructs.Node	The construct node where permissions are attached.
resourceArnsForGrantInvoke	string[]	The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().
role	aws-cdk-lib.aws_iam.IRole	The IAM role associated with this function.
constructName	string	The name of the singleton function.
currentVersion	aws-cdk-lib.aws_lambda.Version	Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.
logGroup	aws-cdk-lib.aws_logs.ILogGroup	The LogGroup where the Lambda function's logs are made available.
runtime	aws-cdk-lib.aws_lambda.Runtime	The runtime environment for the Lambda function.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

env^Required

public readonly env: ResourceEnvironment;

• Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

---

stack^Required

public readonly stack: Stack;

• Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

---

architecture^Required

public readonly architecture: Architecture;

• Type: aws-cdk-lib.aws_lambda.Architecture

The architecture of this Lambda Function.

---

connections^Required

public readonly connections: Connections;

• Type: aws-cdk-lib.aws_ec2.Connections

Access the Connections object.

Will fail if not a VPC-enabled Lambda Function

---

functionArn^Required

public readonly functionArn: string;

• Type: string

The ARN fo the function.

---

functionName^Required

public readonly functionName: string;

• Type: string

The name of the function.

---

grantPrincipal^Required

public readonly grantPrincipal: IPrincipal;

• Type: aws-cdk-lib.aws_iam.IPrincipal

The principal this Lambda Function is running as.

---

isBoundToVpc^Required

public readonly isBoundToVpc: boolean;

• Type: boolean

Whether or not this Lambda function was bound to a VPC.

If this is is false, trying to access the connections object will fail.

---

latestVersion^Required

public readonly latestVersion: IVersion;

• Type: aws-cdk-lib.aws_lambda.IVersion

The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

---

permissionsNode^Required

public readonly permissionsNode: Node;

• Type: constructs.Node

The construct node where permissions are attached.

---

resourceArnsForGrantInvoke^Required

public readonly resourceArnsForGrantInvoke: string[];

• Type: string[]

The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().

---

role^Optional

public readonly role: IRole;

• Type: aws-cdk-lib.aws_iam.IRole

The IAM role associated with this function.

Undefined if the function was imported without a role.

---

constructName^Required

public readonly constructName: string;

• Type: string

The name of the singleton function.

It acts as a unique ID within its CDK stack.

---

currentVersion^Required

public readonly currentVersion: Version;

• Type: aws-cdk-lib.aws_lambda.Version

Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.SingletonFunction.

---

logGroup^Required

public readonly logGroup: ILogGroup;

• Type: aws-cdk-lib.aws_logs.ILogGroup

The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.

---

runtime^Required

public readonly runtime: Runtime;

• Type: aws-cdk-lib.aws_lambda.Runtime

The runtime environment for the Lambda function.

---

Structs

MultiStringParameterProps

Initializer

import { MultiStringParameterProps } from 'cdk-sops-secrets'

const multiStringParameterProps: MultiStringParameterProps = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?
encryptionKey	aws-cdk-lib.aws_kms.IKey	The customer-managed encryption key to use for encrypting the secret value.
description	string	Information about the parameter that you want to add to the system.
tier	aws-cdk-lib.aws_ssm.ParameterTier	The tier of the string parameter.
keyPrefix	string	The prefix used for all parameters.
keySeparator	string	The seperator used to seperate keys.

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

encryptionKey^Required

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

---

description^Optional

public readonly description: string;

• Type: string
• Default: none

Information about the parameter that you want to add to the system.

---

tier^Optional

public readonly tier: ParameterTier;

• Type: aws-cdk-lib.aws_ssm.ParameterTier
• Default: undefined

The tier of the string parameter.

---

keyPrefix^Optional

public readonly keyPrefix: string;

• Type: string
• Default: '/'

The prefix used for all parameters.

---

keySeparator^Optional

public readonly keySeparator: string;

• Type: string
• Default: '/'

The seperator used to seperate keys.

---

SopsCommonParameterProps

The configuration options of the StringParameter.

Initializer

import { SopsCommonParameterProps } from 'cdk-sops-secrets'

const sopsCommonParameterProps: SopsCommonParameterProps = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?
encryptionKey	aws-cdk-lib.aws_kms.IKey	The customer-managed encryption key to use for encrypting the secret value.
description	string	Information about the parameter that you want to add to the system.
tier	aws-cdk-lib.aws_ssm.ParameterTier	The tier of the string parameter.

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

encryptionKey^Required

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

---

description^Optional

public readonly description: string;

• Type: string
• Default: none

Information about the parameter that you want to add to the system.

---

tier^Optional

public readonly tier: ParameterTier;

• Type: aws-cdk-lib.aws_ssm.ParameterTier
• Default: undefined

The tier of the string parameter.

---

SopsSecretProps

The configuration options of the SopsSecret.

Initializer

import { SopsSecretProps } from 'cdk-sops-secrets'

const sopsSecretProps: SopsSecretProps = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?
description	string	An optional, human-friendly description of the secret.
encryptionKey	aws-cdk-lib.aws_kms.IKey	The customer-managed encryption key to use for encrypting the secret value.
rawOutput	RawOutput	Should the secret parsed and transformed to json?
removalPolicy	aws-cdk-lib.RemovalPolicy	Policy to apply when the secret is removed from this stack.
replicaRegions	aws-cdk-lib.aws_secretsmanager.ReplicaRegion[]	A list of regions where to replicate this secret.
secretName	string	A name for the secret.

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

description^Optional

public readonly description: string;

• Type: string
• Default: No description.

An optional, human-friendly description of the secret.

---

encryptionKey^Optional

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

---

rawOutput^Optional

public readonly rawOutput: RawOutput;

• Type: RawOutput
• Default: undefined - no raw output

Should the secret parsed and transformed to json?

---

removalPolicy^Optional

public readonly removalPolicy: RemovalPolicy;

• Type: aws-cdk-lib.RemovalPolicy
• Default: Not set.

Policy to apply when the secret is removed from this stack.

---

replicaRegions^Optional

public readonly replicaRegions: ReplicaRegion[];

• Type: aws-cdk-lib.aws_secretsmanager.ReplicaRegion[]
• Default: Secret is not replicated

A list of regions where to replicate this secret.

---

secretName^Optional

public readonly secretName: string;

• Type: string
• Default: A name is generated by CloudFormation.

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

---

SopsStringParameterProps

Initializer

import { SopsStringParameterProps } from 'cdk-sops-secrets'

const sopsStringParameterProps: SopsStringParameterProps = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?
encryptionKey	aws-cdk-lib.aws_kms.IKey	The customer-managed encryption key to use for encrypting the secret value.
description	string	Information about the parameter that you want to add to the system.
tier	aws-cdk-lib.aws_ssm.ParameterTier	The tier of the string parameter.
parameterName	string	The name of the parameter.

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

encryptionKey^Required

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

---

description^Optional

public readonly description: string;

• Type: string
• Default: none

Information about the parameter that you want to add to the system.

---

tier^Optional

public readonly tier: ParameterTier;

• Type: aws-cdk-lib.aws_ssm.ParameterTier
• Default: undefined

The tier of the string parameter.

---

parameterName^Optional

public readonly parameterName: string;

• Type: string
• Default: a name will be generated by CloudFormation

The name of the parameter.

---

SopsSyncOptions

Configuration options for the SopsSync.

Initializer

import { SopsSyncOptions } from 'cdk-sops-secrets'

const sopsSyncOptions: SopsSyncOptions = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

SopsSyncProps

The configuration options extended by the target Secret / Parameter.

Initializer

import { SopsSyncProps } from 'cdk-sops-secrets'

const sopsSyncProps: SopsSyncProps = { ... }

Properties

Name	Type	Description
assetEncryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions	boolean	Should this construct automatically create IAM permissions?
sopsAgeKey	aws-cdk-lib.SecretValue	The age key that should be used for encryption.
sopsFileFormat	string	The format of the sops file.
sopsFilePath	string	The filepath to the sops file.
sopsKmsKey	aws-cdk-lib.aws_kms.IKey[]	The kmsKey used to encrypt the sops file.
sopsProvider	SopsSyncProvider	The custom resource provider to use.
sopsS3Bucket	string	If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key	string	If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType	UploadType	How should the secret be passed to the CustomResource?
resourceType	ResourceType	Will this Sync deploy a Secret or Parameter(s).
target	string	The target to populate with the sops file content.
encryptionKey	aws-cdk-lib.aws_kms.IKey	The encryption key used for encrypting the ssm parameter if parameterName is set.
flattenSeparator	string	If the structure should be flattened use the provided separator between keys.
parameterNames	string[]	No description.
secret	aws-cdk-lib.aws_secretsmanager.ISecret	No description.

---

assetEncryptionKey^Optional

public readonly assetEncryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

---

autoGenerateIamPermissions^Optional

public readonly autoGenerateIamPermissions: boolean;

• Type: boolean
• Default: true

Should this construct automatically create IAM permissions?

---

sopsAgeKey^Optional

public readonly sopsAgeKey: SecretValue;

• Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

---

sopsFileFormat^Optional

public readonly sopsFileFormat: string;

• Type: string
• Default: The fileformat will be derived from the file ending

The format of the sops file.

---

sopsFilePath^Optional

public readonly sopsFilePath: string;

• Type: string

The filepath to the sops file.

---

sopsKmsKey^Optional

public readonly sopsKmsKey: IKey[];

• Type: aws-cdk-lib.aws_kms.IKey[]
• Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

---

sopsProvider^Optional

public readonly sopsProvider: SopsSyncProvider;

• Type: SopsSyncProvider
• Default: A new singleton provider will be created

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

---

sopsS3Bucket^Optional

public readonly sopsS3Bucket: string;

• Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

sopsS3Key^Optional

public readonly sopsS3Key: string;

• Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

---

uploadType^Optional

public readonly uploadType: UploadType;

• Type: UploadType
• Default: INLINE

How should the secret be passed to the CustomResource?

---

resourceType^Required

public readonly resourceType: ResourceType;

• Type: ResourceType

Will this Sync deploy a Secret or Parameter(s).

---

target^Required

public readonly target: string;

• Type: string

The target to populate with the sops file content.

for secret, it's the name or arn of the secret

• for parameter, it's the name of the parameter
• for parameter multi, it's the prefix of the parameters

---

encryptionKey^Optional

public readonly encryptionKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey

The encryption key used for encrypting the ssm parameter if parameterName is set.

---

flattenSeparator^Optional

public readonly flattenSeparator: string;

• Type: string
• Default: undefined

If the structure should be flattened use the provided separator between keys.

---

parameterNames^Optional

public readonly parameterNames: string[];

• Type: string[]

---

secret^Optional

public readonly secret: ISecret;

• Type: aws-cdk-lib.aws_secretsmanager.ISecret

---

SopsSyncProviderProps

Configuration options for a custom SopsSyncProvider.

Initializer

import { SopsSyncProviderProps } from 'cdk-sops-secrets'

const sopsSyncProviderProps: SopsSyncProviderProps = { ... }

Properties

Name	Type	Description
role	aws-cdk-lib.aws_iam.IRole	The role that should be used for the custom resource provider.
securityGroups	aws-cdk-lib.aws_ec2.ISecurityGroup[]	Only if vpc is supplied: The list of security groups to associate with the Lambda's network interfaces.
vpc	aws-cdk-lib.aws_ec2.IVpc	VPC network to place Lambda network interfaces.
vpcSubnets	aws-cdk-lib.aws_ec2.SubnetSelection	Where to place the network interfaces within the VPC.

---

role^Optional

public readonly role: IRole;

• Type: aws-cdk-lib.aws_iam.IRole
• Default: a new role will be created

The role that should be used for the custom resource provider.

If you don't specify any, a new role will be created with all required permissions

---

securityGroups^Optional

public readonly securityGroups: ISecurityGroup[];

• Type: aws-cdk-lib.aws_ec2.ISecurityGroup[]
• Default: A dedicated security group will be created for the lambda function.

Only if vpc is supplied: The list of security groups to associate with the Lambda's network interfaces.

---

vpc^Optional

public readonly vpc: IVpc;

• Type: aws-cdk-lib.aws_ec2.IVpc
• Default: Lambda function is not placed within a VPC.

VPC network to place Lambda network interfaces.

---

vpcSubnets^Optional

public readonly vpcSubnets: SubnetSelection;

• Type: aws-cdk-lib.aws_ec2.SubnetSelection
• Default: Subnets will be chosen automatically.

Where to place the network interfaces within the VPC.

---

Enums

RawOutput

Members

Name	Description
STRING	Parse the secret as a string.
BINARY	Parse the secret as a binary.

---

STRING

Parse the secret as a string.

---

BINARY

Parse the secret as a binary.

---

ResourceType

Members

Name	Description
SECRET	No description.
SECRET_RAW	No description.
SECRET_BINARY	No description.
PARAMETER	No description.
PARAMETER_MULTI	No description.

---

SECRET

---

SECRET_RAW

---

SECRET_BINARY

---

PARAMETER

---

PARAMETER_MULTI

---

UploadType

Members

Name	Description
INLINE	Pass the secret data inline (base64 encoded and compressed).
ASSET	Uplaod the secert data as asset.

---

INLINE

Pass the secret data inline (base64 encoded and compressed).

---

ASSET

Uplaod the secert data as asset.

---