feat: Add encrypted string parameter (#1041)

* feat: Add encrypted string parameter

* chore: refactor and add test

* chore: development tools

* fix: import

---------

Co-authored-by: Thomas Geese <[email protected]>
Co-authored-by: Markus Siebert <[email protected]>
Co-authored-by: Markus <[email protected]>

.go-version

@@ -0,0 +1 @@
+1.22.3

.tool-versions

@@ -0,0 +1 @@
+golang 1.22.3

lambda/events/event_create_s3_parameter_raw_simple.json

@@ -0,0 +1,17 @@
+{
+  "RequestType": "Create",
+  "LogicalResourceId": "LogicalResourceId",
+  "ResourceProperties": {
+    "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
+    "SopsS3File": {
+      "Bucket": "..",
+      "Key": "../test-secrets/binary/sopsfile.enc-age.binary"
+    },
+    "Format": "binary",
+    "ConvertToJSON": "false",
+    "SopsAgeKey": "AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3"
+  },
+  "ResourceType": "Custom::SOPS::Secret",
+  "RequestId": "RequestId",
+  "StackId": "StackId"
+}

lambda/go.mod

@@ -1,6 +1,6 @@
 module github.com/markussiebert/cdk-sops-secrets
 
-go 1.22.0
+go 1.22.3
 
 require (
 	github.com/aws/aws-lambda-go v1.47.0

lambda/handler_parameter_raw_test.go

@@ -0,0 +1,15 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/gkampitakis/go-snaps/snaps"
+)
+
+func Test_FullWorkflow_Create_S3_Parameter_RAW_Simple(t *testing.T) {
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_parameter_raw_simple.json")
+
+	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
+	check(err)
+	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
+}

lambda/handler_env_test.go → lambda/handler_secret_env_test.go

@@ -7,15 +7,15 @@ import (
 )
 
 func Test_FullWorkflow_Create_S3_ENV_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_env_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_env_simple.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_ENV_as_JSON_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_env_as_json_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_env_as_json_simple.json")
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)

lambda/handler_json_test.go → lambda/handler_secret_json_test.go

@@ -7,38 +7,38 @@ import (
 )
 
 func Test_FullWorkflow_Create_S3_JSON_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_simple.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_JSON_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_JSON_Complex_StringifyValues(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex_stringify.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex_stringify.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 func Test_FullWorkflow_Create_S3_JSON_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex_flat.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_INLINE_JSON_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_simple.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -47,7 +47,7 @@ func Test_FullWorkflow_Create_INLINE_JSON_Simple(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_JSON_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -56,15 +56,15 @@ func Test_FullWorkflow_Create_INLINE_JSON_Complex(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_JSON_Complex_StringifyValues(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex_stringify.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex_stringify.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 func Test_FullWorkflow_Create_INLINE_JSON_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_json_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_json_complex_flat.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)

lambda/handler_raw_test.go → lambda/handler_secret_raw_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func Test_FullWorkflow_Create_S3_RAW_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_raw_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_raw_simple.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)

lambda/handler_yaml_test.go → lambda/handler_secret_yaml_test.go

@@ -7,55 +7,55 @@ import (
 )
 
 func Test_FullWorkflow_Create_S3_YAML_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_simple.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_YAML_as_JSON_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_simple.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_YAML_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_complex.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_YAML_as_JSON_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_complex.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_YAML_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_complex_flat.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_S3_YAML_as_JSON_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_complex_flat.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_simple.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -64,7 +64,7 @@ func Test_FullWorkflow_Create_INLINE_YAML_Simple(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_as_JSON_Simple(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_simple.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_simple.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -73,7 +73,7 @@ func Test_FullWorkflow_Create_INLINE_YAML_as_JSON_Simple(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_complex.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -82,15 +82,15 @@ func Test_FullWorkflow_Create_INLINE_YAML_Complex(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_as_JSON_Complex(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_complex.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_complex.json")
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
 	check(err)
 	snaps.MatchSnapshot(t, ">>>syncSopsToSecretsmanager", phys, data, err)
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_complex_flat.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)
@@ -99,7 +99,7 @@ func Test_FullWorkflow_Create_INLINE_YAML_Complex_Flat(t *testing.T) {
 }
 
 func Test_FullWorkflow_Create_INLINE_YAML_as_JSON_Complex_Flat(t *testing.T) {
-	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_yaml_as_json_complex_flat.json")
+	mocks, ctx, event := prepareHandler(t, "events/event_create_s3_secret_yaml_as_json_complex_flat.json")
 	event = fileToInline(event)
 
 	phys, data, err := mocks.syncSopsToSecretsmanager(ctx, event)