-
Notifications
You must be signed in to change notification settings - Fork 4k
/
rotation-schedule.ts
419 lines (357 loc) · 14.5 KB
/
rotation-schedule.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
import { Construct } from 'constructs';
import { ISecret, Secret } from './secret';
import { CfnRotationSchedule } from './secretsmanager.generated';
import * as ec2 from '../../aws-ec2';
import { Schedule } from '../../aws-events';
import * as iam from '../../aws-iam';
import * as kms from '../../aws-kms';
import * as lambda from '../../aws-lambda';
import { Duration, Resource, Stack } from '../../core';
/**
* The default set of characters we exclude from generated passwords for database users.
* It's a combination of characters that have a tendency to cause problems in shell scripts,
* some engine-specific characters (for example, Oracle doesn't like '@' in its passwords),
* and some that trip up other services, like DMS.
*/
const DEFAULT_PASSWORD_EXCLUDE_CHARS = " %+~`#$&*()|[]{}:;<>?!'/@\"\\";
/**
* Options to add a rotation schedule to a secret.
*/
export interface RotationScheduleOptions {
/**
* A Lambda function that can rotate the secret.
*
* @default - either `rotationLambda` or `hostedRotation` must be specified
*/
readonly rotationLambda?: lambda.IFunction;
/**
* Hosted rotation
*
* @default - either `rotationLambda` or `hostedRotation` must be specified
*/
readonly hostedRotation?: HostedRotation;
/**
* Specifies the number of days after the previous rotation before
* Secrets Manager triggers the next automatic rotation.
*
* The minimum value is 4 hours.
* The maximum value is 1000 days.
*
* A value of zero (`Duration.days(0)`) will not create RotationRules.
*
* @default Duration.days(30)
*/
readonly automaticallyAfter?: Duration;
/**
* Specifies whether to rotate the secret immediately or wait until the next
* scheduled rotation window.
*
* @default true
*/
readonly rotateImmediatelyOnUpdate?: boolean;
}
/**
* Construction properties for a RotationSchedule.
*/
export interface RotationScheduleProps extends RotationScheduleOptions {
/**
* The secret to rotate.
*
* If hosted rotation is used, this must be a JSON string with the following format:
*
* ```
* {
* "engine": <required: database engine>,
* "host": <required: instance host name>,
* "username": <required: username>,
* "password": <required: password>,
* "dbname": <optional: database name>,
* "port": <optional: if not specified, default port will be used>,
* "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
* }
* ```
*
* This is typically the case for a secret referenced from an `AWS::SecretsManager::SecretTargetAttachment`
* or an `ISecret` returned by the `attach()` method of `Secret`.
*/
readonly secret: ISecret;
}
/**
* A rotation schedule.
*/
export class RotationSchedule extends Resource {
constructor(scope: Construct, id: string, props: RotationScheduleProps) {
super(scope, id);
if ((!props.rotationLambda && !props.hostedRotation) || (props.rotationLambda && props.hostedRotation)) {
throw new Error('One of `rotationLambda` or `hostedRotation` must be specified.');
}
if (props.rotationLambda?.permissionsNode.defaultChild) {
if (props.secret.encryptionKey) {
props.secret.encryptionKey.grantEncryptDecrypt(
new kms.ViaServicePrincipal(
`secretsmanager.${Stack.of(this).region}.amazonaws.com`,
props.rotationLambda.grantPrincipal,
),
);
}
const grant = props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
grant.applyBefore(this);
props.rotationLambda.addToRolePolicy(
new iam.PolicyStatement({
actions: [
'secretsmanager:DescribeSecret',
'secretsmanager:GetSecretValue',
'secretsmanager:PutSecretValue',
'secretsmanager:UpdateSecretVersionStage',
],
resources: [props.secret.secretFullArn ? props.secret.secretFullArn : `${props.secret.secretArn}-??????`],
}),
);
props.rotationLambda.addToRolePolicy(
new iam.PolicyStatement({
actions: [
'secretsmanager:GetRandomPassword',
],
resources: ['*'],
}),
);
}
let scheduleExpression: string | undefined;
if (props.automaticallyAfter) {
const automaticallyAfterMillis = props.automaticallyAfter.toMilliseconds();
if (automaticallyAfterMillis > 0) {
if (automaticallyAfterMillis < Duration.hours(4).toMilliseconds()) {
throw new Error(`automaticallyAfter must not be smaller than 4 hours, got ${props.automaticallyAfter.toHours()} hours`);
}
if (automaticallyAfterMillis > Duration.days(1000).toMilliseconds()) {
throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
}
scheduleExpression = Schedule.rate(props.automaticallyAfter).expressionString;
}
} else {
scheduleExpression = Schedule.rate(Duration.days(30)).expressionString;
}
let rotationRules: CfnRotationSchedule.RotationRulesProperty | undefined;
if (scheduleExpression) {
rotationRules = {
scheduleExpression,
};
}
new CfnRotationSchedule(this, 'Resource', {
secretId: props.secret.secretArn,
rotationLambdaArn: props.rotationLambda?.functionArn,
hostedRotationLambda: props.hostedRotation?.bind(props.secret, this),
rotationRules,
rotateImmediatelyOnUpdate: props.rotateImmediatelyOnUpdate,
});
// Prevent secrets deletions when rotation is in place
props.secret.denyAccountRootDelete();
}
}
/**
* Single user hosted rotation options
*/
export interface SingleUserHostedRotationOptions {
/**
* A name for the Lambda created to rotate the secret
*
* @default - a CloudFormation generated name
*/
readonly functionName?: string;
/**
* A list of security groups for the Lambda created to rotate the secret
*
* @default - a new security group is created
*/
readonly securityGroups?: ec2.ISecurityGroup[];
/**
* The VPC where the Lambda rotation function will run.
*
* @default - the Lambda is not deployed in a VPC
*/
readonly vpc?: ec2.IVpc;
/**
* The type of subnets in the VPC where the Lambda rotation function will run.
*
* @default - the Vpc default strategy if not specified.
*/
readonly vpcSubnets?: ec2.SubnetSelection;
/**
* A string of the characters that you don't want in the password
*
* @default the same exclude characters as the ones used for the
* secret or " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
*/
readonly excludeCharacters?: string;
}
/**
* Multi user hosted rotation options
*/
export interface MultiUserHostedRotationOptions extends SingleUserHostedRotationOptions {
/**
* The master secret for a multi user rotation scheme
*/
readonly masterSecret: ISecret;
}
/**
* A hosted rotation
*/
export class HostedRotation implements ec2.IConnectable {
/** MySQL Single User */
public static mysqlSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.MYSQL_SINGLE_USER, options);
}
/** MySQL Multi User */
public static mysqlMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.MYSQL_MULTI_USER, options, options.masterSecret);
}
/** PostgreSQL Single User */
public static postgreSqlSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.POSTGRESQL_SINGLE_USER, options);
}
/** PostgreSQL Multi User */
public static postgreSqlMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.POSTGRESQL_MULTI_USER, options, options.masterSecret);
}
/** Oracle Single User */
public static oracleSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.ORACLE_SINGLE_USER, options);
}
/** Oracle Multi User */
public static oracleMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.ORACLE_MULTI_USER, options, options.masterSecret);
}
/** MariaDB Single User */
public static mariaDbSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.MARIADB_SINGLE_USER, options);
}
/** MariaDB Multi User */
public static mariaDbMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.MARIADB_MULTI_USER, options, options.masterSecret);
}
/** SQL Server Single User */
public static sqlServerSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.SQLSERVER_SINGLE_USER, options);
}
/** SQL Server Multi User */
public static sqlServerMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.SQLSERVER_MULTI_USER, options, options.masterSecret);
}
/** Redshift Single User */
public static redshiftSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.REDSHIFT_SINGLE_USER, options);
}
/** Redshift Multi User */
public static redshiftMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.REDSHIFT_MULTI_USER, options, options.masterSecret);
}
/** MongoDB Single User */
public static mongoDbSingleUser(options: SingleUserHostedRotationOptions = {}) {
return new HostedRotation(HostedRotationType.MONGODB_SINGLE_USER, options);
}
/** MongoDB Multi User */
public static mongoDbMultiUser(options: MultiUserHostedRotationOptions) {
return new HostedRotation(HostedRotationType.MONGODB_MULTI_USER, options, options.masterSecret);
}
private _connections?: ec2.Connections;
private constructor(
private readonly type: HostedRotationType,
private readonly props: SingleUserHostedRotationOptions | MultiUserHostedRotationOptions,
private readonly masterSecret?: ISecret,
) {
if (type.isMultiUser && !masterSecret) {
throw new Error('The `masterSecret` must be specified when using the multi user scheme.');
}
}
/**
* Binds this hosted rotation to a secret
*/
public bind(secret: ISecret, scope: Construct): CfnRotationSchedule.HostedRotationLambdaProperty {
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html
Stack.of(scope).addTransform('AWS::SecretsManager-2020-07-23');
if (!this.props.vpc && this.props.securityGroups) {
throw new Error('`vpc` must be specified when specifying `securityGroups`.');
}
if (this.props.vpc) {
this._connections = new ec2.Connections({
securityGroups: this.props.securityGroups || [new ec2.SecurityGroup(scope, 'SecurityGroup', {
vpc: this.props.vpc,
})],
});
}
// Prevent master secret deletion when rotation is in place
if (this.masterSecret) {
this.masterSecret.denyAccountRootDelete();
}
let masterSecretArn: string | undefined;
if (this.masterSecret?.secretFullArn) {
masterSecretArn = this.masterSecret.secretArn;
} else if (this.masterSecret) { // ISecret as an imported secret with partial ARN
masterSecretArn = this.masterSecret.secretArn + '-??????';
}
const defaultExcludeCharacters = Secret.isSecret(secret)
? secret.excludeCharacters ?? DEFAULT_PASSWORD_EXCLUDE_CHARS
: DEFAULT_PASSWORD_EXCLUDE_CHARS;
return {
rotationType: this.type.name,
kmsKeyArn: secret.encryptionKey?.keyArn,
masterSecretArn: masterSecretArn,
masterSecretKmsKeyArn: this.masterSecret?.encryptionKey?.keyArn,
rotationLambdaName: this.props.functionName,
vpcSecurityGroupIds: this._connections?.securityGroups?.map(s => s.securityGroupId).join(','),
vpcSubnetIds: this.props.vpc?.selectSubnets(this.props.vpcSubnets).subnetIds.join(','),
excludeCharacters: this.props.excludeCharacters ?? defaultExcludeCharacters,
};
}
/**
* Security group connections for this hosted rotation
*/
public get connections() {
if (!this.props.vpc) {
throw new Error('Cannot use connections for a hosted rotation that is not deployed in a VPC');
}
// If we are in a vpc and bind() has been called _connections should be defined
if (!this._connections) {
throw new Error('Cannot use connections for a hosted rotation that has not been bound to a secret');
}
return this._connections;
}
}
/**
* Hosted rotation type
*/
export class HostedRotationType {
/** MySQL Single User */
public static readonly MYSQL_SINGLE_USER = new HostedRotationType('MySQLSingleUser');
/** MySQL Multi User */
public static readonly MYSQL_MULTI_USER = new HostedRotationType('MySQLMultiUser', true);
/** PostgreSQL Single User */
public static readonly POSTGRESQL_SINGLE_USER = new HostedRotationType('PostgreSQLSingleUser');
/** PostgreSQL Multi User */
public static readonly POSTGRESQL_MULTI_USER = new HostedRotationType('PostgreSQLMultiUser', true);
/** Oracle Single User */
public static readonly ORACLE_SINGLE_USER = new HostedRotationType('OracleSingleUser');
/** Oracle Multi User */
public static readonly ORACLE_MULTI_USER = new HostedRotationType('OracleMultiUser', true);
/** MariaDB Single User */
public static readonly MARIADB_SINGLE_USER = new HostedRotationType('MariaDBSingleUser');
/** MariaDB Multi User */
public static readonly MARIADB_MULTI_USER = new HostedRotationType('MariaDBMultiUser', true);
/** SQL Server Single User */
public static readonly SQLSERVER_SINGLE_USER = new HostedRotationType('SQLServerSingleUser')
/** SQL Server Multi User */
public static readonly SQLSERVER_MULTI_USER = new HostedRotationType('SQLServerMultiUser', true);
/** Redshift Single User */
public static readonly REDSHIFT_SINGLE_USER = new HostedRotationType('RedshiftSingleUser')
/** Redshift Multi User */
public static readonly REDSHIFT_MULTI_USER = new HostedRotationType('RedshiftMultiUser', true);
/** MongoDB Single User */
public static readonly MONGODB_SINGLE_USER = new HostedRotationType('MongoDBSingleUser');
/** MongoDB Multi User */
public static readonly MONGODB_MULTI_USER = new HostedRotationType('MongoDBMultiUser', true);
/**
* @param name The type of rotation
* @param isMultiUser Whether the rotation uses the mutli user scheme
*/
private constructor(public readonly name: string, public readonly isMultiUser?: boolean) {}
}