diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.assets.json index a6d7a71f73597..bf149212b906a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "a633d33a056f9a9a775353c3902b2da4fa8318b43707e565b45a591da0888305": { + "c62036466c88b9e1cc7a3ba34aa9d9be5ec760159fac241679198e1e98655fea": { "source": { "path": "aws-cdk-rds-cluster-rotation.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a633d33a056f9a9a775353c3902b2da4fa8318b43707e565b45a591da0888305.json", + "objectKey": "c62036466c88b9e1cc7a3ba34aa9d9be5ec760159fac241679198e1e98655fea.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.template.json index dcf03b6f8e08a..76898e4c7f19c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/aws-cdk-rds-cluster-rotation.template.json @@ -915,6 +915,7 @@ "SecretId": { "Ref": "CustomRotationOptionsSecretAttachment697A23BF" }, + "RotateImmediatelyOnUpdate": false, "RotationLambdaARN": { "Fn::GetAtt": [ "CustomRotationOptionsRotationSingleUserC555446F", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/integ.json index 6bb0c26d856fa..5e16b1d82a80b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "integ.cluster-rotation.lit": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/manifest.json index e7c77a659a445..6f6fb73759afc 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "aws-cdk-rds-cluster-rotation.assets": { "type": "cdk:asset-manifest", @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a633d33a056f9a9a775353c3902b2da4fa8318b43707e565b45a591da0888305.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c62036466c88b9e1cc7a3ba34aa9d9be5ec760159fac241679198e1e98655fea.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -234,28 +234,19 @@ "/aws-cdk-rds-cluster-rotation/Database/Resource": [ { "type": "aws:cdk:logicalId", - "data": "DatabaseB269D8BB", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "DatabaseB269D8BB" } ], "/aws-cdk-rds-cluster-rotation/Database/Instance1": [ { "type": "aws:cdk:logicalId", - "data": "DatabaseInstance1844F58FD", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "DatabaseInstance1844F58FD" } ], "/aws-cdk-rds-cluster-rotation/Database/Instance2": [ { "type": "aws:cdk:logicalId", - "data": "DatabaseInstance2AA380DEE", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "DatabaseInstance2AA380DEE" } ], "/aws-cdk-rds-cluster-rotation/Database/RotationSingleUser/SecurityGroup/Resource": [ @@ -321,28 +312,19 @@ "/aws-cdk-rds-cluster-rotation/CustomRotationOptions/Resource": [ { "type": "aws:cdk:logicalId", - "data": "CustomRotationOptions7CA9E132", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "CustomRotationOptions7CA9E132" } ], "/aws-cdk-rds-cluster-rotation/CustomRotationOptions/Instance1": [ { "type": "aws:cdk:logicalId", - "data": "CustomRotationOptionsInstance1D693E87C", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "CustomRotationOptionsInstance1D693E87C" } ], "/aws-cdk-rds-cluster-rotation/CustomRotationOptions/Instance2": [ { "type": "aws:cdk:logicalId", - "data": "CustomRotationOptionsInstance2A21FADD8", - "trace": [ - "!!DESTRUCTIVE_CHANGES: MAY_REPLACE" - ] + "data": "CustomRotationOptionsInstance2A21FADD8" } ], "/aws-cdk-rds-cluster-rotation/CustomRotationOptions/RotationSingleUser/SARMapping": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/tree.json index 49635bd17853e..303d47b2591e6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.js.snapshot/tree.json @@ -31,8 +31,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "version": "0.0.0" } }, "PublicSubnet1": { @@ -75,16 +75,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-rds-cluster-rotation/VPC/PublicSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -105,8 +105,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -124,8 +124,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -144,8 +144,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -164,8 +164,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -192,14 +192,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PublicSubnet2": { @@ -242,16 +242,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-rds-cluster-rotation/VPC/PublicSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -272,8 +272,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -291,8 +291,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -311,8 +311,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -331,8 +331,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -359,14 +359,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PrivateSubnet1": { @@ -409,16 +409,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-rds-cluster-rotation/VPC/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -439,8 +439,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -458,8 +458,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -478,14 +478,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "PrivateSubnet2": { @@ -528,16 +528,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-rds-cluster-rotation/VPC/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -558,8 +558,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -577,8 +577,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -597,14 +597,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "IGW": { @@ -622,8 +622,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "version": "0.0.0" } }, "VPCGW": { @@ -641,14 +641,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" } }, "SecurityGroup": { @@ -675,14 +675,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } }, "Endpoint": { @@ -741,14 +741,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } }, "Resource": { @@ -793,14 +793,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint", + "version": "0.0.0" } }, "Database": { @@ -829,14 +829,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBSubnetGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.SubnetGroup", + "version": "0.0.0" } }, "SecurityGroup": { @@ -863,8 +863,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } }, "from awscdkrdsclusterrotationDatabaseRotationSingleUserSecurityGroup0FFF34B1:{IndirectPort}": { @@ -902,22 +902,22 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } }, "AuroraMySqlDatabaseClusterEngineDefaultParameterGroup": { "id": "AuroraMySqlDatabaseClusterEngineDefaultParameterGroup", "path": "aws-cdk-rds-cluster-rotation/Database/AuroraMySqlDatabaseClusterEngineDefaultParameterGroup", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Secret": { @@ -950,8 +950,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecret", + "version": "0.0.0" } }, "Attachment": { @@ -974,8 +974,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecretTargetAttachment", + "version": "0.0.0" } }, "RotationSchedule": { @@ -1003,20 +1003,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnRotationSchedule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.RotationSchedule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.SecretTargetAttachment", + "version": "0.0.0" } }, "Policy": { @@ -1063,20 +1063,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnResourcePolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.ResourcePolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.DatabaseSecret", + "version": "0.0.0" } }, "Resource": { @@ -1127,16 +1127,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBCluster", + "version": "0.0.0" } }, "Instance1Wrapper": { "id": "Instance1Wrapper", "path": "aws-cdk-rds-cluster-rotation/Database/Instance1Wrapper", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Instance1": { @@ -1156,16 +1156,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBInstance", + "version": "0.0.0" } }, "Instance2Wrapper": { "id": "Instance2Wrapper", "path": "aws-cdk-rds-cluster-rotation/Database/Instance2Wrapper", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Instance2": { @@ -1185,8 +1185,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBInstance", + "version": "0.0.0" } }, "RotationSingleUser": { @@ -1217,22 +1217,22 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } }, "SARMapping": { "id": "SARMapping", "path": "aws-cdk-rds-cluster-rotation/Database/RotationSingleUser/SARMapping", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnMapping", + "version": "0.0.0" } }, "Resource": { @@ -1303,28 +1303,28 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_sam.CfnApplication", + "version": "0.0.0" } }, "RotationLambda": { "id": "RotationLambda", "path": "aws-cdk-rds-cluster-rotation/Database/RotationSingleUser/RotationLambda", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_lambda.FunctionBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.SecretRotation", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.DatabaseCluster", + "version": "0.0.0" } }, "CustomRotationOptions": { @@ -1353,14 +1353,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBSubnetGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.SubnetGroup", + "version": "0.0.0" } }, "SecurityGroup": { @@ -1387,8 +1387,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } }, "from awscdkrdsclusterrotationSecurityGroupB986D266:{IndirectPort}": { @@ -1426,22 +1426,22 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } }, "AuroraMySqlDatabaseClusterEngineDefaultParameterGroup": { "id": "AuroraMySqlDatabaseClusterEngineDefaultParameterGroup", "path": "aws-cdk-rds-cluster-rotation/CustomRotationOptions/AuroraMySqlDatabaseClusterEngineDefaultParameterGroup", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Secret": { @@ -1474,8 +1474,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecret", + "version": "0.0.0" } }, "Attachment": { @@ -1498,8 +1498,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecretTargetAttachment", + "version": "0.0.0" } }, "RotationSchedule": { @@ -1515,6 +1515,7 @@ "secretId": { "Ref": "CustomRotationOptionsSecretAttachment697A23BF" }, + "rotateImmediatelyOnUpdate": false, "rotationLambdaArn": { "Fn::GetAtt": [ "CustomRotationOptionsRotationSingleUserC555446F", @@ -1527,20 +1528,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnRotationSchedule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.RotationSchedule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.SecretTargetAttachment", + "version": "0.0.0" } }, "Policy": { @@ -1587,20 +1588,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnResourcePolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.ResourcePolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.DatabaseSecret", + "version": "0.0.0" } }, "Resource": { @@ -1651,16 +1652,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBCluster", + "version": "0.0.0" } }, "Instance1Wrapper": { "id": "Instance1Wrapper", "path": "aws-cdk-rds-cluster-rotation/CustomRotationOptions/Instance1Wrapper", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Instance1": { @@ -1680,16 +1681,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBInstance", + "version": "0.0.0" } }, "Instance2Wrapper": { "id": "Instance2Wrapper", "path": "aws-cdk-rds-cluster-rotation/CustomRotationOptions/Instance2Wrapper", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Instance2": { @@ -1709,8 +1710,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.CfnDBInstance", + "version": "0.0.0" } }, "RotationSingleUser": { @@ -1721,8 +1722,8 @@ "id": "SARMapping", "path": "aws-cdk-rds-cluster-rotation/CustomRotationOptions/RotationSingleUser/SARMapping", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnMapping", + "version": "0.0.0" } }, "Resource": { @@ -1797,50 +1798,50 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_sam.CfnApplication", + "version": "0.0.0" } }, "RotationLambda": { "id": "RotationLambda", "path": "aws-cdk-rds-cluster-rotation/CustomRotationOptions/RotationSingleUser/RotationLambda", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_lambda.FunctionBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_secretsmanager.SecretRotation", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_rds.DatabaseCluster", + "version": "0.0.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-rds-cluster-rotation/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-rds-cluster-rotation/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "Tree": { @@ -1848,13 +1849,13 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.ts index 00bde4a53f5cf..44361c072fca1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.cluster-rotation.lit.ts @@ -54,6 +54,7 @@ clusterWithCustomRotationOptions.addRotationSingleUser({ securityGroup, vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, endpoint: endpoint, + rotateImmediatelyOnUpdate: false, }); /// !hide diff --git a/packages/aws-cdk-lib/aws-rds/README.md b/packages/aws-cdk-lib/aws-rds/README.md index 1768cad3c9914..ad9d8580c6c46 100644 --- a/packages/aws-cdk-lib/aws-rds/README.md +++ b/packages/aws-cdk-lib/aws-rds/README.md @@ -613,10 +613,9 @@ const address = instance.instanceEndpoint.socketAddress; // "HOSTNAME:PORT" When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically: ```ts -import * as cdk from 'aws-cdk-lib'; - declare const instance: rds.DatabaseInstance; declare const mySecurityGroup: ec2.SecurityGroup; + instance.addRotationSingleUser({ automaticallyAfter: Duration.days(7), // defaults to 30 days excludeCharacters: '!@#$%^&*', // defaults to the set " %+~`#$&*()|[]{}:;<>?!'/@\"\\" @@ -674,6 +673,20 @@ instance.addRotationSingleUser({ See also [@aws-cdk/aws-secretsmanager](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-secretsmanager/README.md) for credentials rotation of existing clusters/instances. +By default, any stack updates will cause AWS Secrets Manager to rotate a secret immediately. To prevent this behavior and wait until the next scheduled rotation window specified via the `automaticallyAfter` property, set the `rotateImmediatelyOnUpdate` property to false: + +```ts +declare const instance: rds.DatabaseInstance; +declare const mySecurityGroup: ec2.SecurityGroup; + +instance.addRotationSingleUser({ + automaticallyAfter: Duration.days(7), // defaults to 30 days + excludeCharacters: '!@#$%^&*', // defaults to the set " %+~`#$&*()|[]{}:;<>?!'/@\"\\" + securityGroup: mySecurityGroup, // defaults to an auto-created security group + rotateImmediatelyOnUpdate: false, // defaults to true +}); +``` + ## IAM Authentication You can also authenticate to a database instance using AWS Identity and Access Management (IAM) database authentication; diff --git a/packages/aws-cdk-lib/aws-rds/lib/props.ts b/packages/aws-cdk-lib/aws-rds/lib/props.ts index 76cd204416b8a..0ff6a95ee50de 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/props.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/props.ts @@ -499,6 +499,14 @@ export interface CommonRotationUserOptions { * @default - a new security group is created */ readonly securityGroup?: ec2.ISecurityGroup; + + /** + * Specifies whether to rotate the secret immediately or wait until the next + * scheduled rotation window. + * + * @default true + */ + readonly rotateImmediatelyOnUpdate?: boolean; } /** diff --git a/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts b/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts index afb8472295e2b..460f5a18e41d5 100644 --- a/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts +++ b/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts @@ -1929,6 +1929,72 @@ describe('cluster', () => { }); }); + test('addRotationSingleUser() without immediate rotation', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'VPC'); + const cluster = new DatabaseCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + writer: ClusterInstance.serverlessV2('writer'), + vpc, + }); + + // WHEN + cluster.addRotationSingleUser({ rotateImmediatelyOnUpdate: false }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', { + SecretId: { + Ref: 'DatabaseSecretAttachmentE5D1B020', + }, + RotationLambdaARN: { + 'Fn::GetAtt': [ + 'DatabaseRotationSingleUser65F55654', + 'Outputs.RotationLambdaARN', + ], + }, + RotationRules: { + AutomaticallyAfterDays: 30, + }, + RotateImmediatelyOnUpdate: false, + }); + }); + + test('addRotationMultiUser() without immediate rotation', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'VPC'); + const cluster = new DatabaseCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + writer: ClusterInstance.serverlessV2('writer'), + vpc, + }); + const userSecret = new DatabaseSecret(stack, 'UserSecret', { username: 'user' }); + + // WHEN + cluster.addRotationMultiUser('user', { + secret: userSecret.attach(cluster), + rotateImmediatelyOnUpdate: false, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', { + SecretId: { + Ref: 'UserSecretAttachment16ACBE6D', + }, + RotationLambdaARN: { + 'Fn::GetAtt': [ + 'DatabaseuserECD1FB0C', + 'Outputs.RotationLambdaARN', + ], + }, + RotationRules: { + AutomaticallyAfterDays: 30, + }, + RotateImmediatelyOnUpdate: false, + }); + }); + test('throws when trying to add rotation to a cluster without secret', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-secretsmanager/README.md b/packages/aws-cdk-lib/aws-secretsmanager/README.md index 989da6bf614d4..0835e5bcd78f6 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/README.md +++ b/packages/aws-cdk-lib/aws-secretsmanager/README.md @@ -93,8 +93,6 @@ const secret = new secretsmanager.Secret(this, 'Secret', { encryptionKey: key }) secret.grantRead(otherAccount); ``` -## Rotating a Secret - ### Using a Custom Lambda Function A rotation schedule can be added to a Secret using a custom Lambda function: @@ -108,6 +106,7 @@ const secret = new secretsmanager.Secret(this, 'Secret'); secret.addRotationSchedule('RotationSchedule', { rotationLambda: fn, automaticallyAfter: Duration.days(15), + rotateImmediatelyOnUpdate: false, // default is true }); ``` @@ -124,7 +123,6 @@ const secret = new secretsmanager.Secret(this, 'Secret'); secret.addRotationSchedule('RotationSchedule', { hostedRotation: secretsmanager.HostedRotation.mysqlSingleUser(), - rotateImmediatelyOnUpdate: false, // by default, Secrets Manager rotates the secret immediately }); ``` @@ -202,6 +200,25 @@ new secretsmanager.SecretRotation(this, 'SecretRotation', { }); ``` +By default, any stack updates will cause AWS Secrets Manager to rotate a secret immediately. To prevent this behavior and wait until the next scheduled rotation window specified via the `automaticallyAfter` property, set the `rotateImmediatelyOnUpdate` property to false: + +```ts +declare const myUserSecret: secretsmanager.Secret; +declare const myMasterSecret: secretsmanager.Secret; +declare const myDatabase: ec2.IConnectable; +declare const myVpc: ec2.Vpc; + +new secretsmanager.SecretRotation(this, 'SecretRotation', { + application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER, + secret: myUserSecret, // The secret that will be rotated + masterSecret: myMasterSecret, // The secret used for the rotation + target: myDatabase, + vpc: myVpc, + automaticallyAfter: Duration.days(7), + rotateImmediatelyOnUpdate: false, +}); +``` + See also [aws-rds](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-rds/README.md) where credentials generation and rotation is integrated. diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts index 736bf715ee435..411199c3f3aa6 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts +++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts @@ -47,7 +47,7 @@ export interface RotationScheduleOptions { * Specifies whether to rotate the secret immediately or wait until the next * scheduled rotation window. * - * @default - secret is rotated immediately + * @default true */ readonly rotateImmediatelyOnUpdate?: boolean; } diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.ts index a84dcdcfe13b2..5bef0004a5d62 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.ts +++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret-rotation.ts @@ -259,6 +259,14 @@ export interface SecretRotationProps { * @default https://secretsmanager..amazonaws.com */ readonly endpoint?: ec2.IInterfaceVpcEndpoint; + + /** + * Specifies whether to rotate the secret immediately or wait until the next + * scheduled rotation window. + * + * @default true + */ + readonly rotateImmediatelyOnUpdate?: boolean; } /** @@ -342,6 +350,7 @@ export class SecretRotation extends Construct { props.secret.addRotationSchedule('RotationSchedule', { rotationLambda, automaticallyAfter: props.automaticallyAfter, + rotateImmediatelyOnUpdate: props.rotateImmediatelyOnUpdate, }); // Prevent master secret deletion when rotation is in place diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/secret-rotation.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/secret-rotation.test.ts index 074658d96b70d..0d24a57fed8ab 100644 --- a/packages/aws-cdk-lib/aws-secretsmanager/test/secret-rotation.test.ts +++ b/packages/aws-cdk-lib/aws-secretsmanager/test/secret-rotation.test.ts @@ -271,6 +271,22 @@ test('secret rotation allows passing an empty string for excludeCharacters', () }); }); +test('secret rotation without immediate rotation', () => { + // WHEN + new secretsmanager.SecretRotation(stack, 'SecretRotation', { + application: secretsmanager.SecretRotationApplication.MARIADB_ROTATION_SINGLE_USER, + secret, + target, + vpc, + rotateImmediatelyOnUpdate: false, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SecretsManager::RotationSchedule', { + RotateImmediatelyOnUpdate: false, + }); +}); + test('throws when connections object has no default port range', () => { // WHEN const targetWithoutDefaultPort = new ec2.Connections({