secretsmanager: Removal Policy set on the secret is not applied to the Resource Policy of the secret #30408
@grbinho, thanks for reaching out. RemovalPolicy is not set on Resource policy because of the following -

```
Resources
[+] AWS::KMS::Key KeyTest KeyTestDB4145CA
[+] AWS::SecretsManager::Secret my-secret-01 mysecret01CE6DE629
[+] AWS::SecretsManager::ResourcePolicy my-secret-01/Policy mysecret01PolicyB5B07F62
```
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug

If `removalPolicy` of a secret is set to retain, that is not propagated to the `ResourcePolicy` created/updated for that secret by calling `addToResourcePolicy`.

Expected Behavior

When `removalPolicy` is set to `RETAIN` and the secret resource is removed from CDK code, I expected that the `ResourcePolicy` of that secret is also retained.

Current Behavior

When `removalPolicy` is set to `RETAIN`, and the secret resource is removed from CDK code, the `ResourcePolicy` of the secret is deleted.

Reproduction Steps
To replicate this, first create a Secret with a custom resource policy.
Change the CDK code and remove the above snippet.
The expectation is that both the secret and the policy remain in the AWS account after deploying.
Possible Solution

`removalPolicy` is not applied to the `ResourcePolicy` construct in the `addToResourcePolicy` function: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts#L438

`applyRemovalPolicy` does not consider the secret's resource policy: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts#L655
Additional Information/Context
No response
CDK CLI Version
2.118.0 (build a40f2ec)
Framework Version
No response
Node.js Version
v18.20.2
OS
MacOS Sonoma 14.5 (23F79)
Language
TypeScript
Language Version
5.4.5
Other information
No response
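The mismatch the report describes, as an added example that is not code from aws-cdk or from the issue author: a TypeScript lint over the synthesized CloudFormation template (`cdk.out/<stack>.template.json` after `cdk synth`) that reports every `AWS::SecretsManager::ResourcePolicy` whose `DeletionPolicy` is not `Retain` while the secret it points at is. The template shape it assumes (the policy resource carrying `SecretId: { Ref: <secret logical id> }` and no `DeletionPolicy` attribute of its own, so CloudFormation's default `Delete` applies) is what the behaviour described in the issue produces; the logical ids are copied from the `cdk diff` output in the maintainer's comment, while the policy statement and the account id are constructed for the sample.

```typescript
// Added example (not aws-cdk's code): lint a synthesized template for
// Secrets Manager resource policies that will be deleted while the secret
// they are attached to is retained.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface Finding {
  secret: string;               // logical id of the AWS::SecretsManager::Secret
  policy: string;               // logical id of the AWS::SecretsManager::ResourcePolicy
  secretDeletionPolicy: string;
  policyDeletionPolicy: string;
}

// CloudFormation applies Delete when a resource carries no DeletionPolicy.
function deletionPolicyOf(res: CfnResource): string {
  return res.DeletionPolicy ?? 'Delete';
}

// The L2 wires the policy to its secret with SecretId: { Ref: <logicalId> }.
// A literal ARN (a secret imported from elsewhere) cannot be matched inside
// this template, so it yields undefined and the policy is skipped.
function referencedSecretId(policy: CfnResource): string | undefined {
  const secretId = policy.Properties?.['SecretId'];
  if (typeof secretId === 'object' && secretId !== null && 'Ref' in secretId) {
    const ref = (secretId as { Ref: unknown }).Ref;
    return typeof ref === 'string' ? ref : undefined;
  }
  return undefined;
}

function findUnretainedResourcePolicies(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [policyId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::SecretsManager::ResourcePolicy') continue;
    const secretId = referencedSecretId(res);
    if (secretId === undefined) continue;
    const secret = template.Resources[secretId];
    if (secret === undefined || secret.Type !== 'AWS::SecretsManager::Secret') continue;
    const secretPolicy = deletionPolicyOf(secret);
    const policyPolicy = deletionPolicyOf(res);
    // Retain on the secret with anything weaker on its policy is the reported bug.
    if (secretPolicy === 'Retain' && policyPolicy !== 'Retain') {
      findings.push({ secret: secretId, policy: policyId, secretDeletionPolicy: secretPolicy, policyDeletionPolicy: policyPolicy });
    }
  }
  return findings;
}

// Convenience wrapper for the JSON text of a cdk.out template file.
function lintTemplateJson(json: string): Finding[] {
  return findUnretainedResourcePolicies(JSON.parse(json) as CfnTemplate);
}

// Returns a copy in which every flagged policy inherits Retain, i.e. the
// template the issue expects. The input is left untouched.
function retainPoliciesOfRetainedSecrets(template: CfnTemplate): CfnTemplate {
  const copy: CfnTemplate = JSON.parse(JSON.stringify(template));
  for (const f of findUnretainedResourcePolicies(copy)) {
    const res = copy.Resources[f.policy];
    if (res !== undefined) {
      res.DeletionPolicy = 'Retain';
      res.UpdateReplacePolicy = 'Retain';
    }
  }
  return copy;
}

// Constructed sample template. Logical ids mirror the diff in the maintainer's
// comment; the statement and the account id are made up for this example.
const sampleTemplate: CfnTemplate = {
  Resources: {
    mysecret01CE6DE629: {
      Type: 'AWS::SecretsManager::Secret',
      Properties: { Name: 'my-secret-01', GenerateSecretString: {} },
      DeletionPolicy: 'Retain',
      UpdateReplacePolicy: 'Retain',
    },
    mysecret01PolicyB5B07F62: {
      Type: 'AWS::SecretsManager::ResourcePolicy',
      Properties: {
        SecretId: { Ref: 'mysecret01CE6DE629' },
        ResourcePolicy: {
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow',
            Principal: { AWS: 'arn:aws:iam::111111111111:root' },
            Action: 'secretsmanager:GetSecretValue',
            Resource: '*',
          }],
        },
      },
      // No DeletionPolicy: what addToResourcePolicy emits per this issue.
    },
  },
};
```

The same check can be expressed against `Template.fromStack(stack).toJSON()` from `aws-cdk-lib/assertions` in a unit test, so the mismatch fails CI instead of surfacing when the stack is torn down and the retained secret is left with its cross-account grants gone. Until the construct propagates the policy itself, one workaround consistent with the diff above (the policy appears as the child `Policy` of the secret) is to look it up with `secret.node.tryFindChild('Policy')` after `addToResourcePolicy` and call `applyRemovalPolicy(RemovalPolicy.RETAIN)` on it; that the child id is `Policy` and that `ResourcePolicy` exposes `applyRemovalPolicy` are assumptions to confirm against the installed `aws-cdk-lib` version.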