aws · rix0rrr · Mar 26, 2019 · Mar 13, 2019 · Mar 20, 2019 · Mar 20, 2019
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -75,7 +75,7 @@ export interface SecretProps {
  * @default 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
  * category), per the default values of ``SecretStringGenerator``.
  */
- generateSecretString?: SecretStringGenerator;
+ generateSecretString?: SecretStringGenerator | TemplatedSecretStringGenerator;
 
  /**
  * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.expected.json b/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.expected.json
@@ -79,6 +79,46 @@
  }
  }
  }
+ },
+ "TemplatedSecret3D98B577": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "GenerateSecretString": {
+ "GenerateStringKey": "password",
+ "SecretStringTemplate": "{\"username\":\"user\"}"
+ }
+ }
+ },
+ "OtherUser6093621C": {
+ "Type": "AWS::IAM::User",
+ "Properties": {
+ "LoginProfile": {
+ "Password": {
+ "Fn::Join": [
+ "",
+ [
+ "{{resolve:secretsmanager:",
+ {
+ "Ref": "TemplatedSecret3D98B577"
+ },
+ ":SecretString:password::}}"
+ ]
+ ]
+ }
+ },
+ "UserName": {
+ "Fn::Join": [
+ "",
+ [
+ "{{resolve:secretsmanager:",
+ {
+ "Ref": "TemplatedSecret3D98B577"
+ },
+ ":SecretString:username::}}"
+ ]
+ ]
+ }
+ }
  }
  }
 }
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.ts b/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.ts
@@ -9,12 +9,26 @@ class SecretsManagerStack extends cdk.Stack {
  const role = new iam.Role(this, 'TestRole', { assumedBy: new iam.AccountRootPrincipal() });
 
  /// !show
+ // Default secret
  const secret = new secretsManager.Secret(this, 'Secret');
  secret.grantRead(role);
 
  new iam.User(this, 'User', {
  password: secret.stringValue
  });
+
+ // Templated secret
+ const templatedSecret = new secretsManager.Secret(this, 'TemplatedSecret', {
+ generateSecretString: {
+ secretStringTemplate: JSON.stringify({ username: 'user' }),
+ generateStringKey: 'password'
+ }
+ });
+
+ new iam.User(this, 'OtherUser', {
+ userName: templatedSecret.jsonFieldValue('username'),
+ password: templatedSecret.jsonFieldValue('password')
+ });
  /// !hide
  }
 }

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -21,6 +21,29 @@ export = {
  test.done();
  },
 
+ 'templated secret string'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+
+ // WHEN
+ new secretsmanager.Secret(stack, 'Secret', {
+ generateSecretString: {
+ secretStringTemplate: JSON.stringify({ username: 'username' }),
+ generateStringKey: 'password'
+ }
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::SecretsManager::Secret', {
+ GenerateSecretString: {
+ SecretStringTemplate: '{"username":"username"}',
+ GenerateStringKey: 'password'
+ }
+ }));
+
+ test.done();
+ },
+
  'grantRead'(test: Test) {
  // GIVEN
  const stack = new cdk.Stack();