diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
index f21330a12b17c..f8b5c879ce48a 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
@@ -144,7 +144,10 @@
 "RotationRules": {
 "AutomaticallyAfterDays": 30
 }
- }
+ },
+ "DependsOn": [
+ "LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677"
+ ]
 },
 "SecretPolicy06C9821C": {
 "Type": "AWS::SecretsManager::ResourcePolicy",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
index eedd5f6654472..18cdb2597de5f 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
@@ -2,6 +2,7 @@ import * as kms from 'aws-cdk-lib/aws-kms';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 
 class TestStack extends cdk.Stack {
 constructor(scope: cdk.App, id: string) {
@@ -24,5 +25,11 @@ class TestStack extends cdk.Stack {
 }
 
 const app = new cdk.App();
-new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+const stack = new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+new integ.IntegTest(app, 'cdk-integ-secret-lambda-rotation-test', {
+ testCases: [stack],
+});
+
 app.synth();
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
index 411199c3f3aa6..b2460667599f1 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
@@ -100,7 +100,8 @@ export class RotationSchedule extends Resource {
 );
 }
 
- props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+ const grant = props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+ grant.applyBefore(this);
 
 props.rotationLambda.addToRolePolicy(
 new iam.PolicyStatement({
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
index 2452c751c7830..8e2052f02ca1d 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
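Review bot: In the rotation-schedule.ts hunk, `grant.applyBefore(this);` is the entire fix but carries no comment, so the next reader has no way to know the ordering is load-bearing and may fold it back into a bare `grantInvoke`; suggest `// Create the Lambda invoke permission before the schedule: the schedule is unusable until Secrets Manager is allowed to call the rotation function.` (adjust the second clause to the failure actually observed). While this line is being touched, note that `grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'))` still attaches a resource policy with the bare service principal and no source-account or source-ARN condition, so the function is invocable by Secrets Manager acting for any account; scoping it (for example via `conditions` on the `ServicePrincipal`, if `grantInvoke` forwards them to the permission — confirm against the Lambda `addPermission` implementation) is a separate follow-up rather than part of this ordering change. The enclosing `RotationSchedule` constructor starts before and ends after the hunk.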
@@ -629,3 +629,25 @@ describe('manual rotations', () => {
 checkRotationNotSet(Duration.millis(0));
 });
 });
+
+test('rotation schedule should have a dependency on lambda permissions', () => {
+ // GIVEN
+ const secret = new secretsmanager.Secret(stack, 'Secret');
+ const rotationLambda = new lambda.Function(stack, 'Lambda', {
+ runtime: lambda.Runtime.NODEJS_14_X,
+ code: lambda.Code.fromInline('export.handler = event => event;'),
+ handler: 'index.handler',
+ });
+
+ // WHEN
+ secret.addRotationSchedule('RotationSchedule', {
+ rotationLambda,
+ });
+
+ // THEN
+ Template.fromStack(stack).hasResource('AWS::SecretsManager::RotationSchedule', {
+ DependsOn: [
+ 'LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677',
+ ],
+ });
+});
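Review bot: The `DependsOn` assertion pins the hashed logical ID `LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677`, so the test will fail on any change to the permission's construct path or hash that has nothing to do with ordering; a matcher keeps the intent without the brittleness, e.g. `DependsOn: [Match.stringLikeRegexp('^LambdaInvoke')],` (requires `Match` from `aws-cdk-lib/assertions`, which may already be imported next to `Template` above the hunk). The inline handler `'export.handler = event => event;'` should read `exports.handler`; it is never executed in this unit test, but anyone copying the fixture gets a function that fails to load. `stack` is presumably a module-level fixture reset in a `beforeEach` outside the hunk — worth confirming the new top-level `test` does not reuse a stack already populated by the `describe` blocks above it.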