From 0eec29c02422e9919e56b222744357686f009f29 Mon Sep 17 00:00:00 2001
From: Luca Pizzini
Date: Wed, 26 Jul 2023 12:37:43 +0200
Subject: [PATCH 1/2] fix(secretsmanager): fixed unreliable lambda rotation schedule resource creation

---
 ...integ-secret-lambda-rotation.template.json | 5 ++++-
 .../lib/rotation-schedule.ts | 3 ++-
 .../test/rotation-schedule.test.ts | 22 +++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
index f21330a12b17c..f8b5c879ce48a 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
@@ -144,7 +144,10 @@
         "RotationRules": {
           "AutomaticallyAfterDays": 30
         }
-      }
+      },
+      "DependsOn": [
+        "LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677"
+      ]
     },
     "SecretPolicy06C9821C": {
       "Type": "AWS::SecretsManager::ResourcePolicy",
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
index 411199c3f3aa6..b2460667599f1 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
@@ -100,7 +100,8 @@ export class RotationSchedule extends Resource {
       );
     }
-    props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+    const grant = props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+    grant.applyBefore(this);
     props.rotationLambda.addToRolePolicy(
       new iam.PolicyStatement({
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
index 2452c751c7830..8e2052f02ca1d 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
@@ -629,3 +629,25 @@ describe('manual rotations', () => {
     checkRotationNotSet(Duration.millis(0));
   });
 });
+
+test('rotation schedule should have a dependency on lambda permissions', () => {
+  // GIVEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const rotationLambda = new lambda.Function(stack, 'Lambda', {
+    runtime: lambda.Runtime.NODEJS_14_X,
+    code: lambda.Code.fromInline('export.handler = event => event;'),
+    handler: 'index.handler',
+  });
+
+  // WHEN
+  secret.addRotationSchedule('RotationSchedule', {
+    rotationLambda,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResource('AWS::SecretsManager::RotationSchedule', {
+    DependsOn: [
+      'LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677',
+    ],
+  });
+});
From 0d3145ee9f4e5de11f1910017e51888f0e3af73d Mon Sep 17 00:00:00 2001
From: Luca Pizzini
Date: Fri, 18 Aug 2023 08:47:31 +0200
Subject: [PATCH 2/2] updated integration test

---
 .../aws-secretsmanager/test/integ.lambda-rotation.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
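Review bot: `grant.applyBefore(this)` only adds a CloudFormation dependency on whatever dependables the returned `Grant` carries, so when `rotationLambda` is an imported function whose `grantInvoke` emits no `AWS::Lambda::Permission` in this stack (the cross-environment import case, as far as the `Grant` API suggests — worth confirming), the call is silently a no-op and the create-time ordering this patch relies on is not enforced. The line also reads as pure plumbing and deserves a why-comment so the next reader does not remove it: `// Secrets Manager invokes the rotation function as soon as the schedule is created, so the invoke permission (AWS::Lambda::Permission) must be in place before the RotationSchedule resource.` The constructor this sits in starts and ends outside the hunk.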
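Review bot: The new test pins the hashed logical ID `LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677`, which changes whenever the construct path or the grant's principal changes, so the test will fail on unrelated refactors without saying what it actually guards (that the schedule depends on the invoke permission). Look the permission up instead: `const template = Template.fromStack(stack);`, `const [permissionId] = Object.keys(template.findResources('AWS::Lambda::Permission'));`, then `template.hasResource('AWS::SecretsManager::RotationSchedule', { DependsOn: [permissionId] });`. Two smaller points on the fixture: the inline code reads `export.handler`, which is not valid CommonJS (`exports.handler`) even though it is never executed here, and Node.js 14 was end-of-life by this commit date, so `NODEJS_14_X` is likely deprecated — match the runtime the other tests in this file use.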
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
index eedd5f6654472..18cdb2597de5f 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
@@ -2,6 +2,7 @@ import * as kms from 'aws-cdk-lib/aws-kms';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string) {
@@ -24,5 +25,11 @@ class TestStack extends cdk.Stack {
 }
 const app = new cdk.App();
-new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+const stack = new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+new integ.IntegTest(app, 'cdk-integ-secret-lambda-rotation-test', {
+  testCases: [stack],
+});
+
 app.synth();
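Review bot: The `IntegTest` is created with `testCases: [stack]` only, so the test passes as soon as the stack deploys; that does exercise the create-time ordering this PR fixes, but it would not catch a regression in which the first rotation fails asynchronously after the `RotationSchedule` resource is created. If `TestStack` exposes the secret (its constructor body is outside this hunk, so I cannot tell), keep a handle on the test (`const integTest = new integ.IntegTest(...)`) and add an assertion such as `integTest.assertions.awsApiCall('SecretsManager', 'describeSecret', { SecretId: stack.secret.secretArn }).expect(integ.ExpectedResult.objectLike({ RotationEnabled: true }))`. The response field name comes from the Secrets Manager API rather than anything visible here, so verify it before relying on it.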