aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

SecretsManager: is there a feature to set a day of the week rather than specifying a number of days #31002

Open PreranaAmirapu opened 1 month ago

PreranaAmirapu commented 1 month ago

Describe the bug

    self.harness_secret.add_rotation_schedule(
        "RotationSchedule", rotation_lambda=rotate_delegates_function, automatically_after=Duration.days(7)
    )

This is the code I have written; it rotates after 7 days, but I want my secret to rotate on Sunday only. I have tried the code below but it is not working:

    cfn_rotation_schedule = secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.example_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

Expected Behavior

Rotate every Sunday.

Current Behavior

    cfn_rotation_schedule = secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.example_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

It is not throwing an error, but the Lambda is not being attached to the secret.

Reproduction Steps

-

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.147.0

Framework Version

No response

Node.js Version

v22.4.1

OS

mac

Language

Python

Language Version

No response

Other information

No response
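The L2 `Secret.add_rotation_schedule` API used at the top of the issue only accepts a `Duration`, so a day-of-week schedule needs the CDK escape hatch onto the `CfnRotationSchedule` that the L2 construct creates. The following is an added example, not code from the issue thread or from aws-cdk itself: it checks the schedule expression against the structural rules in the Secrets Manager schedule documentation (a six-field `cron(...)` with `?` in exactly one of day-of-month/day-of-week, or a `rate(...)`), then writes it into `RotationRules.ScheduleExpression` with `add_property_override`. Going through the L2 construct also keeps its grant of invoke permission to `secretsmanager.amazonaws.com` on the function, which a bare `CfnRotationSchedule` does not set up. It assumes aws-cdk-lib v2; the secret and function objects passed in are hypothetical names from the caller's stack.

```python
"""Day-of-week rotation schedule for a Secrets Manager secret via the CDK L2 API.

Added example (not from the issue thread or the aws-cdk project).
Assumes aws-cdk-lib v2; `secret` and `rotation_fn` are the caller's own
constructs (hypothetical names).
"""
import re

_SCHEDULE_RE = re.compile(r"^(cron|rate)\((.*)\)$")
_RATE_RE = re.compile(r"^[1-9]\d* (hour|hours|day|days)$")


def validate_schedule_expression(expr: str) -> str:
    """Return expr unchanged if it has the shape Secrets Manager accepts, else raise ValueError.

    Structural checks only: rate(<N> hours|days), or a six-field
    cron(Minutes Hours Day-of-month Month Day-of-week Year) in which exactly one
    of Day-of-month / Day-of-week is '?'.  Field value ranges are left to the
    service; the point is to catch the mistakes that otherwise surface only at
    deploy time or as a schedule that never fires.  Times are UTC.
    """
    match = _SCHEDULE_RE.match(expr.strip())
    if not match:
        raise ValueError(f"schedule must be cron(...) or rate(...): {expr!r}")
    kind, body = match.group(1), match.group(2).strip()
    if kind == "rate":
        if not _RATE_RE.match(body):
            raise ValueError(f"rate() takes '<N> hours' or '<N> days': {expr!r}")
        return expr
    fields = body.split()
    if len(fields) != 6:
        raise ValueError(f"cron() needs 6 fields, got {len(fields)}: {expr!r}")
    _minutes, _hours, day_of_month, _month, day_of_week, _year = fields
    if (day_of_month == "?") == (day_of_week == "?"):
        raise ValueError(
            f"exactly one of day-of-month and day-of-week must be '?': {expr!r}"
        )
    return expr


def is_valid_schedule_expression(expr: str) -> bool:
    """Boolean wrapper around validate_schedule_expression."""
    try:
        validate_schedule_expression(expr)
    except ValueError:
        return False
    return True


def add_cron_rotation_schedule(secret, rotation_fn, expr, construct_id="RotationSchedule"):
    """Attach rotation_fn to secret with the L2 API, then swap in a cron schedule.

    The L2 RotationSchedule grants secretsmanager.amazonaws.com permission to
    invoke rotation_fn; the raw CfnRotationSchedule from the issue does not.
    """
    # Imported here so the validator above also works where the CDK is not installed.
    from aws_cdk import aws_secretsmanager as secretsmanager

    schedule = secret.add_rotation_schedule(construct_id, rotation_lambda=rotation_fn)
    # Escape hatch: the L1 CfnRotationSchedule behind the L2 construct.
    cfn_schedule = schedule.node.default_child
    assert isinstance(cfn_schedule, secretsmanager.CfnRotationSchedule)
    # Override the ScheduleExpression the L2 derived from automatically_after
    # (a rate() expression) with the validated cron expression.
    cfn_schedule.add_property_override(
        "RotationRules.ScheduleExpression", validate_schedule_expression(expr)
    )
    return schedule


# Usage inside a Stack, e.g. every Sunday at 12:00 UTC (hypothetical names):
#   add_cron_rotation_schedule(self.harness_secret, rotate_delegates_function,
#                              "cron(0 12 ? * SUN *)")
```

The override path `RotationRules.ScheduleExpression` is the CloudFormation property name, not the Python keyword, because property overrides are applied to the synthesized template. Running `cdk synth` afterwards and confirming the `AWS::SecretsManager::RotationSchedule` resource carries the cron expression is the quickest way to verify the override took effect.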

khushail commented 1 month ago

Hey @PreranaAmirapu, thanks for reaching out.

Here is a doc explaining the variations of cron expressions - https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html#rotate-secrets_schedule-cron

I ran the code below and it added the Lambda successfully -


        # a sample rotation lambda for secret rotation
        rotation_lambda = aws_lambda.Function(
            self, "RotationLambda",
            runtime=aws_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=aws_lambda.Code.from_inline("def handler(event, context): return 'Hello, CDK!';"),
        )

        rotation_lambda.add_permission("SecretRotationPermission",
            principal= iam.ServicePrincipal("secretsmanager.amazonaws.com"),
            action="lambda:InvokeFunction",
            source_arn="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
        )

        cfn_rotation_schedule = secretmanager.CfnRotationSchedule(
            self, "RotationSchedule",
            secret_id="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
            rotation_lambda_arn=rotation_lambda.function_arn,
            rotation_rules=secretmanager.CfnRotationSchedule.RotationRulesProperty(
                schedule_expression="cron(0 8 ? * SUN *)",
            )
        )

Here is a snapshot of this being attached -

[Screenshot 2024-08-01 at 1:30:38 PM]

Let us know if this works!

PreranaAmirapu commented 1 month ago

my code:

    rotate_delegates_function.add_permission(
        "SecretRotationPermission",
        principal=iam.ServicePrincipal("secretsmanager.amazonaws.com"),
        action="lambda:InvokeFunction",
        source_arn=self.harness_secret.secret_arn,
    )

    secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.harness_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)

Even though I have added the above permission, it is not being applied.

PreranaAmirapu commented 1 month ago

[Screenshot 2024-08-02 at 9:44:32 PM]

The permission is added, I guess.

khushail commented 1 month ago

@PreranaAmirapu, so it looks like the code is working? Right?

PreranaAmirapu commented 1 month ago

I'm getting this error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)

khushail commented 1 month ago

@PreranaAmirapu, this error only indicates that the function policy needs to be added, which is added in the given code. These are the alternatives you could try -

  1. Could you please specify the complete ARN in source_arn, instead of using a reference.
  2. Run this command in the terminal -
    aws lambda add-permission \
          --function-name secrets_manager \
          --principal secretsmanager.amazonaws.com \
          --action lambda:InvokeFunction \
          --statement-id SecretsManagerAccess

Replace the function name with your Lambda function name.

Let me know if this works
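After adding the permission, `aws lambda get-policy --function-name <name>` returns the function's resource-based policy as a JSON string in its `Policy` field, and reading that document is the direct way to confirm whether the statement Secrets Manager needs is really there. The following is an added example, not code from the issue thread or from aws-cdk: it lists the Allow statements that let `secretsmanager.amazonaws.com` invoke the function and, when a secret ARN is supplied, honours an `AWS:SourceArn` condition so that a statement scoped to a different secret is not mistaken for the right one. The sample policy is constructed for the example; the account number, secret ARN and function name `secrets_manager` are reused from the snippets in this thread and `otherSecret-EXAMPLE` is a placeholder.

```python
"""Check a Lambda resource-based policy for the statement Secrets Manager rotation needs.

Added example (not from the issue thread or the aws-cdk project).  Works on the
JSON string found in the "Policy" field of `aws lambda get-policy` output.
"""
import json
from fnmatch import fnmatchcase

SECRETS_MANAGER_PRINCIPAL = "secretsmanager.amazonaws.com"
INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:*")

# Constructed sample values: account/secret ARN and function name taken from the
# thread, otherSecret-EXAMPLE is a placeholder.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:secrets_manager"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4"
OTHER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:otherSecret-EXAMPLE"


def _as_list(value):
    """IAM policy JSON allows a single string or object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _source_arn_pattern(statement):
    """Return the AWS:SourceArn of an ArnLike/ArnEquals condition, or None if unscoped."""
    condition = statement.get("Condition", {})
    for operator in ("ArnLike", "ArnEquals"):
        pattern = condition.get(operator, {}).get("AWS:SourceArn")
        if pattern:
            return pattern
    return None


def secretsmanager_invoke_statements(policy_json, function_arn, secret_arn=None):
    """Sids of Allow statements letting secretsmanager.amazonaws.com invoke function_arn.

    With secret_arn given, a statement scoped by an AWS:SourceArn condition counts
    only if that condition matches the secret (ArnLike wildcards honoured).
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    matches = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SECRETS_MANAGER_PRINCIPAL not in services:
            continue
        if not any(a in INVOKE_ACTIONS for a in _as_list(statement.get("Action"))):
            continue
        if not any(fnmatchcase(function_arn, r) for r in _as_list(statement.get("Resource"))):
            continue
        if secret_arn is not None:
            pattern = _source_arn_pattern(statement)
            if pattern is not None and not fnmatchcase(secret_arn, pattern):
                continue  # granted, but only for some other source ARN
        matches.append(statement.get("Sid", "<no Sid>"))
    return matches


def can_rotate(policy_json, function_arn, secret_arn):
    """True if at least one statement lets Secrets Manager invoke the function for this secret."""
    return bool(secretsmanager_invoke_statements(policy_json, function_arn, secret_arn))


# Constructed sample policy, shaped like the "Policy" field of `aws lambda get-policy`.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "SecretRotationPermission", "Effect": "Allow",
         "Principal": {"Service": SECRETS_MANAGER_PRINCIPAL},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": SECRET_ARN}}},
        {"Sid": "OtherSecretOnly", "Effect": "Allow",
         "Principal": {"Service": SECRETS_MANAGER_PRINCIPAL},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": OTHER_SECRET_ARN}}},
        {"Sid": "EventBridge", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    ],
})

if __name__ == "__main__":
    print(secretsmanager_invoke_statements(SAMPLE_POLICY, FUNCTION_ARN, SECRET_ARN))
```

In the thread's setup the `add_permission` call scopes the statement with `source_arn=self.harness_secret.secret_arn`, so a rotation schedule pointed at a different secret ARN (or a policy that was never updated because the deployment created the schedule first) would show up here as `can_rotate(...)` returning False even though a Secrets Manager statement exists.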