Skip to content

API.md

Latest commit

 

History

History
3440 lines (2126 loc) · 124 KB

API.md

File metadata and controls

3440 lines (2126 loc) · 124 KB

API Reference

Constructs

MultiStringParameter

Initializers 

import { MultiStringParameter } from 'cdk-sops-secrets'

new MultiStringParameter(scope: Construct, id: string, props: MultiStringParameterProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props MultiStringParameterProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { MultiStringParameter } from 'cdk-sops-secrets'

MultiStringParameter.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
encryptionKey aws-cdk-lib.aws_kms.IKey No description.
env aws-cdk-lib.interfaces.ResourceEnvironment No description.
keyPrefix string No description.
keySeparator string No description.
stack aws-cdk-lib.Stack No description.
sync SopsSync No description.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

encryptionKeyRequired 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.interfaces.ResourceEnvironment
keyPrefixRequired 
public readonly keyPrefix: string;
  • Type: string
keySeparatorRequired 
public readonly keySeparator: string;
  • Type: string
stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack
syncRequired 
public readonly sync: SopsSync;

SopsSecret

  • Implements: aws-cdk-lib.aws_secretsmanager.ISecret

A drop in replacement for the normal Secret, that is populated with the encrypted content of the given sops file.

Initializers 

import { SopsSecret } from 'cdk-sops-secrets'

new SopsSecret(scope: Construct, id: string, props: SopsSecretProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsSecretProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
addRotationSchedule Adds a rotation schedule to the secret.
addToResourcePolicy Adds a statement to the IAM resource policy associated with this secret.
applyRemovalPolicy Apply the given removal policy to this resource.
attach Attach a target to this secret.
cfnDynamicReferenceKey Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager.
currentVersionId No description.
denyAccountRootDelete Denies the DeleteSecret action to all principals within the current account.
grantRead Grants reading the secret value to some role.
grantWrite Grants writing and updating the secret value to some role.
secretValueFromJson Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString 
public toString(): string

Returns a string representation of this construct.

addRotationSchedule 
public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Adds a rotation schedule to the secret.

idRequired
  • Type: string
optionsRequired
  • Type: aws-cdk-lib.aws_secretsmanager.RotationScheduleOptions
addToResourcePolicy 
public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

statementRequired
  • Type: aws-cdk-lib.aws_iam.PolicyStatement
applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
attach 
public attach(target: ISecretAttachmentTarget): ISecret

Attach a target to this secret.

targetRequired
  • Type: aws-cdk-lib.aws_secretsmanager.ISecretAttachmentTarget
cfnDynamicReferenceKey 
public cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string

Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager.

optionsOptional
  • Type: aws-cdk-lib.SecretsManagerSecretOptions
currentVersionId 
public currentVersionId(): string
denyAccountRootDelete 
public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.

grantRead 
public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Grants reading the secret value to some role.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
versionStagesOptional
  • Type: string[]
grantWrite 
public grantWrite(_grantee: IGrantable): Grant

Grants writing and updating the secret value to some role.

_granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
secretValueFromJson 
public secretValueFromJson(jsonField: string): SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

jsonFieldRequired
  • Type: string

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { SopsSecret } from 'cdk-sops-secrets'

SopsSecret.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to.
secretArn string The ARN of the secret in AWS Secrets Manager.
secretName string The name of the secret.
secretRef aws-cdk-lib.interfaces.aws_secretsmanager.SecretReference A reference to a Secret resource.
secretValue aws-cdk-lib.SecretValue Retrieve the value of the stored secret as a SecretValue.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
sync SopsSync No description.
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key that is used to encrypt this secret, if any.
secretFullArn string The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.interfaces.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

secretArnRequired 
public readonly secretArn: string;
  • Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

secretNameRequired 
public readonly secretName: string;
  • Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

secretRefRequired 
public readonly secretRef: SecretReference;
  • Type: aws-cdk-lib.interfaces.aws_secretsmanager.SecretReference

A reference to a Secret resource.

secretValueRequired 
public readonly secretValue: SecretValue;
  • Type: aws-cdk-lib.SecretValue

Retrieve the value of the stored secret as a SecretValue.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

syncRequired 
public readonly sync: SopsSync;
encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

secretFullArnOptional 
public readonly secretFullArn: string;
  • Type: string

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

SopsStringParameter

  • Implements: aws-cdk-lib.aws_ssm.IStringParameter

A drop in replacement for the normal String Parameter, that is populated with the encrypted content of the given sops file.

Initializers 

import { SopsStringParameter } from 'cdk-sops-secrets'

new SopsStringParameter(scope: Construct, id: string, props: SopsStringParameterProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsStringParameterProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
grantRead Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter.
grantWrite Grants write (PutParameter) permissions on the SSM Parameter.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
grantRead 
public grantRead(grantee: IGrantable): Grant

Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantWrite 
public grantWrite(grantee: IGrantable): Grant

Grants write (PutParameter) permissions on the SSM Parameter.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { SopsStringParameter } from 'cdk-sops-secrets'

SopsStringParameter.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
encryptionKey aws-cdk-lib.aws_kms.IKey No description.
env aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to.
parameterArn string The ARN of the SSM Parameter resource.
parameterName string The name of the SSM Parameter resource.
parameterRef aws-cdk-lib.interfaces.aws_ssm.ParameterReference A reference to a Parameter resource.
parameterType string The type of the SSM Parameter resource.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
stringValue string The parameter value.
sync SopsSync No description.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

encryptionKeyRequired 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.interfaces.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

parameterArnRequired 
public readonly parameterArn: string;
  • Type: string

The ARN of the SSM Parameter resource.

parameterNameRequired 
public readonly parameterName: string;
  • Type: string

The name of the SSM Parameter resource.

parameterRefRequired 
public readonly parameterRef: ParameterReference;
  • Type: aws-cdk-lib.interfaces.aws_ssm.ParameterReference

A reference to a Parameter resource.

parameterTypeRequired 
public readonly parameterType: string;
  • Type: string

The type of the SSM Parameter resource.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

stringValueRequired 
public readonly stringValue: string;
  • Type: string

The parameter value.

Value must not nest another parameter. Do not use {{}} in the value.

syncRequired 
public readonly sync: SopsSync;

SopsSync

The custom resource, that is syncing the content from a sops file to a secret.

Initializers 

import { SopsSync } from 'cdk-sops-secrets'

new SopsSync(scope: Construct, id: string, props: SopsSyncProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsSyncProps No description.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: string
propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import { SopsSync } from 'cdk-sops-secrets'

SopsSync.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
versionId string The current versionId of the secret populated via this resource.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

versionIdRequired 
public readonly versionId: string;
  • Type: string

The current versionId of the secret populated via this resource.

SopsSyncProvider

  • Implements: aws-cdk-lib.aws_iam.IGrantable

Initializers 

import { SopsSyncProvider } from 'cdk-sops-secrets'

new SopsSyncProvider(scope: Construct, id?: string, props?: SopsSyncProviderProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props SopsSyncProviderProps No description.
scopeRequired
  • Type: constructs.Construct
idOptional
  • Type: string
propsOptional

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addEventSource Adds an event source to this function.
addEventSourceMapping Adds an event source that maps to this AWS Lambda function.
addFunctionUrl Adds a url to this lambda function.
addPermission Adds a permission to the Lambda resource policy.
addToRolePolicy Adds a statement to the IAM role assumed by the instance.
configureAsyncInvoke Configures options for asynchronous invocation.
considerWarningOnInvokeFunctionPermissions A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.
grantInvoke Grant the given identity permissions to invoke this Lambda.
grantInvokeCompositePrincipal Grant multiple principals the ability to invoke this Lambda via CompositePrincipal.
grantInvokeLatestVersion Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda.
grantInvokeUrl Grant the given identity permissions to invoke this Lambda Function URL.
grantInvokeVersion Grant the given identity permissions to invoke the given version of this Lambda.
metric Return the given named metric for this Function.
metricDuration How long execution of this Lambda takes.
metricErrors How many invocations of this Lambda fail.
metricInvocations How often this Lambda is invoked.
metricThrottles How often this Lambda is throttled.
addDependency Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.
addEnvironment Adds an environment variable to this Lambda function.
addLayers Adds one or more Lambda Layers to this Lambda function.
addMetadata Use this method to write to the construct tree.
dependOn The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.
addAgeKey No description.
toString 
public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy 
public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws-cdk-lib.RemovalPolicy
addEventSource 
public addEventSource(source: IEventSource): void

Adds an event source to this function.

Event sources are implemented in the aws-cdk-lib/aws-lambda-event-sources module.

The following example adds an SQS Queue as an event source:

import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
myFunction.addEventSource(new SqsEventSource(myQueue));
sourceRequired
  • Type: aws-cdk-lib.aws_lambda.IEventSource
addEventSourceMapping 
public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping

Adds an event source that maps to this AWS Lambda function.

idRequired
  • Type: string
optionsRequired
  • Type: aws-cdk-lib.aws_lambda.EventSourceMappingOptions
addFunctionUrl 
public addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl

Adds a url to this lambda function.

optionsOptional
  • Type: aws-cdk-lib.aws_lambda.FunctionUrlOptions
addPermission 
public addPermission(name: string, permission: Permission): void

Adds a permission to the Lambda resource policy.

nameRequired
  • Type: string
permissionRequired
  • Type: aws-cdk-lib.aws_lambda.Permission
addToRolePolicy 
public addToRolePolicy(statement: PolicyStatement): void

Adds a statement to the IAM role assumed by the instance.

statementRequired
  • Type: aws-cdk-lib.aws_iam.PolicyStatement
configureAsyncInvoke 
public configureAsyncInvoke(options: EventInvokeConfigOptions): void

Configures options for asynchronous invocation.

optionsRequired
  • Type: aws-cdk-lib.aws_lambda.EventInvokeConfigOptions
considerWarningOnInvokeFunctionPermissions 
public considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void

A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.

function.currentVersion is invoked before or after the permission is created.

This applies only to permissions on Lambda functions, not versions or aliases. This function is overridden as a noOp for QualifiedFunctionBase.

scopeRequired
  • Type: constructs.Construct
actionRequired
  • Type: string
grantInvoke 
public grantInvoke(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantInvokeCompositePrincipal 
public grantInvokeCompositePrincipal(compositePrincipal: CompositePrincipal): Grant[]

Grant multiple principals the ability to invoke this Lambda via CompositePrincipal.

compositePrincipalRequired
  • Type: aws-cdk-lib.aws_iam.CompositePrincipal
grantInvokeLatestVersion 
public grantInvokeLatestVersion(grantee: IGrantable): Grant

Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantInvokeUrl 
public grantInvokeUrl(grantee: IGrantable): Grant

Grant the given identity permissions to invoke this Lambda Function URL.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
grantInvokeVersion 
public grantInvokeVersion(grantee: IGrantable, version: IVersion): Grant

Grant the given identity permissions to invoke the given version of this Lambda.

granteeRequired
  • Type: aws-cdk-lib.aws_iam.IGrantable
versionRequired
  • Type: aws-cdk-lib.aws_lambda.IVersion
metric 
public metric(metricName: string, props?: MetricOptions): Metric

Return the given named metric for this Function.

metricNameRequired
  • Type: string
propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricDuration 
public metricDuration(props?: MetricOptions): Metric

How long execution of this Lambda takes.

Average over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricErrors 
public metricErrors(props?: MetricOptions): Metric

How many invocations of this Lambda fail.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricInvocations 
public metricInvocations(props?: MetricOptions): Metric

How often this Lambda is invoked.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
metricThrottles 
public metricThrottles(props?: MetricOptions): Metric

How often this Lambda is throttled.

Sum over 5 minutes

propsOptional
  • Type: aws-cdk-lib.aws_cloudwatch.MetricOptions
addDependency 
public addDependency(up: ...IDependable[]): void

Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies.

upRequired
  • Type: ...constructs.IDependable[]
addEnvironment 
public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function

Adds an environment variable to this Lambda function.

If this is a ref to a Lambda function, this operation results in a no-op.

keyRequired
  • Type: string

The environment variable key.

valueRequired
  • Type: string

The environment variable's value.

optionsOptional
  • Type: aws-cdk-lib.aws_lambda.EnvironmentOptions

Environment variable options.

addLayers 
public addLayers(layers: ...ILayerVersion[]): void

Adds one or more Lambda Layers to this Lambda function.

layersRequired
  • Type: ...aws-cdk-lib.aws_lambda.ILayerVersion[]

the layers to be added.

addMetadata 
public addMetadata(type: string, data: any, options?: MetadataOptions): void

Use this method to write to the construct tree.

The metadata entries are written to the Cloud Assembly Manifest if the treeMetadata property is specified in the props of the App that contains this Construct.

typeRequired
  • Type: string
dataRequired
  • Type: any
optionsOptional
  • Type: constructs.MetadataOptions
dependOn 
public dependOn(down: IConstruct): void

The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct.

downRequired
  • Type: constructs.IConstruct
addAgeKey 
public addAgeKey(key: SecretValue): void
keyRequired
  • Type: aws-cdk-lib.SecretValue

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
isConstruct 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: any

Any object.

isOwnedResource 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
isResource 
import { SopsSyncProvider } from 'cdk-sops-secrets'

SopsSyncProvider.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
node constructs.Node The tree node.
env aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to.
stack aws-cdk-lib.Stack The stack in which this resource is defined.
architecture aws-cdk-lib.aws_lambda.Architecture The architecture of this Lambda Function.
connections aws-cdk-lib.aws_ec2.Connections Access the Connections object.
functionArn string The ARN fo the function.
functionName string The name of the function.
functionRef aws-cdk-lib.interfaces.aws_lambda.FunctionReference A reference to a Function resource.
grantPrincipal aws-cdk-lib.aws_iam.IPrincipal The principal this Lambda Function is running as.
isBoundToVpc boolean Whether or not this Lambda function was bound to a VPC.
latestVersion aws-cdk-lib.aws_lambda.IVersion The $LATEST version of this function.
permissionsNode constructs.Node The construct node where permissions are attached.
resourceArnsForGrantInvoke string[] The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().
role aws-cdk-lib.aws_iam.IRole The IAM role associated with this function.
tenancyConfig aws-cdk-lib.aws_lambda.TenancyConfig The tenancy configuration for this function.
constructName string The name of the singleton function.
currentVersion aws-cdk-lib.aws_lambda.Version Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.
logGroup aws-cdk-lib.aws_logs.ILogGroup The LogGroup where the Lambda function's logs are made available.
runtime aws-cdk-lib.aws_lambda.Runtime The runtime environment for the Lambda function.
nodeRequired 
public readonly node: Node;
  • Type: constructs.Node

The tree node.

envRequired 
public readonly env: ResourceEnvironment;
  • Type: aws-cdk-lib.interfaces.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

stackRequired 
public readonly stack: Stack;
  • Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

architectureRequired 
public readonly architecture: Architecture;
  • Type: aws-cdk-lib.aws_lambda.Architecture

The architecture of this Lambda Function.

connectionsRequired 
public readonly connections: Connections;
  • Type: aws-cdk-lib.aws_ec2.Connections

Access the Connections object.

Will fail if not a VPC-enabled Lambda Function

functionArnRequired 
public readonly functionArn: string;
  • Type: string

The ARN fo the function.

functionNameRequired 
public readonly functionName: string;
  • Type: string

The name of the function.

functionRefRequired 
public readonly functionRef: FunctionReference;
  • Type: aws-cdk-lib.interfaces.aws_lambda.FunctionReference

A reference to a Function resource.

grantPrincipalRequired 
public readonly grantPrincipal: IPrincipal;
  • Type: aws-cdk-lib.aws_iam.IPrincipal

The principal this Lambda Function is running as.

isBoundToVpcRequired 
public readonly isBoundToVpc: boolean;
  • Type: boolean

Whether or not this Lambda function was bound to a VPC.

If this is is false, trying to access the connections object will fail.

latestVersionRequired 
public readonly latestVersion: IVersion;
  • Type: aws-cdk-lib.aws_lambda.IVersion

The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.

permissionsNodeRequired 
public readonly permissionsNode: Node;
  • Type: constructs.Node

The construct node where permissions are attached.

resourceArnsForGrantInvokeRequired 
public readonly resourceArnsForGrantInvoke: string[];
  • Type: string[]

The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().

roleOptional 
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole

The IAM role associated with this function.

Undefined if the function was imported without a role.

tenancyConfigOptional 
public readonly tenancyConfig: TenancyConfig;
  • Type: aws-cdk-lib.aws_lambda.TenancyConfig

The tenancy configuration for this function.

constructNameRequired 
public readonly constructName: string;
  • Type: string

The name of the singleton function.

It acts as a unique ID within its CDK stack.

currentVersionRequired 
public readonly currentVersion: Version;
  • Type: aws-cdk-lib.aws_lambda.Version

Returns a lambda.Version which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.SingletonFunction.

logGroupRequired 
public readonly logGroup: ILogGroup;
  • Type: aws-cdk-lib.aws_logs.ILogGroup

The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.

runtimeRequired 
public readonly runtime: Runtime;
  • Type: aws-cdk-lib.aws_lambda.Runtime

The runtime environment for the Lambda function.

Constants

Name Type Description
PROPERTY_INJECTION_ID string Uniquely identifies this class.
PROPERTY_INJECTION_IDRequired 
public readonly PROPERTY_INJECTION_ID: string;
  • Type: string

Uniquely identifies this class.

Structs

MultiStringParameterProps

Initializer 

import { MultiStringParameterProps } from 'cdk-sops-secrets'

const multiStringParameterProps: MultiStringParameterProps = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key to use for encrypting the secret value.
description string Information about the parameter that you want to add to the system.
tier aws-cdk-lib.aws_ssm.ParameterTier The tier of the string parameter.
keyPrefix string The prefix used for all parameters.
keySeparator string The seperator used to seperate keys.
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

encryptionKeyRequired 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: none

Information about the parameter that you want to add to the system.

tierOptional 
public readonly tier: ParameterTier;
  • Type: aws-cdk-lib.aws_ssm.ParameterTier
  • Default: undefined

The tier of the string parameter.

keyPrefixOptional 
public readonly keyPrefix: string;
  • Type: string
  • Default: '/'

The prefix used for all parameters.

keySeparatorOptional 
public readonly keySeparator: string;
  • Type: string
  • Default: '/'

The seperator used to seperate keys.

SopsCommonParameterProps

The configuration options of the StringParameter.

Initializer 

import { SopsCommonParameterProps } from 'cdk-sops-secrets'

const sopsCommonParameterProps: SopsCommonParameterProps = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key to use for encrypting the secret value.
description string Information about the parameter that you want to add to the system.
tier aws-cdk-lib.aws_ssm.ParameterTier The tier of the string parameter.
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

encryptionKeyRequired 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: none

Information about the parameter that you want to add to the system.

tierOptional 
public readonly tier: ParameterTier;
  • Type: aws-cdk-lib.aws_ssm.ParameterTier
  • Default: undefined

The tier of the string parameter.

SopsSecretProps

The configuration options of the SopsSecret.

Initializer 

import { SopsSecretProps } from 'cdk-sops-secrets'

const sopsSecretProps: SopsSecretProps = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
description string An optional, human-friendly description of the secret.
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key to use for encrypting the secret value.
rawOutput RawOutput Should the secret parsed and transformed to json?
removalPolicy aws-cdk-lib.RemovalPolicy Policy to apply when the secret is removed from this stack.
replicaRegions aws-cdk-lib.aws_secretsmanager.ReplicaRegion[] A list of regions where to replicate this secret.
secretName string A name for the secret.
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: No description.

An optional, human-friendly description of the secret.

encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

rawOutputOptional 
public readonly rawOutput: RawOutput;
  • Type: RawOutput
  • Default: undefined - STRING for binary secrets, else no raw output

Should the secret parsed and transformed to json?

removalPolicyOptional 
public readonly removalPolicy: RemovalPolicy;
  • Type: aws-cdk-lib.RemovalPolicy
  • Default: Not set.

Policy to apply when the secret is removed from this stack.

replicaRegionsOptional 
public readonly replicaRegions: ReplicaRegion[];
  • Type: aws-cdk-lib.aws_secretsmanager.ReplicaRegion[]
  • Default: Secret is not replicated

A list of regions where to replicate this secret.

secretNameOptional 
public readonly secretName: string;
  • Type: string
  • Default: A name is generated by CloudFormation.

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

SopsStringParameterProps

Initializer 

import { SopsStringParameterProps } from 'cdk-sops-secrets'

const sopsStringParameterProps: SopsStringParameterProps = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
encryptionKey aws-cdk-lib.aws_kms.IKey The customer-managed encryption key to use for encrypting the secret value.
description string Information about the parameter that you want to add to the system.
tier aws-cdk-lib.aws_ssm.ParameterTier The tier of the string parameter.
parameterName string The name of the parameter.
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

encryptionKeyRequired 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: A default KMS key for the account and region is used.

The customer-managed encryption key to use for encrypting the secret value.

descriptionOptional 
public readonly description: string;
  • Type: string
  • Default: none

Information about the parameter that you want to add to the system.

tierOptional 
public readonly tier: ParameterTier;
  • Type: aws-cdk-lib.aws_ssm.ParameterTier
  • Default: undefined

The tier of the string parameter.

parameterNameOptional 
public readonly parameterName: string;
  • Type: string
  • Default: a name will be generated by CloudFormation

The name of the parameter.

SopsSyncOptions

Configuration options for the SopsSync.

Initializer 

import { SopsSyncOptions } from 'cdk-sops-secrets'

const sopsSyncOptions: SopsSyncOptions = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

SopsSyncProps

The configuration options extended by the target Secret / Parameter.

Initializer 

import { SopsSyncProps } from 'cdk-sops-secrets'

const sopsSyncProps: SopsSyncProps = { ... }

Properties

Name Type Description
assetEncryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used by the CDK default Asset S3 Bucket.
autoGenerateIamPermissions boolean Should this construct automatically create IAM permissions?
sopsAgeKey aws-cdk-lib.SecretValue The age key that should be used for encryption.
sopsFileFormat string The format of the sops file.
sopsFilePath string The filepath to the sops file.
sopsKmsKey aws-cdk-lib.aws_kms.IKey[] The kmsKey used to encrypt the sops file.
sopsProvider SopsSyncProvider The custom resource provider to use.
sopsS3Bucket string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
sopsS3Key string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.
uploadType UploadType How should the secret be passed to the CustomResource?
resourceType ResourceType Will this Sync deploy a Secret or Parameter(s).
target string The target to populate with the sops file content.
encryptionKey aws-cdk-lib.aws_kms.IKey The encryption key used for encrypting the ssm parameter if parameterName is set.
flattenSeparator string If the structure should be flattened use the provided separator between keys.
parameterNames string[] No description.
secret aws-cdk-lib.aws_secretsmanager.ISecret No description.
assetEncryptionKeyOptional 
public readonly assetEncryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey
  • Default: Trying to get the key using the CDK Bootstrap context.

The encryption key used by the CDK default Asset S3 Bucket.

autoGenerateIamPermissionsOptional 
public readonly autoGenerateIamPermissions: boolean;
  • Type: boolean
  • Default: true

Should this construct automatically create IAM permissions?

sopsAgeKeyOptional 
public readonly sopsAgeKey: SecretValue;
  • Type: aws-cdk-lib.SecretValue

The age key that should be used for encryption.

sopsFileFormatOptional 
public readonly sopsFileFormat: string;
  • Type: string
  • Default: The fileformat will be derived from the file ending

The format of the sops file.

sopsFilePathOptional 
public readonly sopsFilePath: string;
  • Type: string

The filepath to the sops file.

sopsKmsKeyOptional 
public readonly sopsKmsKey: IKey[];
  • Type: aws-cdk-lib.aws_kms.IKey[]
  • Default: The key will be derived from the sops file

The kmsKey used to encrypt the sops file.

Encrypt permissions will be granted to the custom resource provider.

sopsProviderOptional 
public readonly sopsProvider: SopsSyncProvider;

The custom resource provider to use.

If you don't specify any, a new provider will be created - or if already exists within this stack - reused.

sopsS3BucketOptional 
public readonly sopsS3Bucket: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

sopsS3KeyOptional 
public readonly sopsS3Key: string;
  • Type: string

If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified.

uploadTypeOptional 
public readonly uploadType: UploadType;

How should the secret be passed to the CustomResource?

resourceTypeRequired 
public readonly resourceType: ResourceType;

Will this Sync deploy a Secret or Parameter(s).

targetRequired 
public readonly target: string;
  • Type: string

The target to populate with the sops file content.

for secret, it's the name or arn of the secret

  • for parameter, it's the name of the parameter
  • for parameter multi, it's the prefix of the parameters
encryptionKeyOptional 
public readonly encryptionKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey

The encryption key used for encrypting the ssm parameter if parameterName is set.

flattenSeparatorOptional 
public readonly flattenSeparator: string;
  • Type: string
  • Default: undefined

If the structure should be flattened use the provided separator between keys.

parameterNamesOptional 
public readonly parameterNames: string[];
  • Type: string[]
secretOptional 
public readonly secret: ISecret;
  • Type: aws-cdk-lib.aws_secretsmanager.ISecret

SopsSyncProviderProps

Configuration options for a custom SopsSyncProvider.

Initializer 

import { SopsSyncProviderProps } from 'cdk-sops-secrets'

const sopsSyncProviderProps: SopsSyncProviderProps = { ... }

Properties

Name Type Description
logGroup aws-cdk-lib.aws_logs.ILogGroup The log group the function sends logs to.
logRetention aws-cdk-lib.aws_logs.RetentionDays The number of days log events are kept in CloudWatch Logs.
role aws-cdk-lib.aws_iam.IRole The role that should be used for the custom resource provider.
securityGroups aws-cdk-lib.aws_ec2.ISecurityGroup[] Only if vpc is supplied: The list of security groups to associate with the Lambda's network interfaces.
uuid string A unique identifier to identify this provider.
vpc aws-cdk-lib.aws_ec2.IVpc VPC network to place Lambda network interfaces.
vpcSubnets aws-cdk-lib.aws_ec2.SubnetSelection Where to place the network interfaces within the VPC.
logGroupOptional 
public readonly logGroup: ILogGroup;
  • Type: aws-cdk-lib.aws_logs.ILogGroup
  • Default: /aws/lambda/${this.functionName} - default log group created by Lambda

The log group the function sends logs to.

By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/{function-name}. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention.

Use the logGroup property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

logRetentionOptional 
public readonly logRetention: RetentionDays;
  • Type: aws-cdk-lib.aws_logs.RetentionDays
  • Default: logs.RetentionDays.INFINITE

The number of days log events are kept in CloudWatch Logs.

When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to INFINITE.

This is a legacy API and we strongly recommend you move away from it if you can. Instead create a fully customizable log group with logs.LogGroup and use the logGroup property to instruct the Lambda function to send logs to it. Migrating from logRetention to logGroup will cause the name of the log group to change. Users and code and referencing the name verbatim will have to adjust.

In AWS CDK code, you can access the log group name directly from the LogGroup construct:

import * as logs from 'aws-cdk-lib/aws-logs';

declare const myLogGroup: logs.LogGroup;
myLogGroup.logGroupName;
roleOptional 
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole
  • Default: a new role will be created

The role that should be used for the custom resource provider.

If you don't specify any, a new role will be created with all required permissions

securityGroupsOptional 
public readonly securityGroups: ISecurityGroup[];
  • Type: aws-cdk-lib.aws_ec2.ISecurityGroup[]
  • Default: A dedicated security group will be created for the lambda function.

Only if vpc is supplied: The list of security groups to associate with the Lambda's network interfaces.

uuidOptional 
public readonly uuid: string;
  • Type: string
  • Default: SopsSyncProvider

A unique identifier to identify this provider.

Overwrite the default, if you need a dedicated provider.

vpcOptional 
public readonly vpc: IVpc;
  • Type: aws-cdk-lib.aws_ec2.IVpc
  • Default: Lambda function is not placed within a VPC.

VPC network to place Lambda network interfaces.

vpcSubnetsOptional 
public readonly vpcSubnets: SubnetSelection;
  • Type: aws-cdk-lib.aws_ec2.SubnetSelection
  • Default: Subnets will be chosen automatically.

Where to place the network interfaces within the VPC.

Enums

RawOutput

Members

Name Description
STRING Parse the secret as a string.
BINARY Parse the secret as a binary.
STRING

Parse the secret as a string.

BINARY

Parse the secret as a binary.

ResourceType

Members

Name Description
SECRET No description.
SECRET_RAW No description.
SECRET_BINARY No description.
PARAMETER No description.
PARAMETER_MULTI No description.
SECRET
SECRET_RAW
SECRET_BINARY
PARAMETER
PARAMETER_MULTI

UploadType

Members

Name Description
INLINE Pass the secret data inline (base64 encoded and compressed).
ASSET Uplaod the secret data as asset.
INLINE

Pass the secret data inline (base64 encoded and compressed).

ASSET

Uplaod the secret data as asset.