| 1 | import { CfnDynamicReference } from './cfn-dynamic-reference';
|
| 2 | import { CfnParameter } from './cfn-parameter';
|
| 3 | import { Intrinsic, IntrinsicProps } from './private/intrinsic';
|
| 4 | import { IResolveContext } from './resolvable';
|
| 5 | /**
|
| 6 | * Work with secret values in the CDK
|
| 7 | *
|
| 8 | * Constructs that need secrets will declare parameters of type `SecretValue`.
|
| 9 | *
|
| 10 | * The actual values of these secrets should not be committed to your
|
| 11 | * repository, or even end up in the synthesized CloudFormation template. Instead, you should
|
| 12 | * store them in an external system like AWS Secrets Manager or SSM Parameter
|
| 13 | * Store, and you can reference them by calling `SecretValue.secretsManager()` or
|
| 14 | * `SecretValue.ssmSecure()`.
|
| 15 | *
|
| 16 | * You can use `SecretValue.unsafePlainText()` to construct a `SecretValue` from a
|
| 17 | * literal string, but doing so is highly discouraged.
|
| 18 | *
|
| 19 | * To make sure secret values don't accidentally end up in readable parts
|
| 20 | * of your infrastructure definition (such as the environment variables
|
| 21 | * of an AWS Lambda Function, where everyone who can read the function
|
| 22 | * definition has access to the secret), using secret values directly is not
|
| 23 | * allowed. You must pass them to constructs that accept `SecretValue`
|
| 24 | * properties, which are guaranteed to use the value only in CloudFormation
|
| 25 | * properties that are write-only.
|
| 26 | *
|
| 27 | * If you are sure that what you are doing is safe, you can call
|
| 28 | * `secretValue.unsafeUnwrap()` to access the protected string of the secret
|
| 29 | * value.
|
| 30 | *
|
| 31 | * (If you are writing something like an AWS Lambda Function and need to access
|
| 32 | * a secret inside it, make the API call to `GetSecretValue` directly inside
|
| 33 | * your Lamba's code, instead of using environment variables.)
|
| 34 | */
|
| 35 | export declare class SecretValue extends Intrinsic {
|
| 36 | /**
|
| 37 | * Test whether an object is a SecretValue
|
| 38 | */
|
| 39 | static isSecretValue(x: any): x is SecretValue;
|
| 40 | /**
|
| 41 | * Construct a literal secret value for use with secret-aware constructs
|
| 42 | *
|
| 43 | * Do not use this method for any secrets that you care about! The value
|
| 44 | * will be visible to anyone who has access to the CloudFormation template
|
| 45 | * (via the AWS Console, SDKs, or CLI).
|
| 46 | *
|
| 47 | * The only reasonable use case for using this method is when you are testing.
|
| 48 | *
|
| 49 | * @deprecated Use `unsafePlainText()` instead.
|
| 50 | */
|
| 51 | static plainText(secret: string): SecretValue;
|
| 52 | /**
|
| 53 | * Construct a literal secret value for use with secret-aware constructs
|
| 54 | *
|
| 55 | * Do not use this method for any secrets that you care about! The value
|
| 56 | * will be visible to anyone who has access to the CloudFormation template
|
| 57 | * (via the AWS Console, SDKs, or CLI).
|
| 58 | *
|
| 59 | * The only reasonable use case for using this method is when you are testing.
|
| 60 | */
|
| 61 | static unsafePlainText(secret: string): SecretValue;
|
| 62 | /**
|
| 63 | * Creates a `SecretValue` with a value which is dynamically loaded from AWS Secrets Manager.
|
| 64 | * @param secretId The ID or ARN of the secret
|
| 65 | * @param options Options
|
| 66 | */
|
| 67 | static secretsManager(secretId: string, options?: SecretsManagerSecretOptions): SecretValue;
|
| 68 | /**
|
| 69 | * Use a secret value stored from a Systems Manager (SSM) parameter.
|
| 70 | *
|
| 71 | * @param parameterName The name of the parameter in the Systems Manager
|
| 72 | * Parameter Store. The parameter name is case-sensitive.
|
| 73 | *
|
| 74 | * @param version An integer that specifies the version of the parameter to
|
| 75 | * use. If you don't specify the exact version, AWS CloudFormation uses the
|
| 76 | * latest version of the parameter.
|
| 77 | */
|
| 78 | static ssmSecure(parameterName: string, version?: string): SecretValue;
|
| 79 | /**
|
| 80 | * Obtain the secret value through a CloudFormation dynamic reference.
|
| 81 | *
|
| 82 | * If possible, use `SecretValue.ssmSecure` or `SecretValue.secretsManager` directly.
|
| 83 | *
|
| 84 | * @param ref The dynamic reference to use.
|
| 85 | */
|
| 86 | static cfnDynamicReference(ref: CfnDynamicReference): SecretValue;
|
| 87 | /**
|
| 88 | * Obtain the secret value through a CloudFormation parameter.
|
| 89 | *
|
| 90 | * Generally, this is not a recommended approach. AWS Secrets Manager is the
|
| 91 | * recommended way to reference secrets.
|
| 92 | *
|
| 93 | * @param param The CloudFormation parameter to use.
|
| 94 | */
|
| 95 | static cfnParameter(param: CfnParameter): SecretValue;
|
| 96 | /**
|
| 97 | * Use a resource's output as secret value
|
| 98 | */
|
| 99 | static resourceAttribute(attr: string): SecretValue;
|
| 100 | private readonly rawValue;
|
| 101 | /**
|
| 102 | * Construct a SecretValue (do not use!)
|
| 103 | *
|
| 104 | * Do not use the constructor directly: use one of the factory functions on the class
|
| 105 | * instead.
|
| 106 | */
|
| 107 | constructor(protectedValue: any, options?: IntrinsicProps);
|
| 108 | /**
|
| 109 | * Disable usage protection on this secret
|
| 110 | *
|
| 111 | * Call this to indicate that you want to use the secret value held by this
|
| 112 | * object in an unchecked way. If you don't call this method, using the secret
|
| 113 | * value directly in a string context or as a property value somewhere will
|
| 114 | * produce an error.
|
| 115 | *
|
| 116 | * This method has 'unsafe' in the name on purpose! Make sure that the
|
| 117 | * construct property you are using the returned value in is does not end up
|
| 118 | * in a place in your AWS infrastructure where it could be read by anyone
|
| 119 | * unexpected.
|
| 120 | *
|
| 121 | * When in doubt, don't call this method and only pass the object to constructs that
|
| 122 | * accept `SecretValue` parameters.
|
| 123 | */
|
| 124 | unsafeUnwrap(): string;
|
| 125 | /**
|
| 126 | * Resolve the secret
|
| 127 | *
|
| 128 | * If the feature flag is not set, resolve as normal. Otherwise, throw a descriptive
|
| 129 | * error that the usage guard is missing.
|
| 130 | */
|
| 131 | resolve(context: IResolveContext): any;
|
| 132 | }
|
| 133 | /**
|
| 134 | * Options for referencing a secret value from Secrets Manager.
|
| 135 | */
|
| 136 | export interface SecretsManagerSecretOptions {
|
| 137 | /**
|
| 138 | * Specifies the secret version that you want to retrieve by the staging label attached to the version.
|
| 139 | *
|
| 140 | * Can specify at most one of `versionId` and `versionStage`.
|
| 141 | *
|
| 142 | * @default AWSCURRENT
|
| 143 | */
|
| 144 | readonly versionStage?: string;
|
| 145 | /**
|
| 146 | * Specifies the unique identifier of the version of the secret you want to use.
|
| 147 | *
|
| 148 | * Can specify at most one of `versionId` and `versionStage`.
|
| 149 | *
|
| 150 | * @default AWSCURRENT
|
| 151 | */
|
| 152 | readonly versionId?: string;
|
| 153 | /**
|
| 154 | * The key of a JSON field to retrieve. This can only be used if the secret
|
| 155 | * stores a JSON object.
|
| 156 | *
|
| 157 | * @default - returns all the content stored in the Secrets Manager secret.
|
| 158 | */
|
| 159 | readonly jsonField?: string;
|
| 160 | }
|