import { AddToResourcePolicyResult, Grant, IGrantable, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IKey } from 'aws-cdk-lib/aws-kms';
import { ISecret, ISecretAttachmentTarget, ReplicaRegion, RotationSchedule, RotationScheduleOptions } from 'aws-cdk-lib/aws-secretsmanager';
import { RemovalPolicy, ResourceEnvironment, SecretValue, Stack } from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import { SopsSync, SopsSyncOptions } from './SopsSync';
export declare enum RawOutput {
    /**
     * Parse the secret as a string
     */
    STRING = "STRING",
    /**
     * Parse the secret as a binary
     */
    BINARY = "BINARY"
}
/**
 * The configuration options of the SopsSecret
 */
export interface SopsSecretProps extends SopsSyncOptions {
    /**
     * Should the secret parsed and transformed to json?
     * @default - undefined - STRING for binary secrets, else no raw output
     */
    readonly rawOutput?: RawOutput;
    /**
     * An optional, human-friendly description of the secret.
     *
     * @default - No description.
     */
    readonly description?: string;
    /**
     * The customer-managed encryption key to use for encrypting the secret value.
     *
     * @default - A default KMS key for the account and region is used.
     */
    readonly encryptionKey?: IKey;
    /**
     * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to
     * 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
     *
     * @default - A name is generated by CloudFormation.
     */
    readonly secretName?: string;
    /**
     * Policy to apply when the secret is removed from this stack.
     *
     * @default - Not set.
     */
    readonly removalPolicy?: RemovalPolicy;
    /**
     * A list of regions where to replicate this secret.
     *
     * @default - Secret is not replicated
     */
    readonly replicaRegions?: ReplicaRegion[];
}
/**
 * A drop in replacement for the normal Secret, that is populated with the encrypted
 * content of the given sops file.
 */
export declare class SopsSecret extends Construct implements ISecret {
    private readonly secret;
    readonly encryptionKey?: IKey | undefined;
    readonly secretArn: string;
    readonly secretFullArn?: string | undefined;
    readonly secretName: string;
    readonly stack: Stack;
    readonly env: ResourceEnvironment;
    readonly sync: SopsSync;
    constructor(scope: Construct, id: string, props: SopsSecretProps);
    currentVersionId(): string;
    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
    grantWrite(_grantee: IGrantable): Grant;
    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
    denyAccountRootDelete(): void;
    attach(target: ISecretAttachmentTarget): ISecret;
    applyRemovalPolicy(policy: RemovalPolicy): void;
    secretValueFromJson(jsonField: string): SecretValue;
    get secretValue(): SecretValue;
}