# API Reference ## Constructs ### MultiStringParameter #### Initializers ```typescript import { MultiStringParameter } from 'cdk-sops-secrets' new MultiStringParameter(scope: Construct, id: string, props: MultiStringParameterProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | MultiStringParameterProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* MultiStringParameterProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | with | Applies one or more mixins to this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `with` ```typescript public with(mixins: ...IMixin[]): IConstruct ``` Applies one or more mixins to this construct. Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple `with()` calls if subsequent mixins should apply to added constructs. ###### `mixins`^Required - *Type:* ...constructs.IMixin[] The mixins to apply. --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### `isConstruct` ```typescript import { MultiStringParameter } from 'cdk-sops-secrets' MultiStringParameter.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | *No description.* | | env | aws-cdk-lib.interfaces.ResourceEnvironment | *No description.* | | keyPrefix | string | *No description.* | | keySeparator | string | *No description.* | | stack | aws-cdk-lib.Stack | *No description.* | | sync | SopsSync | *No description.* | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `encryptionKey`^Required ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey --- ##### `env`^Required ```typescript public readonly env: ResourceEnvironment; ``` - *Type:* aws-cdk-lib.interfaces.ResourceEnvironment --- ##### `keyPrefix`^Required ```typescript public readonly keyPrefix: string; ``` - *Type:* string --- ##### `keySeparator`^Required ```typescript public readonly keySeparator: string; ``` - *Type:* string --- ##### `stack`^Required ```typescript public readonly stack: Stack; ``` - *Type:* aws-cdk-lib.Stack --- ##### `sync`^Required ```typescript public readonly sync: SopsSync; ``` - *Type:* SopsSync --- ### SopsSecret - *Implements:* aws-cdk-lib.aws_secretsmanager.ISecret A drop in replacement for the normal Secret, that is populated with the encrypted content of the given sops file. #### Initializers ```typescript import { SopsSecret } from 'cdk-sops-secrets' new SopsSecret(scope: Construct, id: string, props: SopsSecretProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SopsSecretProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* SopsSecretProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | with | Applies one or more mixins to this construct. | | addRotationSchedule | Adds a rotation schedule to the secret. | | addToResourcePolicy | Adds a statement to the IAM resource policy associated with this secret. | | applyRemovalPolicy | Apply the given removal policy to this resource. | | attach | Attach a target to this secret. | | cfnDynamicReferenceKey | Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager. | | currentVersionId | *No description.* | | denyAccountRootDelete | Denies the `DeleteSecret` action to all principals within the current account. | | grantRead | Grants reading the secret value to some role. | | grantWrite | Grants writing and updating the secret value to some role. | | secretValueFromJson | Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `with` ```typescript public with(mixins: ...IMixin[]): IConstruct ``` Applies one or more mixins to this construct. Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple `with()` calls if subsequent mixins should apply to added constructs. ###### `mixins`^Required - *Type:* ...constructs.IMixin[] The mixins to apply. --- ##### `addRotationSchedule` ```typescript public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule ``` Adds a rotation schedule to the secret. ###### `id`^Required - *Type:* string --- ###### `options`^Required - *Type:* aws-cdk-lib.aws_secretsmanager.RotationScheduleOptions --- ##### `addToResourcePolicy` ```typescript public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult ``` Adds a statement to the IAM resource policy associated with this secret. If this secret was created in this stack, a resource policy will be automatically created upon the first call to `addToResourcePolicy`. If the secret is imported, then this is a no-op. ###### `statement`^Required - *Type:* aws-cdk-lib.aws_iam.PolicyStatement --- ##### `applyRemovalPolicy` ```typescript public applyRemovalPolicy(policy: RemovalPolicy): void ``` Apply the given removal policy to this resource. The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced. The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). ###### `policy`^Required - *Type:* aws-cdk-lib.RemovalPolicy --- ##### `attach` ```typescript public attach(target: ISecretAttachmentTarget): ISecret ``` Attach a target to this secret. ###### `target`^Required - *Type:* aws-cdk-lib.aws_secretsmanager.ISecretAttachmentTarget --- ##### `cfnDynamicReferenceKey` ```typescript public cfnDynamicReferenceKey(options?: SecretsManagerSecretOptions): string ``` Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager. ###### `options`^Optional - *Type:* aws-cdk-lib.SecretsManagerSecretOptions --- ##### `currentVersionId` ```typescript public currentVersionId(): string ``` ##### `denyAccountRootDelete` ```typescript public denyAccountRootDelete(): void ``` Denies the `DeleteSecret` action to all principals within the current account. ##### `grantRead` ```typescript public grantRead(grantee: IGrantable, versionStages?: string[]): Grant ``` Grants reading the secret value to some role. ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ###### `versionStages`^Optional - *Type:* string[] --- ##### `grantWrite` ```typescript public grantWrite(_grantee: IGrantable): Grant ``` Grants writing and updating the secret value to some role. ###### `_grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ##### `secretValueFromJson` ```typescript public secretValueFromJson(jsonField: string): SecretValue ``` Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`. ###### `jsonField`^Required - *Type:* string --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### `isConstruct` ```typescript import { SopsSecret } from 'cdk-sops-secrets' SopsSecret.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | env | aws-cdk-lib.interfaces.ResourceEnvironment | The environment this resource belongs to. | | secretArn | string | The ARN of the secret in AWS Secrets Manager. | | secretName | string | The name of the secret. | | secretRef | aws-cdk-lib.interfaces.aws_secretsmanager.SecretReference | A reference to a Secret resource. | | secretValue | aws-cdk-lib.SecretValue | Retrieve the value of the stored secret as a `SecretValue`. | | stack | aws-cdk-lib.Stack | The stack in which this resource is defined. | | sync | SopsSync | *No description.* | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The customer-managed encryption key that is used to encrypt this secret, if any. | | expirationNotificationTopic | aws-cdk-lib.aws_sns.ITopic | The SNS topic that receives expiration notifications. | | secretFullArn | string | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `env`^Required ```typescript public readonly env: ResourceEnvironment; ``` - *Type:* aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to. For resources that are created and managed in a Stack (those created by creating new class instances like `new Role()`, `new Bucket()`, etc.), this is always the same as the environment of the stack they belong to. For referenced resources (those obtained from referencing methods like `Role.fromRoleArn()`, `Bucket.fromBucketName()`, etc.), they might be different than the stack they were imported into. --- ##### `secretArn`^Required ```typescript public readonly secretArn: string; ``` - *Type:* string The ARN of the secret in AWS Secrets Manager. Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`. --- ##### `secretName`^Required ```typescript public readonly secretName: string; ``` - *Type:* string The name of the secret. For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set. --- ##### `secretRef`^Required ```typescript public readonly secretRef: SecretReference; ``` - *Type:* aws-cdk-lib.interfaces.aws_secretsmanager.SecretReference A reference to a Secret resource. --- ##### `secretValue`^Required ```typescript public readonly secretValue: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue Retrieve the value of the stored secret as a `SecretValue`. --- ##### `stack`^Required ```typescript public readonly stack: Stack; ``` - *Type:* aws-cdk-lib.Stack The stack in which this resource is defined. --- ##### `sync`^Required ```typescript public readonly sync: SopsSync; ``` - *Type:* SopsSync --- ##### `encryptionKey`^Optional ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey The customer-managed encryption key that is used to encrypt this secret, if any. When not specified, the default KMS key for the account and region is being used. --- ##### `expirationNotificationTopic`^Optional ```typescript public readonly expirationNotificationTopic: ITopic; ``` - *Type:* aws-cdk-lib.aws_sns.ITopic The SNS topic that receives expiration notifications. Only set when expiration notifications are enabled. --- ##### `secretFullArn`^Optional ```typescript public readonly secretFullArn: string; ``` - *Type:* string The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name). --- ### SopsStringParameter - *Implements:* aws-cdk-lib.aws_ssm.IStringParameter A drop in replacement for the normal String Parameter, that is populated with the encrypted content of the given sops file. #### Initializers ```typescript import { SopsStringParameter } from 'cdk-sops-secrets' new SopsStringParameter(scope: Construct, id: string, props: SopsStringParameterProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SopsStringParameterProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* SopsStringParameterProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | with | Applies one or more mixins to this construct. | | applyRemovalPolicy | Apply the given removal policy to this resource. | | grantRead | Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter. | | grantWrite | Grants write (PutParameter) permissions on the SSM Parameter. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `with` ```typescript public with(mixins: ...IMixin[]): IConstruct ``` Applies one or more mixins to this construct. Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple `with()` calls if subsequent mixins should apply to added constructs. ###### `mixins`^Required - *Type:* ...constructs.IMixin[] The mixins to apply. --- ##### `applyRemovalPolicy` ```typescript public applyRemovalPolicy(policy: RemovalPolicy): void ``` Apply the given removal policy to this resource. The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced. The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). ###### `policy`^Required - *Type:* aws-cdk-lib.RemovalPolicy --- ##### `grantRead` ```typescript public grantRead(grantee: IGrantable): Grant ``` Grants read (DescribeParameter, GetParameters, GetParameter, GetParameterHistory) permissions on the SSM Parameter. ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ##### `grantWrite` ```typescript public grantWrite(grantee: IGrantable): Grant ``` Grants write (PutParameter) permissions on the SSM Parameter. ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### `isConstruct` ```typescript import { SopsStringParameter } from 'cdk-sops-secrets' SopsStringParameter.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | *No description.* | | env | aws-cdk-lib.interfaces.ResourceEnvironment | The environment this resource belongs to. | | parameterArn | string | The ARN of the SSM Parameter resource. | | parameterName | string | The name of the SSM Parameter resource. | | parameterRef | aws-cdk-lib.interfaces.aws_ssm.ParameterReference | A reference to a Parameter resource. | | parameterType | string | The type of the SSM Parameter resource. | | stack | aws-cdk-lib.Stack | The stack in which this resource is defined. | | stringValue | string | The parameter value. | | sync | SopsSync | *No description.* | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `encryptionKey`^Required ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey --- ##### `env`^Required ```typescript public readonly env: ResourceEnvironment; ``` - *Type:* aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to. For resources that are created and managed in a Stack (those created by creating new class instances like `new Role()`, `new Bucket()`, etc.), this is always the same as the environment of the stack they belong to. For referenced resources (those obtained from referencing methods like `Role.fromRoleArn()`, `Bucket.fromBucketName()`, etc.), they might be different than the stack they were imported into. --- ##### `parameterArn`^Required ```typescript public readonly parameterArn: string; ``` - *Type:* string The ARN of the SSM Parameter resource. --- ##### `parameterName`^Required ```typescript public readonly parameterName: string; ``` - *Type:* string The name of the SSM Parameter resource. --- ##### `parameterRef`^Required ```typescript public readonly parameterRef: ParameterReference; ``` - *Type:* aws-cdk-lib.interfaces.aws_ssm.ParameterReference A reference to a Parameter resource. --- ##### `parameterType`^Required ```typescript public readonly parameterType: string; ``` - *Type:* string The type of the SSM Parameter resource. --- ##### `stack`^Required ```typescript public readonly stack: Stack; ``` - *Type:* aws-cdk-lib.Stack The stack in which this resource is defined. --- ##### `stringValue`^Required ```typescript public readonly stringValue: string; ``` - *Type:* string The parameter value. Value must not nest another parameter. Do not use {{}} in the value. --- ##### `sync`^Required ```typescript public readonly sync: SopsSync; ``` - *Type:* SopsSync --- ### SopsSync The custom resource, that is syncing the content from a sops file to a secret. #### Initializers ```typescript import { SopsSync } from 'cdk-sops-secrets' new SopsSync(scope: Construct, id: string, props: SopsSyncProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SopsSyncProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* SopsSyncProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | with | Applies one or more mixins to this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `with` ```typescript public with(mixins: ...IMixin[]): IConstruct ``` Applies one or more mixins to this construct. Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple `with()` calls if subsequent mixins should apply to added constructs. ###### `mixins`^Required - *Type:* ...constructs.IMixin[] The mixins to apply. --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### `isConstruct` ```typescript import { SopsSync } from 'cdk-sops-secrets' SopsSync.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | versionId | string | The current versionId of the secret populated via this resource. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `versionId`^Required ```typescript public readonly versionId: string; ``` - *Type:* string The current versionId of the secret populated via this resource. --- ### SopsSyncProvider - *Implements:* aws-cdk-lib.aws_iam.IGrantable #### Initializers ```typescript import { SopsSyncProvider } from 'cdk-sops-secrets' new SopsSyncProvider(scope: Construct, id?: string, props?: SopsSyncProviderProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SopsSyncProviderProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Optional - *Type:* string --- ##### `props`^Optional - *Type:* SopsSyncProviderProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | | with | Applies one or more mixins to this construct. | | applyRemovalPolicy | Apply the given removal policy to this resource. | | addEventSource | Adds an event source to this function. | | addEventSourceMapping | Adds an event source that maps to this AWS Lambda function. | | addFunctionUrl | Adds a url to this lambda function. | | addPermission | Adds a permission to the Lambda resource policy. | | addToRolePolicy | Adds a statement to the IAM role assumed by the instance. | | configureAsyncInvoke | Configures options for asynchronous invocation. | | considerWarningOnInvokeFunctionPermissions | A warning will be added to functions under the following conditions: - permissions that include `lambda:InvokeFunction` are added to the unqualified function. | | grantInvoke | Grant the given identity permissions to invoke this Lambda. | | grantInvokeCompositePrincipal | Grant multiple principals the ability to invoke this Lambda via CompositePrincipal. | | grantInvokeLatestVersion | Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda. | | grantInvokeUrl | Grant the given identity permissions to invoke this Lambda Function URL. | | grantInvokeVersion | Grant the given identity permissions to invoke the given version of this Lambda. | | metric | Return the given named metric for this Function. | | metricDuration | How long execution of this Lambda takes. | | metricErrors | How many invocations of this Lambda fail. | | metricInvocations | How often this Lambda is invoked. | | metricThrottles | How often this Lambda is throttled. | | addDependency | Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies. | | addEnvironment | Adds an environment variable to this Lambda function. | | addLayers | Adds one or more Lambda Layers to this Lambda function. | | addMetadata | Use this method to write to the construct tree. | | dependOn | The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct. | | addAgeKey | *No description.* | | addAgeKeyFromSsmParameter | Configure the Lambda to fetch an age private key from an SSM Parameter Store SecureString at runtime, rather than injecting it as a plaintext environment variable at synthesis time. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. ##### `with` ```typescript public with(mixins: ...IMixin[]): IConstruct ``` Applies one or more mixins to this construct. Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple `with()` calls if subsequent mixins should apply to added constructs. ###### `mixins`^Required - *Type:* ...constructs.IMixin[] --- ##### `applyRemovalPolicy` ```typescript public applyRemovalPolicy(policy: RemovalPolicy): void ``` Apply the given removal policy to this resource. The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced. The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). ###### `policy`^Required - *Type:* aws-cdk-lib.RemovalPolicy --- ##### `addEventSource` ```typescript public addEventSource(source: IEventSource): void ``` Adds an event source to this function. Event sources are implemented in the aws-cdk-lib/aws-lambda-event-sources module. The following example adds an SQS Queue as an event source: ``` import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; myFunction.addEventSource(new SqsEventSource(myQueue)); ``` ###### `source`^Required - *Type:* aws-cdk-lib.aws_lambda.IEventSource --- ##### `addEventSourceMapping` ```typescript public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping ``` Adds an event source that maps to this AWS Lambda function. ###### `id`^Required - *Type:* string --- ###### `options`^Required - *Type:* aws-cdk-lib.aws_lambda.EventSourceMappingOptions --- ##### `addFunctionUrl` ```typescript public addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl ``` Adds a url to this lambda function. ###### `options`^Optional - *Type:* aws-cdk-lib.aws_lambda.FunctionUrlOptions --- ##### `addPermission` ```typescript public addPermission(name: string, permission: Permission): void ``` Adds a permission to the Lambda resource policy. ###### `name`^Required - *Type:* string --- ###### `permission`^Required - *Type:* aws-cdk-lib.aws_lambda.Permission --- ##### `addToRolePolicy` ```typescript public addToRolePolicy(statement: PolicyStatement): void ``` Adds a statement to the IAM role assumed by the instance. ###### `statement`^Required - *Type:* aws-cdk-lib.aws_iam.PolicyStatement --- ##### `configureAsyncInvoke` ```typescript public configureAsyncInvoke(options: EventInvokeConfigOptions): void ``` Configures options for asynchronous invocation. ###### `options`^Required - *Type:* aws-cdk-lib.aws_lambda.EventInvokeConfigOptions --- ##### `considerWarningOnInvokeFunctionPermissions` ```typescript public considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void ``` A warning will be added to functions under the following conditions: - permissions that include `lambda:InvokeFunction` are added to the unqualified function. function.currentVersion is invoked before or after the permission is created. This applies only to permissions on Lambda functions, not versions or aliases. This function is overridden as a noOp for QualifiedFunctionBase. ###### `scope`^Required - *Type:* constructs.Construct --- ###### `action`^Required - *Type:* string --- ##### `grantInvoke` ```typescript public grantInvoke(grantee: IGrantable): Grant ``` Grant the given identity permissions to invoke this Lambda. [disable-awslint:no-grants] ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ##### `grantInvokeCompositePrincipal` ```typescript public grantInvokeCompositePrincipal(compositePrincipal: CompositePrincipal): Grant[] ``` Grant multiple principals the ability to invoke this Lambda via CompositePrincipal. [disable-awslint:no-grants] ###### `compositePrincipal`^Required - *Type:* aws-cdk-lib.aws_iam.CompositePrincipal --- ##### `grantInvokeLatestVersion` ```typescript public grantInvokeLatestVersion(grantee: IGrantable): Grant ``` Grant the given identity permissions to invoke the $LATEST version or unqualified version of this Lambda. [disable-awslint:no-grants] ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ##### `grantInvokeUrl` ```typescript public grantInvokeUrl(grantee: IGrantable): Grant ``` Grant the given identity permissions to invoke this Lambda Function URL. [disable-awslint:no-grants] ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ##### `grantInvokeVersion` ```typescript public grantInvokeVersion(grantee: IGrantable, version: IVersion): Grant ``` Grant the given identity permissions to invoke the given version of this Lambda. [disable-awslint:no-grants] ###### `grantee`^Required - *Type:* aws-cdk-lib.aws_iam.IGrantable --- ###### `version`^Required - *Type:* aws-cdk-lib.aws_lambda.IVersion --- ##### `metric` ```typescript public metric(metricName: string, props?: MetricOptions): Metric ``` Return the given named metric for this Function. ###### `metricName`^Required - *Type:* string --- ###### `props`^Optional - *Type:* aws-cdk-lib.aws_cloudwatch.MetricOptions --- ##### `metricDuration` ```typescript public metricDuration(props?: MetricOptions): Metric ``` How long execution of this Lambda takes. Average over 5 minutes ###### `props`^Optional - *Type:* aws-cdk-lib.aws_cloudwatch.MetricOptions --- ##### `metricErrors` ```typescript public metricErrors(props?: MetricOptions): Metric ``` How many invocations of this Lambda fail. Sum over 5 minutes ###### `props`^Optional - *Type:* aws-cdk-lib.aws_cloudwatch.MetricOptions --- ##### `metricInvocations` ```typescript public metricInvocations(props?: MetricOptions): Metric ``` How often this Lambda is invoked. Sum over 5 minutes ###### `props`^Optional - *Type:* aws-cdk-lib.aws_cloudwatch.MetricOptions --- ##### `metricThrottles` ```typescript public metricThrottles(props?: MetricOptions): Metric ``` How often this Lambda is throttled. Sum over 5 minutes ###### `props`^Optional - *Type:* aws-cdk-lib.aws_cloudwatch.MetricOptions --- ##### `addDependency` ```typescript public addDependency(up: ...IDependable[]): void ``` Using node.addDependency() does not work on this method as the underlying lambda function is modeled as a singleton across the stack. Use this method instead to declare dependencies. ###### `up`^Required - *Type:* ...constructs.IDependable[] --- ##### `addEnvironment` ```typescript public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function ``` Adds an environment variable to this Lambda function. If this is a ref to a Lambda function, this operation results in a no-op. ###### `key`^Required - *Type:* string The environment variable key. --- ###### `value`^Required - *Type:* string The environment variable's value. --- ###### `options`^Optional - *Type:* aws-cdk-lib.aws_lambda.EnvironmentOptions Environment variable options. --- ##### `addLayers` ```typescript public addLayers(layers: ...ILayerVersion[]): void ``` Adds one or more Lambda Layers to this Lambda function. ###### `layers`^Required - *Type:* ...aws-cdk-lib.aws_lambda.ILayerVersion[] the layers to be added. --- ##### `addMetadata` ```typescript public addMetadata(type: string, data: any, options?: MetadataOptions): void ``` Use this method to write to the construct tree. The metadata entries are written to the Cloud Assembly Manifest if the `treeMetadata` property is specified in the props of the App that contains this Construct. ###### `type`^Required - *Type:* string --- ###### `data`^Required - *Type:* any --- ###### `options`^Optional - *Type:* constructs.MetadataOptions --- ##### `dependOn` ```typescript public dependOn(down: IConstruct): void ``` The SingletonFunction construct cannot be added as a dependency of another construct using node.addDependency(). Use this method instead to declare this as a dependency of another construct. ###### `down`^Required - *Type:* constructs.IConstruct --- ##### `addAgeKey` ```typescript public addAgeKey(key: SecretValue): void ``` ###### `key`^Required - *Type:* aws-cdk-lib.SecretValue --- ##### `addAgeKeyFromSsmParameter` ```typescript public addAgeKeyFromSsmParameter(param: string | IStringParameter, encryptionKey: IKey): void ``` Configure the Lambda to fetch an age private key from an SSM Parameter Store SecureString at runtime, rather than injecting it as a plaintext environment variable at synthesis time. The KMS key used to encrypt the SecureString is required: storing an age private key without envelope encryption is considered insecure. The Lambda is automatically granted `ssm:GetParameter` on the parameter and `kms:Decrypt` on the encryption key. ###### `param`^Required - *Type:* string | aws-cdk-lib.aws_ssm.IStringParameter Parameter name string (e.g. '/sops/age/key') or an `IStringParameter` reference from `aws-cdk-lib/aws-ssm`. --- ###### `encryptionKey`^Required - *Type:* aws-cdk-lib.aws_kms.IKey KMS key used to encrypt the SecureString parameter. --- #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | | isOwnedResource | Returns true if the construct was created by CDK, and false otherwise. | | isResource | Check whether the given construct is a Resource. | --- ##### `isConstruct` ```typescript import { SopsSyncProvider } from 'cdk-sops-secrets' SopsSyncProvider.isConstruct(x: any) ``` Checks if `x` is a construct. Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked. Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead. ###### `x`^Required - *Type:* any Any object. --- ##### `isOwnedResource` ```typescript import { SopsSyncProvider } from 'cdk-sops-secrets' SopsSyncProvider.isOwnedResource(construct: IConstruct) ``` Returns true if the construct was created by CDK, and false otherwise. ###### `construct`^Required - *Type:* constructs.IConstruct --- ##### `isResource` ```typescript import { SopsSyncProvider } from 'cdk-sops-secrets' SopsSyncProvider.isResource(construct: IConstruct) ``` Check whether the given construct is a Resource. ###### `construct`^Required - *Type:* constructs.IConstruct --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | env | aws-cdk-lib.interfaces.ResourceEnvironment | The environment this resource belongs to. | | stack | aws-cdk-lib.Stack | The stack in which this resource is defined. | | architecture | aws-cdk-lib.aws_lambda.Architecture | The architecture of this Lambda Function. | | connections | aws-cdk-lib.aws_ec2.Connections | Access the Connections object. | | functionArn | string | The ARN fo the function. | | functionName | string | The name of the function. | | functionRef | aws-cdk-lib.interfaces.aws_lambda.FunctionReference | A reference to a Function resource. | | grantPrincipal | aws-cdk-lib.aws_iam.IPrincipal | The principal this Lambda Function is running as. | | isBoundToVpc | boolean | Whether or not this Lambda function was bound to a VPC. | | latestVersion | aws-cdk-lib.aws_lambda.IVersion | The `$LATEST` version of this function. | | permissionsNode | constructs.Node | The construct node where permissions are attached. | | resourceArnsForGrantInvoke | string[] | The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). | | role | aws-cdk-lib.aws_iam.IRole | The IAM role associated with this function. | | tenancyConfig | aws-cdk-lib.aws_lambda.TenancyConfig | The tenancy configuration for this function. | | constructName | string | The name of the singleton function. | | currentVersion | aws-cdk-lib.aws_lambda.Version | Returns a `lambda.Version` which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes. | | logGroup | aws-cdk-lib.aws_logs.ILogGroup | The LogGroup where the Lambda function's logs are made available. | | runtime | aws-cdk-lib.aws_lambda.Runtime | The runtime environment for the Lambda function. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `env`^Required ```typescript public readonly env: ResourceEnvironment; ``` - *Type:* aws-cdk-lib.interfaces.ResourceEnvironment The environment this resource belongs to. For resources that are created and managed in a Stack (those created by creating new class instances like `new Role()`, `new Bucket()`, etc.), this is always the same as the environment of the stack they belong to. For referenced resources (those obtained from referencing methods like `Role.fromRoleArn()`, `Bucket.fromBucketName()`, etc.), they might be different than the stack they were imported into. --- ##### `stack`^Required ```typescript public readonly stack: Stack; ``` - *Type:* aws-cdk-lib.Stack The stack in which this resource is defined. --- ##### `architecture`^Required ```typescript public readonly architecture: Architecture; ``` - *Type:* aws-cdk-lib.aws_lambda.Architecture The architecture of this Lambda Function. --- ##### `connections`^Required ```typescript public readonly connections: Connections; ``` - *Type:* aws-cdk-lib.aws_ec2.Connections Access the Connections object. Will fail if not a VPC-enabled Lambda Function --- ##### `functionArn`^Required ```typescript public readonly functionArn: string; ``` - *Type:* string The ARN fo the function. --- ##### `functionName`^Required ```typescript public readonly functionName: string; ``` - *Type:* string The name of the function. --- ##### `functionRef`^Required ```typescript public readonly functionRef: FunctionReference; ``` - *Type:* aws-cdk-lib.interfaces.aws_lambda.FunctionReference A reference to a Function resource. --- ##### `grantPrincipal`^Required ```typescript public readonly grantPrincipal: IPrincipal; ``` - *Type:* aws-cdk-lib.aws_iam.IPrincipal The principal this Lambda Function is running as. --- ##### `isBoundToVpc`^Required ```typescript public readonly isBoundToVpc: boolean; ``` - *Type:* boolean Whether or not this Lambda function was bound to a VPC. If this is is `false`, trying to access the `connections` object will fail. --- ##### `latestVersion`^Required ```typescript public readonly latestVersion: IVersion; ``` - *Type:* aws-cdk-lib.aws_lambda.IVersion The `$LATEST` version of this function. Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations. To obtain a reference to an explicit version which references the current function configuration, use `lambdaFunction.currentVersion` instead. --- ##### `permissionsNode`^Required ```typescript public readonly permissionsNode: Node; ``` - *Type:* constructs.Node The construct node where permissions are attached. --- ##### `resourceArnsForGrantInvoke`^Required ```typescript public readonly resourceArnsForGrantInvoke: string[]; ``` - *Type:* string[] The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). --- ##### `role`^Optional ```typescript public readonly role: IRole; ``` - *Type:* aws-cdk-lib.aws_iam.IRole The IAM role associated with this function. Undefined if the function was imported without a role. --- ##### `tenancyConfig`^Optional ```typescript public readonly tenancyConfig: TenancyConfig; ``` - *Type:* aws-cdk-lib.aws_lambda.TenancyConfig The tenancy configuration for this function. --- ##### `constructName`^Required ```typescript public readonly constructName: string; ``` - *Type:* string The name of the singleton function. It acts as a unique ID within its CDK stack. --- ##### `currentVersion`^Required ```typescript public readonly currentVersion: Version; ``` - *Type:* aws-cdk-lib.aws_lambda.Version Returns a `lambda.Version` which represents the current version of this singleton Lambda function. A new version will be created every time the function's configuration changes. You can specify options for this version using the `currentVersionOptions` prop when initializing the `lambda.SingletonFunction`. --- ##### `logGroup`^Required ```typescript public readonly logGroup: ILogGroup; ``` - *Type:* aws-cdk-lib.aws_logs.ILogGroup The LogGroup where the Lambda function's logs are made available. If either `logRetention` is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default). Further, if the log group already exists and the `logRetention` is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value. --- ##### `runtime`^Required ```typescript public readonly runtime: Runtime; ``` - *Type:* aws-cdk-lib.aws_lambda.Runtime The runtime environment for the Lambda function. --- #### Constants | **Name** | **Type** | **Description** | | --- | --- | --- | | PROPERTY_INJECTION_ID | string | Uniquely identifies this class. | --- ##### `PROPERTY_INJECTION_ID`^Required ```typescript public readonly PROPERTY_INJECTION_ID: string; ``` - *Type:* string Uniquely identifies this class. --- ## Structs ### ExpirationOptions Options for expiration notifications on secret keys. When enabled, CDK reads unencrypted keys ending with the configured suffix (e.g. `gitlab_token_expiration`) from the local `sopsFilePath` and synthesizes one-time EventBridge Scheduler schedules that publish to SNS before each expiration date. #### Initializer ```typescript import { ExpirationOptions } from 'cdk-sops-secrets' const expirationOptions: ExpirationOptions = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | daysBeforeExpiration | number \| number[] | Number of days before the expiration date to send the SNS notification, or multiple reminder offsets to synthesize one schedule per value. | | enabled | boolean | Enable expiration notifications. | | expirationSuffix | string | The suffix used to identify expiration date keys in the secret. | | notificationTopic | aws-cdk-lib.aws_sns.ITopic | An existing SNS topic to publish expiration notifications to. | | subscriber | aws-cdk-lib.aws_sns.ITopicSubscription | A subscriber to attach to the expiration notification topic. | --- ##### `daysBeforeExpiration`^Optional ```typescript public readonly daysBeforeExpiration: number | number[]; ``` - *Type:* number | number[] - *Default:* 14 Number of days before the expiration date to send the SNS notification, or multiple reminder offsets to synthesize one schedule per value. --- ##### `enabled`^Optional ```typescript public readonly enabled: boolean; ``` - *Type:* boolean - *Default:* false Enable expiration notifications. --- ##### `expirationSuffix`^Optional ```typescript public readonly expirationSuffix: string; ``` - *Type:* string - *Default:* '_expiration' The suffix used to identify expiration date keys in the secret. For example, a suffix of `_expiration` will match any key like `gitlab_token_expiration` and treat its value as the expiration date for `gitlab_token`. --- ##### `notificationTopic`^Optional ```typescript public readonly notificationTopic: ITopic; ``` - *Type:* aws-cdk-lib.aws_sns.ITopic - *Default:* A new SNS topic is created An existing SNS topic to publish expiration notifications to. If not provided, a new SNS topic will be created automatically. --- ##### `subscriber`^Optional ```typescript public readonly subscriber: ITopicSubscription; ``` - *Type:* aws-cdk-lib.aws_sns.ITopicSubscription - *Default:* No subscriber is added A subscriber to attach to the expiration notification topic. Works for both an auto-created topic and a provided `notificationTopic`. --- ### MultiStringParameterProps #### Initializer ```typescript import { MultiStringParameterProps } from 'cdk-sops-secrets' const multiStringParameterProps: MultiStringParameterProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The customer-managed encryption key to use for encrypting the secret value. | | description | string | Information about the parameter that you want to add to the system. | | tier | aws-cdk-lib.aws_ssm.ParameterTier | The tier of the string parameter. | | keyPrefix | string | The prefix used for all parameters. | | keySeparator | string | The seperator used to seperate keys. | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ##### `encryptionKey`^Required ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* A default KMS key for the account and region is used. The customer-managed encryption key to use for encrypting the secret value. --- ##### `description`^Optional ```typescript public readonly description: string; ``` - *Type:* string - *Default:* none Information about the parameter that you want to add to the system. --- ##### `tier`^Optional ```typescript public readonly tier: ParameterTier; ``` - *Type:* aws-cdk-lib.aws_ssm.ParameterTier - *Default:* undefined The tier of the string parameter. --- ##### `keyPrefix`^Optional ```typescript public readonly keyPrefix: string; ``` - *Type:* string - *Default:* '/' The prefix used for all parameters. --- ##### `keySeparator`^Optional ```typescript public readonly keySeparator: string; ``` - *Type:* string - *Default:* '/' The seperator used to seperate keys. --- ### SopsCommonParameterProps The configuration options of the StringParameter. #### Initializer ```typescript import { SopsCommonParameterProps } from 'cdk-sops-secrets' const sopsCommonParameterProps: SopsCommonParameterProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The customer-managed encryption key to use for encrypting the secret value. | | description | string | Information about the parameter that you want to add to the system. | | tier | aws-cdk-lib.aws_ssm.ParameterTier | The tier of the string parameter. | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ##### `encryptionKey`^Required ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* A default KMS key for the account and region is used. The customer-managed encryption key to use for encrypting the secret value. --- ##### `description`^Optional ```typescript public readonly description: string; ``` - *Type:* string - *Default:* none Information about the parameter that you want to add to the system. --- ##### `tier`^Optional ```typescript public readonly tier: ParameterTier; ``` - *Type:* aws-cdk-lib.aws_ssm.ParameterTier - *Default:* undefined The tier of the string parameter. --- ### SopsSecretProps The configuration options of the SopsSecret. #### Initializer ```typescript import { SopsSecretProps } from 'cdk-sops-secrets' const sopsSecretProps: SopsSecretProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | | description | string | An optional, human-friendly description of the secret. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The customer-managed encryption key to use for encrypting the secret value. | | expirationNotification | ExpirationOptions | Configure expiration notifications for secret keys. | | rawOutput | RawOutput | Should the secret parsed and transformed to json? | | removalPolicy | aws-cdk-lib.RemovalPolicy | Policy to apply when the secret is removed from this stack. | | replicaRegions | aws-cdk-lib.aws_secretsmanager.ReplicaRegion[] | A list of regions where to replicate this secret. | | secretName | string | A name for the secret. | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ##### `description`^Optional ```typescript public readonly description: string; ``` - *Type:* string - *Default:* No description. An optional, human-friendly description of the secret. --- ##### `encryptionKey`^Optional ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* A default KMS key for the account and region is used. The customer-managed encryption key to use for encrypting the secret value. --- ##### `expirationNotification`^Optional ```typescript public readonly expirationNotification: ExpirationOptions; ``` - *Type:* ExpirationOptions - *Default:* Expiration notifications are disabled Configure expiration notifications for secret keys. When `enabled: true`, CDK reads unencrypted expiration keys from the local `sopsFilePath` and synthesizes one-time EventBridge Scheduler schedules that publish to SNS before each expiration. --- ##### `rawOutput`^Optional ```typescript public readonly rawOutput: RawOutput; ``` - *Type:* RawOutput - *Default:* undefined - STRING for binary secrets, else no raw output Should the secret parsed and transformed to json? --- ##### `removalPolicy`^Optional ```typescript public readonly removalPolicy: RemovalPolicy; ``` - *Type:* aws-cdk-lib.RemovalPolicy - *Default:* Not set. Policy to apply when the secret is removed from this stack. --- ##### `replicaRegions`^Optional ```typescript public readonly replicaRegions: ReplicaRegion[]; ``` - *Type:* aws-cdk-lib.aws_secretsmanager.ReplicaRegion[] - *Default:* Secret is not replicated A list of regions where to replicate this secret. --- ##### `secretName`^Optional ```typescript public readonly secretName: string; ``` - *Type:* string - *Default:* A name is generated by CloudFormation. A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name. --- ### SopsStringParameterProps #### Initializer ```typescript import { SopsStringParameterProps } from 'cdk-sops-secrets' const sopsStringParameterProps: SopsStringParameterProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The customer-managed encryption key to use for encrypting the secret value. | | description | string | Information about the parameter that you want to add to the system. | | tier | aws-cdk-lib.aws_ssm.ParameterTier | The tier of the string parameter. | | parameterName | string | The name of the parameter. | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ##### `encryptionKey`^Required ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* A default KMS key for the account and region is used. The customer-managed encryption key to use for encrypting the secret value. --- ##### `description`^Optional ```typescript public readonly description: string; ``` - *Type:* string - *Default:* none Information about the parameter that you want to add to the system. --- ##### `tier`^Optional ```typescript public readonly tier: ParameterTier; ``` - *Type:* aws-cdk-lib.aws_ssm.ParameterTier - *Default:* undefined The tier of the string parameter. --- ##### `parameterName`^Optional ```typescript public readonly parameterName: string; ``` - *Type:* string - *Default:* a name will be generated by CloudFormation The name of the parameter. --- ### SopsSyncOptions Configuration options for the SopsSync. #### Initializer ```typescript import { SopsSyncOptions } from 'cdk-sops-secrets' const sopsSyncOptions: SopsSyncOptions = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ### SopsSyncProps The configuration options extended by the target Secret / Parameter. #### Initializer ```typescript import { SopsSyncProps } from 'cdk-sops-secrets' const sopsSyncProps: SopsSyncProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. | | autoGenerateIamPermissions | boolean | Should this construct automatically create IAM permissions? | | sopsAgeKey | aws-cdk-lib.SecretValue | The age key that should be used for encryption. | | sopsFileFormat | string | The format of the sops file. | | sopsFilePath | string | The filepath to the sops file. | | sopsKmsKey | aws-cdk-lib.aws_kms.IKey[] | The kmsKey used to encrypt the sops file. | | sopsProvider | SopsSyncProvider | The custom resource provider to use. | | sopsS3Bucket | string | If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. | | uploadType | UploadType | How should the secret be passed to the CustomResource? | | resourceType | ResourceType | Will this Sync deploy a Secret or Parameter(s). | | target | string | The target to populate with the sops file content. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used for encrypting the ssm parameter if `parameterName` is set. | | flattenSeparator | string | If the structure should be flattened use the provided separator between keys. | | parameterNames | string[] | *No description.* | | secret | aws-cdk-lib.aws_secretsmanager.ISecret | *No description.* | --- ##### `assetEncryptionKey`^Optional ```typescript public readonly assetEncryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey - *Default:* Trying to get the key using the CDK Bootstrap context. The encryption key used by the CDK default Asset S3 Bucket. --- ##### `autoGenerateIamPermissions`^Optional ```typescript public readonly autoGenerateIamPermissions: boolean; ``` - *Type:* boolean - *Default:* true Should this construct automatically create IAM permissions? --- ##### `sopsAgeKey`^Optional ```typescript public readonly sopsAgeKey: SecretValue; ``` - *Type:* aws-cdk-lib.SecretValue The age key that should be used for encryption. --- ##### `sopsFileFormat`^Optional ```typescript public readonly sopsFileFormat: string; ``` - *Type:* string - *Default:* The fileformat will be derived from the file ending The format of the sops file. --- ##### `sopsFilePath`^Optional ```typescript public readonly sopsFilePath: string; ``` - *Type:* string The filepath to the sops file. --- ##### `sopsKmsKey`^Optional ```typescript public readonly sopsKmsKey: IKey[]; ``` - *Type:* aws-cdk-lib.aws_kms.IKey[] - *Default:* The key will be derived from the sops file The kmsKey used to encrypt the sops file. Encrypt permissions will be granted to the custom resource provider. --- ##### `sopsProvider`^Optional ```typescript public readonly sopsProvider: SopsSyncProvider; ``` - *Type:* SopsSyncProvider - *Default:* A new singleton provider will be created The custom resource provider to use. If you don't specify any, a new provider will be created - or if already exists within this stack - reused. --- ##### `sopsS3Bucket`^Optional ```typescript public readonly sopsS3Bucket: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `sopsS3Key`^Optional ```typescript public readonly sopsS3Key: string; ``` - *Type:* string If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. --- ##### `uploadType`^Optional ```typescript public readonly uploadType: UploadType; ``` - *Type:* UploadType - *Default:* INLINE How should the secret be passed to the CustomResource? --- ##### `resourceType`^Required ```typescript public readonly resourceType: ResourceType; ``` - *Type:* ResourceType Will this Sync deploy a Secret or Parameter(s). --- ##### `target`^Required ```typescript public readonly target: string; ``` - *Type:* string The target to populate with the sops file content. for secret, it's the name or arn of the secret - for parameter, it's the name of the parameter - for parameter multi, it's the prefix of the parameters --- ##### `encryptionKey`^Optional ```typescript public readonly encryptionKey: IKey; ``` - *Type:* aws-cdk-lib.aws_kms.IKey The encryption key used for encrypting the ssm parameter if `parameterName` is set. --- ##### `flattenSeparator`^Optional ```typescript public readonly flattenSeparator: string; ``` - *Type:* string - *Default:* undefined If the structure should be flattened use the provided separator between keys. --- ##### `parameterNames`^Optional ```typescript public readonly parameterNames: string[]; ``` - *Type:* string[] --- ##### `secret`^Optional ```typescript public readonly secret: ISecret; ``` - *Type:* aws-cdk-lib.aws_secretsmanager.ISecret --- ### SopsSyncProviderProps Configuration options for a custom SopsSyncProvider. #### Initializer ```typescript import { SopsSyncProviderProps } from 'cdk-sops-secrets' const sopsSyncProviderProps: SopsSyncProviderProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | logGroup | aws-cdk-lib.aws_logs.ILogGroup | The log group the function sends logs to. | | logRetention | aws-cdk-lib.aws_logs.RetentionDays | The number of days log events are kept in CloudWatch Logs. | | role | aws-cdk-lib.aws_iam.IRole | The role that should be used for the custom resource provider. | | securityGroups | aws-cdk-lib.aws_ec2.ISecurityGroup[] | Only if `vpc` is supplied: The list of security groups to associate with the Lambda's network interfaces. | | uuid | string | A unique identifier to identify this provider. | | vpc | aws-cdk-lib.aws_ec2.IVpc | VPC network to place Lambda network interfaces. | | vpcSubnets | aws-cdk-lib.aws_ec2.SubnetSelection | Where to place the network interfaces within the VPC. | --- ##### `logGroup`^Optional ```typescript public readonly logGroup: ILogGroup; ``` - *Type:* aws-cdk-lib.aws_logs.ILogGroup - *Default:* `/aws/lambda/${this.functionName}` - default log group created by Lambda The log group the function sends logs to. By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/{function-name}. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention. Use the `logGroup` property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it. Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first. --- ##### `logRetention`^Optional ```typescript public readonly logRetention: RetentionDays; ``` - *Type:* aws-cdk-lib.aws_logs.RetentionDays - *Default:* logs.RetentionDays.INFINITE The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to `INFINITE`. This is a legacy API and we strongly recommend you move away from it if you can. Instead create a fully customizable log group with `logs.LogGroup` and use the `logGroup` property to instruct the Lambda function to send logs to it. Migrating from `logRetention` to `logGroup` will cause the name of the log group to change. Users and code and referencing the name verbatim will have to adjust. In AWS CDK code, you can access the log group name directly from the LogGroup construct: ```ts import * as logs from 'aws-cdk-lib/aws-logs'; declare const myLogGroup: logs.LogGroup; myLogGroup.logGroupName; ``` --- ##### `role`^Optional ```typescript public readonly role: IRole; ``` - *Type:* aws-cdk-lib.aws_iam.IRole - *Default:* a new role will be created The role that should be used for the custom resource provider. If you don't specify any, a new role will be created with all required permissions --- ##### `securityGroups`^Optional ```typescript public readonly securityGroups: ISecurityGroup[]; ``` - *Type:* aws-cdk-lib.aws_ec2.ISecurityGroup[] - *Default:* A dedicated security group will be created for the lambda function. Only if `vpc` is supplied: The list of security groups to associate with the Lambda's network interfaces. --- ##### `uuid`^Optional ```typescript public readonly uuid: string; ``` - *Type:* string - *Default:* SopsSyncProvider A unique identifier to identify this provider. Overwrite the default, if you need a dedicated provider. --- ##### `vpc`^Optional ```typescript public readonly vpc: IVpc; ``` - *Type:* aws-cdk-lib.aws_ec2.IVpc - *Default:* Lambda function is not placed within a VPC. VPC network to place Lambda network interfaces. --- ##### `vpcSubnets`^Optional ```typescript public readonly vpcSubnets: SubnetSelection; ``` - *Type:* aws-cdk-lib.aws_ec2.SubnetSelection - *Default:* Subnets will be chosen automatically. Where to place the network interfaces within the VPC. --- ## Enums ### RawOutput #### Members | **Name** | **Description** | | --- | --- | | STRING | Parse the secret as a string. | | BINARY | Parse the secret as a binary. | --- ##### `STRING` Parse the secret as a string. --- ##### `BINARY` Parse the secret as a binary. --- ### ResourceType #### Members | **Name** | **Description** | | --- | --- | | SECRET | *No description.* | | SECRET_RAW | *No description.* | | SECRET_BINARY | *No description.* | | PARAMETER | *No description.* | | PARAMETER_MULTI | *No description.* | --- ##### `SECRET` --- ##### `SECRET_RAW` --- ##### `SECRET_BINARY` --- ##### `PARAMETER` --- ##### `PARAMETER_MULTI` --- ### UploadType #### Members | **Name** | **Description** | | --- | --- | | INLINE | Pass the secret data inline (base64 encoded and compressed). | | ASSET | Uplaod the secret data as asset. | --- ##### `INLINE` Pass the secret data inline (base64 encoded and compressed). --- ##### `ASSET` Uplaod the secret data as asset. ---