Metadata-Version: 2.1
Name: aws-secret-cdk
Version: 5.3.0
Summary: Package to create a SecretsManager's secret with auto rotation.
Home-page: https://github.com/idenfy/AwsSecretCdk
Author: Laimonas Sutkus
Author-email: laimonas@idenfy.com,laimonas.sutkus@gmail.com
License: GNU GENERAL PUBLIC LICENSE Version 3
Description: ## AWS Secret Cdk
        
        A library to create and provision secrets in
        [AWS SecretsManager](https://aws.amazon.com/secrets-manager/).
        It makes it easy to create secrets with
        [secret rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)
        enabled, without hand-writing the rotation Lambda function and its permissions.
        
        #### Remarks
        
        The project is written by [Laimonas Sutkus](https://github.com/laimonassutkus)
        and is owned by [iDenfy](https://github.com/idenfy). This is an open source
        library intended to be used by anyone. [iDenfy](https://github.com/idenfy) aims
        to share its knowledge and educate the market for a better and more secure IT infrastructure.
        
        #### Related technology
        
        This project utilizes the following technology:
        
        - *AWS* (Amazon Web Services).
        - *AWS CDK* (Amazon Web Services Cloud Development Kit).
        - *AWS CloudFormation*.
        - *AWS SecretsManager*.
        
        #### Assumptions
        
        This library assumes the following:
        
        - You have knowledge of AWS (Amazon Web Services).
        - You have knowledge of AWS CloudFormation and AWS SecretsManager.
        - You are managing your infrastructure with AWS CDK.
        - You are writing your AWS CDK stacks in Python.
        
        #### Install
        
        The project is built and uploaded to PyPI. Install it with pip.
        
        ```bash
        pip install aws-secret-cdk
        ```
        
        Or install it directly from source.
        
        ```bash
        ./build.sh -ic
        ```
        
        #### Description
        
        SecretsManager is a great AWS service for managing secrets such as database
        passwords. It is easy to create and configure a secret through the AWS
        console (UI). However, it is notoriously difficult to create and manage
        secrets through CloudFormation: you need a Lambda function that executes the
        secret rotation, the correct permissions and security groups for that function,
        a secret whose value follows the template the rotation function expects, and so on.
        This library tackles that problem. In a nutshell, you provide the database
        for which the secret should be created, plus a few other parameters, and
        that's it. You're good to go.
        
        One big note: this library can be used on *existing* databases, not only on
        databases created in the same stack.
        
        #### Examples
        
        Here are the examples on how to use this library with various scenarios.
        
        ##### RDS (MySQL and Aurora MySQL compatible) single user rotation
        
        To create a SecretsManager secret for an RDS database with 30-day rotation, create a
        `Secret` instance.
        
        ```python
        from aws_cdk.core import Construct, Stack
        from aws_cdk.aws_ec2 import Vpc
        from aws_cdk import aws_rds
        from aws_secret_cdk.vpc_parameters import VPCParameters
        from aws_secret_cdk.aurora_mysql_single_user.secret import Secret
        
        class MyStack(Stack):
            def __init__(self, scope: Construct, id: str, **kwargs):
                super().__init__(scope, id, **kwargs)
                
                # Suppose you have defined a VPC (with private subnets).
                self.vpc = Vpc(self, 'Vpc')
        
                # Suppose you have a database cluster (an existing one works too).
                self.database = aws_rds.CfnDBCluster(self, 'Database', engine='aurora-mysql')
                
                # Now simply create a secret with 30 day rotation.
                self.rds_secret = Secret(
                    stack=self,
                    prefix='MyResourcesPrefix',
                    vpc_parameters=VPCParameters(
                        rotation_lambda_vpc=self.vpc,
                        rotation_lambda_security_groups=[
                            # Your SGs. The rotation Lambda has to reach the
                            # database on its port, so the database's SG must
                            # allow ingress from these SGs.
                        ],
                        # NOTE! Ensure that your private subnets have a NAT gateway
                        # or an interface VPC endpoint for SecretsManager: the
                        # rotation Lambda must reach the SecretsManager API,
                        # which is outside your own VPC.
                        rotation_lambda_subnets=self.vpc.private_subnets
                    ),
                    database=self.database
                )
        ```
        
        And that's pretty much it. From now on your database password will be stored
        in SecretsManager and will be rotated every 30 days.
        
        ##### Using the new secret
        
        To retrieve the secret from your application, use the sample code below. Note that
        the value of an RDS secret is a JSON document holding the connection parameters
        (user name, password, host, and so on), not a bare password, so parse it with `json.loads`
        before use.
        
        ```python
        # Use this code snippet in your app. It is adapted from the sample code the
        # AWS console offers for a secret; for more details see the AWS docs:
        # https://aws.amazon.com/developers/getting-started/python/
        
        import base64
        
        import boto3
        from botocore.exceptions import ClientError
        
        
        def get_secret():
            secret_name = "test"        # the secret's name or ARN
            region_name = "eu-west-1"
        
            # Create a Secrets Manager client. Credentials come from the usual
            # boto3 chain (instance/task role, environment, profile).
            session = boto3.session.Session()
            client = session.client(
                service_name='secretsmanager',
                region_name=region_name
            )
        
            try:
                get_secret_value_response = client.get_secret_value(
                    SecretId=secret_name
                )
            except ClientError:
                # Some error happened here (e.g. access denied, secret not found).
                # Log it / handle it / re-raise it, but never log the secret value.
                raise
        
            if 'SecretString' in get_secret_value_response:
                secret = get_secret_value_response['SecretString']
            else:
                secret = base64.b64decode(get_secret_value_response['SecretBinary'])
        
            return secret
        ```
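Two things the snippet above leaves to the caller, and both matter once rotation is on: the value of an RDS secret is a JSON document rather than a bare password, and credentials cached by a long-running process go stale the moment the rotation Lambda swaps the database password. The following is an added example, not code from this library or from the AWS sample, showing how to parse that document, cache it for a bounded time, and refresh it once when the database rejects the cached credentials. It assumes the secret follows the JSON layout the AWS-provided RDS MySQL rotation function uses (`engine`, `host`, `username`, `password`, optional `dbname` and `port`); `FakeDatabase`, `SECRET_V1`/`SECRET_V2` and the `store` dict are constructed stand-ins for the database and for SecretsManager so that it runs offline. In a real application the `fetch` callable would wrap `get_secret()` from the snippet above.

```python
import json
import time
from typing import Any, Callable, Dict, Optional

# Keys the AWS-provided RDS MySQL single-user rotation function reads from the
# secret's JSON value. ASSUMPTION: the secret template aws-secret-cdk creates
# follows this layout (the README only says it uses a "secret template").
REQUIRED_KEYS = ("engine", "host", "username", "password")


def parse_db_secret(secret_value) -> Dict[str, Any]:
    """Parse a SecretString (or decoded SecretBinary) into connection parameters.

    Raises ValueError on malformed input without echoing the secret into the
    message, so a failed parse can be logged safely.
    """
    if isinstance(secret_value, (bytes, bytearray)):
        secret_value = secret_value.decode("utf-8")
    try:
        data = json.loads(secret_value)
    except json.JSONDecodeError as exc:
        raise ValueError("secret value is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("secret value must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if not data.get(key)]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    if data["engine"] != "mysql":
        # The MySQL rotation Lambda refuses other engine values, so such a
        # secret could never have been rotated successfully.
        raise ValueError("unexpected engine for a MySQL rotation secret")
    return {
        "host": data["host"],
        "port": int(data.get("port", 3306)),  # port is optional in the template
        "username": data["username"],
        "password": data["password"],
        "dbname": data.get("dbname"),
    }


class RotatingSecretCache:
    """Cache the parsed secret for a bounded time instead of calling
    GetSecretValue on every request, but allow it to be dropped on demand so a
    rotation (a new AWSCURRENT version) is picked up before the TTL expires."""

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch      # real app: lambda: get_secret()
        self._ttl = ttl_seconds
        self._clock = clock
        self._value: Optional[Dict[str, Any]] = None
        self._expires_at = 0.0
        self.fetch_count = 0     # how many times the API was actually hit

    def get(self) -> Dict[str, Any]:
        if self._value is None or self._clock() >= self._expires_at:
            self._value = parse_db_secret(self._fetch())
            self._expires_at = self._clock() + self._ttl
            self.fetch_count += 1
        return self._value

    def invalidate(self) -> None:
        self._value = None


def connect_with_retry(cache: RotatingSecretCache,
                       connect: Callable[[Dict[str, Any]], Any],
                       is_auth_error: Callable[[Exception], bool]) -> Any:
    """Connect with cached credentials; if the database rejects them (a rotation
    happened after we cached), refresh the secret once and retry once."""
    try:
        return connect(cache.get())
    except Exception as exc:
        if not is_auth_error(exc):
            raise
        cache.invalidate()
        return connect(cache.get())


# Constructed sample data, not real credentials: the secret value before and
# after one rotation, in the template layout described above.
SECRET_V1 = json.dumps({"engine": "mysql", "host": "db.example.internal", "port": 3306,
                        "username": "app", "password": "old-password", "dbname": "app"})
SECRET_V2 = json.dumps({"engine": "mysql", "host": "db.example.internal", "port": 3306,
                        "username": "app", "password": "new-password", "dbname": "app"})


class FakeDatabase:
    """Stand-in for the RDS cluster: accepts only the password currently set."""

    def __init__(self, password: str) -> None:
        self.password = password

    def connect(self, creds: Dict[str, Any]) -> str:
        if creds["password"] != self.password:
            raise PermissionError("Access denied for user")  # models MySQL error 1045
        return "connected as {}@{}:{}".format(creds["username"], creds["host"], creds["port"])


def demo() -> Dict[str, Any]:
    """Walk through one rotation: connect, rotate, connect again."""
    db = FakeDatabase("old-password")
    store = {"value": SECRET_V1}   # stands in for SecretsManager's AWSCURRENT value
    cache = RotatingSecretCache(fetch=lambda: store["value"], ttl_seconds=300.0)

    def is_auth_error(exc: Exception) -> bool:
        return isinstance(exc, PermissionError)

    first = connect_with_retry(cache, db.connect, is_auth_error)
    # The rotation Lambda sets the new password in the database and moves the
    # AWSCURRENT label to the new version; the cached credentials are now stale.
    db.password = "new-password"
    store["value"] = SECRET_V2
    second = connect_with_retry(cache, db.connect, is_auth_error)
    return {"first": first, "second": second, "fetches": cache.fetch_count}


if __name__ == "__main__":
    print(demo())
```

The retry is deliberately limited to one refresh: a second authentication failure with a freshly fetched secret means something other than rotation is wrong (the rotation Lambda failed half-way, or the application is pointed at the wrong secret), and looping would only hammer both the API and the database. If you would rather not maintain this yourself, the AWS-maintained `aws-secretsmanager-caching` package implements the same TTL-bounded cache around `GetSecretValue`.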
        
        # Release history
        
        #### 5.3.0
        Include MD files.
        
        #### 5.2.0
        Update to CDK 1.60.0 and add an upper dependency bound of 2.0.0.
        
        #### 5.1.0
        Force update to CDK 1.44.0.
        
        #### 5.0.0
        Restructure the project, having in mind that different types of rotation are
        possible, e.g. DynamoDB secret rotation or RDS multi user secret rotation.
        Narrowed down the permissions required for rotation. With this version
        the aws-secret-cdk package is fully functional and available to be used.
        
        #### 4.0.0
        Do not enforce KMS CMKs. Use assets to deploy the Lambda function source code
        instead of S3 buckets. Use better prefixes. Refactor the Lambda function source code
        to support initial passwords on existing databases. Warning: loosened permissions;
        the next commit should fix them.
        
        #### 3.0.1
        Update README.
        
        #### 3.0.0
        Shorten lambda bucket name.
        
        #### 2.0.3
        Consistent naming.
        
        #### 2.0.2
        Add docstrings.
        
        #### 2.0.1
        Fix target types and target arns.
        
        #### 2.0.0
        General bug fixes. Add permission for KMS key resource. Add secret template.
        
        #### 1.0.9
        Add secrets manager as a valid principal to invoke rotation lambda.
        
        #### 1.0.8
        Add S3 removal policy.
        
        #### 1.0.7
        Don't use managed policies.
        
        #### 1.0.6
        Aws Lambda dependency update.
        
        #### 1.0.5
        Aws Lambda dependency update.
        
        #### 1.0.4
        Don't create a Code class instance.
        
        #### 1.0.3
        Move packages into main package.
        
        #### 1.0.2
        Fix manifest file.
        
        #### 1.0.1
        Ensure the bucket and the bucket deployment have different names.
        
        #### 1.0.0
        Initial commit. Add ability to create RDS secret and rotate it every 30 days.
        
Keywords: AWS CDK CloudFormation SecretsManager Infrastructure Cloud DevOps
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Operating System :: OS Independent
Description-Content-Type: text/markdown
