SecretsManagerMetricsPublisher lambda LastRotationDate should default to the AWSCURRENT createdDate

[jacklin213]

Feature scope

SecretsManager

Describe your suggested feature

At present day, if the secret is not enabled for rotation, the lambda defaults the lastRotationDate metric to the secret creation date. This can be confusing as manual updates to a secret value can also be considered as the secret being "rotated"

cdk-monitoring-constructs/assets/SecretsManagerMetricsPublisher/index.js

Line 39 in 53a5c03

const lastRotatedDate = secret.LastRotatedDate ?? secret.CreatedDate;

lastChangedDate is not a good representation for a manual update to the secret value as updating the description will also update this value.

Proposing to change the default lastRotatedDate to the createdDate for the AWSCURRENT version of the secret as manually updating the secret value is considered rotating the secret.
NOTE: This would now require secretsmanager:GetSecretValue permissions, meaning the below would need to be updated too.

cdk-monitoring-constructs/lib/monitoring/aws-secretsmanager/SecretsManagerMetricsPublisher.ts

Lines 42 to 48 in 53a5c03

	this.lambda.addToRolePolicy(
	new PolicyStatement({
	effect: Effect.ALLOW,
	actions: ["secretsmanager:DescribeSecret"],
	resources: ["*"],
	}),
	);

Sample code:

let lastRotatedDate = secret.LastRotatedDate;
if (!lastRotatedDate) {
    const secretValue = await secretsManagerClient.send(
        new GetSecretValue({
            SecretId: event.secretId,
            VersionStage: 'AWSCURRENT'
        })
    );

    if (!secretValue.CreatedDate) {
        throw new Error("Invalid secret value response");
    }

    // Set last rotation to AWSCURRENT secret created date or fallback to existing behavior of secret's created date
    lastRotatedDate = secretValue.CreatedDate ?? secret.CreatedDate
}

[jacklin213]

If the team agrees to the approach, I would be more than happy to make a PR

[echeung-amzn]

I'm a bit iffy of actually having permissions to get the values, what about ListSecretVersionIds, which also gives you the CreatedDates? Downside would potentially be dealing with pagination.