Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecretsManagerMetricsPublisher lambda LastRotationDate should default to the AWSCURRENT createdDate #624

Open
jacklin213 opened this issue Mar 15, 2025 · 2 comments
Open

SecretsManagerMetricsPublisher lambda LastRotationDate should default to the AWSCURRENT createdDate #624

jacklin213 opened this issue Mar 15, 2025 · 2 comments
Labels
feature-request New feature

Comments

@jacklin213
Copy link

jacklin213 commented Mar 15, 2025
edited
Loading

Feature scope

SecretsManager

Describe your suggested feature

At present day, if the secret is not enabled for rotation, the lambda defaults the lastRotationDate metric to the secret creation date. This can be confusing as manual updates to a secret value can also be considered as the secret being "rotated"

cdk-monitoring-constructs/assets/SecretsManagerMetricsPublisher/index.js

Line 39 in 53a5c03

const lastRotatedDate = secret.LastRotatedDate ?? secret.CreatedDate;

lastChangedDate is not a good representation for a manual update to the secret value as updating the description will also update this value.

Proposing to change the default lastRotatedDate to the createdDate for the AWSCURRENT version of the secret as manually updating the secret value is considered rotating the secret.
NOTE: This would now require secretsmanager:GetSecretValue permissions, meaning the below would need to be updated too.

cdk-monitoring-constructs/lib/monitoring/aws-secretsmanager/SecretsManagerMetricsPublisher.ts

Lines 42 to 48 in 53a5c03

this.lambda.addToRolePolicy(
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["secretsmanager:DescribeSecret"],
resources: ["*"],
}),
);

Sample code:

let lastRotatedDate = secret.LastRotatedDate;
if (!lastRotatedDate) {
    const secretValue = await secretsManagerClient.send(
        new GetSecretValue({
            SecretId: event.secretId,
            VersionStage: 'AWSCURRENT'
        })
    );

    if (!secretValue.CreatedDate) {
        throw new Error("Invalid secret value response");
    }

    // Set last rotation to AWSCURRENT secret created date or fallback to existing behavior of secret's created date
    lastRotatedDate = secretValue.CreatedDate ?? secret.CreatedDate
}
@jacklin213 jacklin213 added the feature-request New feature label Mar 15, 2025
@jacklin213
Copy link
Author

If the team agrees to the approach, I would be more than happy to make a PR

@echeung-amzn
Copy link
Member

I'm a bit iffy of actually having permissions to get the values, what about ListSecretVersionIds, which also gives you the CreatedDates? Downside would potentially be dealing with pagination.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request New feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jacklin213 @echeung-amzn