bug: spurious AwsSolutions-SMG4 with aws-cdk-lib >= 2.116.0

[anentropic]

What is the problem?

we updated our version of aws-cdk-lib today from 2.115 to 2.120 latest

started getting this nag:

AwsSolutions-SMG4: The secret does not have automatic rotation scheduled. AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database.

but in our cdk code there is clearly a rotation set up

Reproduction Steps

        rds_instance = rds.DatabaseInstance(
            ...
        )
        rds_instance.add_rotation_single_user(
            automatically_after=Duration.days(30),
            rotate_immediately_on_update=True,
        )

then use aws-cdk-lib >= 2.116.0

What did you expect to happen?

no nag, because we have a rotation

What actually happened?

when upgrading aws-cdk-lib to 2.116.0 or later we start getting the nag

cdk-nag version

2.28.7

Language

Python

Other information

Looking at the changes released in aws-cdk-lib 2.116.0 there were two possibly relevant PRs:

• fix(secretsmanager): hosted rotation with fromSecretNameV2() does not create correct iam policy aws/aws-cdk#28379
• fix(secretsmanager): cannot set hourly rotation aws/aws-cdk#28303

I think it may be the latter, because here it changes the rotationRules in the generated schedule to use a scheduleExpression rather than automaticallyAfterDays

and the relevant check in cdk-nag:

cdk-nag/src/rules/secretsmanager/SecretsManagerRotationEnabled.ts

Line 120 in 7e9aa43

const automaticallyAfterDays = Stack.of(node).resolve(

only looks for automaticallyAfterDays rather than any valid scheduling rule

[ruvimrd]

Related to #1565 and #1566

[clueleaf]

@anentropic Please try cdk-nag v2.28.13