feat(secretsmanager): deletionPolicy for secretsmanager (aws#8188)

We often store important values on secretsmanager.Secret. But, without DeletionPolicy(Retain), it can be deleted by human error. So, add DeletionPolicy to secretsmanager.Secret's initialization Props. closes: aws#6527 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
orekav · Jun 8, 2020 · f6fe36a · f6fe36a
1 parent 02ddab8
commit f6fe36a
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-secretsmanager/README.md b/packages/@aws-cdk/aws-secretsmanager/README.md
@@ -39,6 +39,8 @@ const secret = secretsmanager.Secret.fromSecretAttributes(scope, 'ImportedSecret
 SecretsManager secret values can only be used in select set of properties. For the
 list of properties, see [the CloudFormation Dynamic References documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
 
+A secret can set `RemovalPolicy`. If it set to `RETAIN`, that removing a secret will fail.
+
 ### Grant permission to use the secret to a role
 
 You must grant permission to a resource for that resource to be allowed to 

diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -1,6 +1,6 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
-import { Construct, IResource, Resource, SecretValue, Stack } from '@aws-cdk/core';
+import { Construct, IResource, RemovalPolicy, Resource, SecretValue, Stack } from '@aws-cdk/core';
 import { ResourcePolicy } from './policy';
 import { RotationSchedule, RotationScheduleOptions } from './rotation-schedule';
 import * as secretsmanager from './secretsmanager.generated';
@@ -102,6 +102,13 @@ export interface SecretProps {
    * @default - A name is generated by CloudFormation.
    */
   readonly secretName?: string;
+
+  /**
+   * Policy to apply when the secret is removed from this stack.
+   *
+   * @default - Not set.
+   */
+  readonly removalPolicy?: RemovalPolicy;
 }
 
 /**
@@ -260,6 +267,10 @@ export class Secret extends SecretBase {
       name: this.physicalName,
     });
 
+    if (props.removalPolicy) {
+      resource.applyRemovalPolicy(props.removalPolicy);
+    }
+
     this.secretArn = this.getResourceArnAttribute(resource.ref, {
       service: 'secretsmanager',
       resource: 'secret',

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { expect, haveResource, haveResourceLike, ResourcePart } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
@@ -22,6 +22,25 @@ export = {
     test.done();
   },
 
+  'set removalPolicy to secret'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new secretsmanager.Secret(stack, 'Secret', {
+      removalPolicy: cdk.RemovalPolicy.RETAIN,
+    });
+
+    // THEN
+    expect(stack).to(haveResourceLike('AWS::SecretsManager::Secret',
+      {
+        DeletionPolicy: 'Retain',
+      }, ResourcePart.CompleteDefinition,
+    ));
+
+    test.done();
+  },
+
   'secret with kms'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();