fix(core): SecretValue.secretsManager fails for tokenized secret-id (#…

…16230) `SecretValue.secretsManager` fails if a token is used for `secret-id`. This is caused by a validation which should be skipped for tokenized values. Solved by skipping the validation if token is unresolved. Fixes #16166. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 27, 2021 · 5831456 · 5831456
1 parent dbb3f25
commit 5831456
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/packages/@aws-cdk/core/lib/secret-value.ts b/packages/@aws-cdk/core/lib/secret-value.ts
@@ -1,6 +1,7 @@
 import { CfnDynamicReference, CfnDynamicReferenceService } from './cfn-dynamic-reference';
 import { CfnParameter } from './cfn-parameter';
 import { Intrinsic } from './private/intrinsic';
+import { Token } from './token';
 
 /**
  * Work with secret values in the CDK
@@ -39,7 +40,7 @@ export class SecretValue extends Intrinsic {
       throw new Error('secretId cannot be empty');
     }
 
-    if (!secretId.startsWith('arn:') && secretId.includes(':')) {
+    if (!Token.isUnresolved(secretId) && !secretId.startsWith('arn:') && secretId.includes(':')) {
       throw new Error(`secret id "${secretId}" is not an ARN but contains ":"`);
     }
 

diff --git a/packages/@aws-cdk/core/test/secret-value.test.ts b/packages/@aws-cdk/core/test/secret-value.test.ts
@@ -1,4 +1,4 @@
-import { CfnDynamicReference, CfnDynamicReferenceService, CfnParameter, SecretValue, Stack } from '../lib';
+import { CfnDynamicReference, CfnDynamicReferenceService, CfnParameter, SecretValue, Stack, Token } from '../lib';
 
 describe('secret value', () => {
   test('plainText', () => {
@@ -28,6 +28,30 @@ describe('secret value', () => {
 
   });
 
+  test('secretsManager with secret-id from token', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const v = SecretValue.secretsManager(Token.asString({ Ref: 'secret-id' }), {
+      jsonField: 'json-key',
+      versionStage: 'version-stage',
+    });
+
+    // THEN
+    expect(stack.resolve(v)).toEqual({
+      'Fn::Join': [
+        '',
+        [
+          '{{resolve:secretsmanager:',
+          { Ref: 'secret-id' },
+          ':SecretString:json-key:version-stage:}}',
+        ],
+      ],
+    });
+
+  });
+
   test('secretsManager with defaults', () => {
     // GIVEN
     const stack = new Stack();
@@ -40,6 +64,27 @@ describe('secret value', () => {
 
   });
 
+  test('secretsManager with defaults, secret-id from token', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const v = SecretValue.secretsManager(Token.asString({ Ref: 'secret-id' }));
+
+    // THEN
+    expect(stack.resolve(v)).toEqual({
+      'Fn::Join': [
+        '',
+        [
+          '{{resolve:secretsmanager:',
+          { Ref: 'secret-id' },
+          ':SecretString:::}}',
+        ],
+      ],
+    });
+
+  });
+
   test('secretsManager with an empty ID', () => {
     expect(() => SecretValue.secretsManager('')).toThrow(/secretId cannot be empty/);