From 03a5d7b27c8f5d0386381c99010e538bc23644b5 Mon Sep 17 00:00:00 2001 From: awstools Date: Thu, 22 Dec 2022 19:14:34 +0000 Subject: [PATCH] feat(client-rds): Add support for managing master user password in AWS Secrets Manager for the DBInstance and DBCluster. --- .../DescribeDBProxyEndpointsCommand.ts | 3 +- clients/client-rds/src/models/models_0.ts | 194 +++++++++--- clients/client-rds/src/models/models_1.ts | 284 +++++++++++++++++- clients/client-rds/src/protocols/Aws_query.ts | 71 ++++- codegen/sdk-codegen/aws-models/rds.json | 137 ++++++++- 5 files changed, 628 insertions(+), 61 deletions(-) diff --git a/clients/client-rds/src/commands/DescribeDBProxyEndpointsCommand.ts b/clients/client-rds/src/commands/DescribeDBProxyEndpointsCommand.ts index b938b113a1e6..e22e7de2f0d6 100644 --- a/clients/client-rds/src/commands/DescribeDBProxyEndpointsCommand.ts +++ b/clients/client-rds/src/commands/DescribeDBProxyEndpointsCommand.ts @@ -13,8 +13,9 @@ import { SerdeContext as __SerdeContext, } from "@aws-sdk/types"; -import { DescribeDBProxyEndpointsRequest, DescribeDBProxyEndpointsRequestFilterSensitiveLog } from "../models/models_0"; import { + DescribeDBProxyEndpointsRequest, + DescribeDBProxyEndpointsRequestFilterSensitiveLog, DescribeDBProxyEndpointsResponse, DescribeDBProxyEndpointsResponseFilterSensitiveLog, } from "../models/models_1"; diff --git a/clients/client-rds/src/models/models_0.ts b/clients/client-rds/src/models/models_0.ts index eee2ce13d45b..a5a6550c2c08 100644 --- a/clients/client-rds/src/models/models_0.ts +++ b/clients/client-rds/src/models/models_0.ts @@ -3719,7 +3719,15 @@ export interface CreateDBClusterMessage { /** *

The password for the master database user. This password can contain any printable ASCII character except "/", """, or "@".

- *

Constraints: Must contain from 8 to 41 characters.

+ *

Constraints:

+ * *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

*/ MasterUserPassword?: string; @@ -4220,6 +4228,40 @@ export interface CreateDBClusterMessage { *

Reserved for future use.

*/ DBSystemId?: string; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ *

Constraints:

+ * + *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

+ */ + ManageMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB cluster.

+ *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager + * KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't + * use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer + * managed KMS key.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

+ */ + MasterUserSecretKmsKeyId?: string; } /** @@ -4336,6 +4378,56 @@ export enum WriteForwardingStatus { UNKNOWN = "unknown", } +/** + *

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ */ +export interface MasterUserSecret { + /** + *

The Amazon Resource Name (ARN) of the secret.

+ */ + SecretArn?: string; + + /** + *

The status of the secret.

+ *

The possible status values include the following:

+ * + */ + SecretStatus?: string; + + /** + *

The Amazon Web Services KMS key identifier that is used to encrypt the secret.

+ */ + KmsKeyId?: string; +} + /** *

A list of the log types whose configuration is still pending. In other words, these log types are in the process of being activated or deactivated.

*/ @@ -4952,6 +5044,15 @@ export interface DBCluster { *

Reserved for future use.

*/ DBSystemId?: string; + + /** + *

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ */ + MasterUserSecret?: MasterUserSecret; } export interface CreateDBClusterResult { @@ -5960,6 +6061,7 @@ export interface CreateDBInstanceMessage { *

*

Not applicable. The password for the master user is managed by the DB * cluster.

+ *

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

*

* MariaDB *

@@ -6686,6 +6788,37 @@ export interface CreateDBInstanceMessage { *

This setting doesn't apply to RDS Custom or Amazon Aurora.

*/ StorageThroughput?: number; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide. + *

+ *

Constraints:

+ * + */ + ManageMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB instance.

+ *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager + * KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't + * use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer + * managed KMS key.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ */ + MasterUserSecretKmsKeyId?: string; } /** @@ -7670,6 +7803,14 @@ export interface DBInstance { * the name of the CDB. This setting is valid for RDS Custom only.

*/ DBSystemId?: string; + + /** + *

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide. + *

+ */ + MasterUserSecret?: MasterUserSecret; } export interface CreateDBInstanceResult { @@ -12324,43 +12465,6 @@ export interface DescribeDBProxiesResponse { Marker?: string; } -export interface DescribeDBProxyEndpointsRequest { - /** - *

The name of the DB proxy whose endpoints you want to describe. If you omit - * this parameter, the output includes information about all DB proxy endpoints - * associated with all your DB proxies.

- */ - DBProxyName?: string; - - /** - *

The name of a DB proxy endpoint to describe. If you omit this parameter, - * the output includes information about all DB proxy endpoints associated with - * the specified proxy.

- */ - DBProxyEndpointName?: string; - - /** - *

This parameter is not currently supported.

- */ - Filters?: Filter[]; - - /** - *

An optional pagination token provided by a previous request. - * If this parameter is specified, the response includes only records beyond the marker, - * up to the value specified by MaxRecords.

- */ - Marker?: string; - - /** - *

The maximum number of records to include in the response. If more records exist - * than the specified MaxRecords value, a pagination token called a marker is - * included in the response so that the remaining results can be retrieved.

- *

Default: 100

- *

Constraints: Minimum 20, maximum 100.

- */ - MaxRecords?: number; -} - /** * @internal */ @@ -12786,6 +12890,13 @@ export const DomainMembershipFilterSensitiveLog = (obj: DomainMembership): any = ...obj, }); +/** + * @internal + */ +export const MasterUserSecretFilterSensitiveLog = (obj: MasterUserSecret): any => ({ + ...obj, +}); + /** * @internal */ @@ -13672,10 +13783,3 @@ export const DescribeDBProxiesRequestFilterSensitiveLog = (obj: DescribeDBProxie export const DescribeDBProxiesResponseFilterSensitiveLog = (obj: DescribeDBProxiesResponse): any => ({ ...obj, }); - -/** - * @internal - */ -export const DescribeDBProxyEndpointsRequestFilterSensitiveLog = (obj: DescribeDBProxyEndpointsRequest): any => ({ - ...obj, -}); diff --git a/clients/client-rds/src/models/models_1.ts b/clients/client-rds/src/models/models_1.ts index d81b2c1bd3ba..c032ac17f523 100644 --- a/clients/client-rds/src/models/models_1.ts +++ b/clients/client-rds/src/models/models_1.ts @@ -36,6 +36,43 @@ import { } from "./models_0"; import { RDSServiceException as __BaseException } from "./RDSServiceException"; +export interface DescribeDBProxyEndpointsRequest { + /** + *

The name of the DB proxy whose endpoints you want to describe. If you omit + * this parameter, the output includes information about all DB proxy endpoints + * associated with all your DB proxies.

+ */ + DBProxyName?: string; + + /** + *

The name of a DB proxy endpoint to describe. If you omit this parameter, + * the output includes information about all DB proxy endpoints associated with + * the specified proxy.

+ */ + DBProxyEndpointName?: string; + + /** + *

This parameter is not currently supported.

+ */ + Filters?: Filter[]; + + /** + *

An optional pagination token provided by a previous request. + * If this parameter is specified, the response includes only records beyond the marker, + * up to the value specified by MaxRecords.

+ */ + Marker?: string; + + /** + *

The maximum number of records to include in the response. If more records exist + * than the specified MaxRecords value, a pagination token called a marker is + * included in the response so that the remaining results can be retrieved.

+ *

Default: 100

+ *

Constraints: Minimum 20, maximum 100.

+ */ + MaxRecords?: number; +} + export interface DescribeDBProxyEndpointsResponse { /** *

The list of ProxyEndpoint objects returned by the API operation.

@@ -3384,7 +3421,15 @@ export interface ModifyDBClusterMessage { /** *

The new password for the master database user. This password can contain any printable ASCII character except "/", """, or "@".

- *

Constraints: Must contain from 8 to 41 characters.

+ *

Constraints:

+ * *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

*/ MasterUserPassword?: string; @@ -3760,6 +3805,69 @@ export interface ModifyDBClusterMessage { *

Valid for: Aurora DB clusters only

*/ NetworkType?: string; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

If the DB cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn + * on this management. In this case, you can't specify MasterUserPassword.

+ *

If the DB cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the + * master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. + * In this case, RDS deletes the secret and uses the new password for the master user specified by + * MasterUserPassword.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

+ */ + ManageMasterUserPassword?: boolean; + + /** + *

A value that indicates whether to rotate the secret managed by Amazon Web Services Secrets Manager for the + * master user password.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB cluster. The secret value contains the updated password.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ *

Constraints:

+ * + *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

+ */ + RotateMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if both of the following conditions are met:

+ * + *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ *

Valid for: Aurora DB clusters and Multi-AZ DB clusters

+ */ + MasterUserSecretKmsKeyId?: string; } export interface ModifyDBClusterResult { @@ -3981,13 +4089,13 @@ export interface ModifyDBInstanceMessage { /** *

The new compute and memory capacity of the DB instance, for example db.m4.large. Not all DB instance classes are available in all * Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the - * Amazon RDS User Guide or + * Amazon RDS User Guide or * Aurora * DB instance classes in the Amazon Aurora User Guide. For RDS Custom, see DB instance class support for RDS Custom for Oracle and - * DB instance class support for RDS Custom for SQL Server.

+ * DB instance class support for RDS Custom for SQL Server.

*

If you modify the DB instance class, an outage occurs during the change. The change is * applied during the next maintenance window, unless you specify - * ApplyImmediately in your request.

+ * ApplyImmediately in your request.

*

Default: Uses existing setting

*/ DBInstanceClass?: string; @@ -4067,6 +4175,7 @@ export interface ModifyDBInstanceMessage { *

Not applicable. The password for the master user is managed by the DB cluster. For * more information, see ModifyDBCluster.

*

Default: Uses existing setting

+ *

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

*

* MariaDB *

@@ -4701,6 +4810,71 @@ export interface ModifyDBInstanceMessage { *

This setting doesn't apply to RDS Custom or Amazon Aurora.

*/ StorageThroughput?: number; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

If the DB cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn + * on this management. In this case, you can't specify MasterUserPassword.

+ *

If the DB cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the + * master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. + * In this case, RDS deletes the secret and uses the new password for the master user specified by + * MasterUserPassword.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide. + *

+ *

Constraints:

+ * + */ + ManageMasterUserPassword?: boolean; + + /** + *

A value that indicates whether to rotate the secret managed by Amazon Web Services Secrets Manager for the + * master user password.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB cluster. The secret value contains the updated password.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide. + *

+ *

Constraints:

+ * + */ + RotateMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if both of the following conditions are met:

+ * + *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ */ + MasterUserSecretKmsKeyId?: string; } export interface ModifyDBInstanceResult { @@ -5973,9 +6147,17 @@ export interface RestoreDBClusterFromS3Message { /** *
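Review bot: The new doc comments on `ModifyDBInstanceMessage.ManageMasterUserPassword` and `RotateMasterUserPassword` refer to "the DB cluster" ("If the DB cluster doesn't manage the master user password …", "… Secrets Manager for the DB cluster"), whereas the parallel comments on `CreateDBInstanceMessage` and `RestoreDBInstanceFromS3Message` say "DB instance". The text appears to have been carried over from `ModifyDBClusterMessage` and should read `If the DB instance doesn't manage the master user password with Amazon Web Services Secrets Manager, …` and `… Secrets Manager for the DB instance.` The wording matters because the same paragraph says that turning management off makes RDS delete the secret, so the reader needs to know which resource's secret that is. If these comments are generated from `rds.json`, which this commit also changes, the correction belongs in the model rather than in this file.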

The password for the master database user. This password can contain any printable ASCII character except "/", """, or "@".

- *

Constraints: Must contain from 8 to 41 characters.

+ *

Constraints:

+ * */ - MasterUserPassword: string | undefined; + MasterUserPassword?: string; /** *

A value that indicates that the restored DB cluster should be associated with the specified option group.
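Review bot: `MasterUserPassword` on `RestoreDBClusterFromS3Message` changes from a required member (`MasterUserPassword: string | undefined`) to an optional one (`MasterUserPassword?: string`), so a request that supplies neither a password nor `ManageMasterUserPassword` now type-checks. The serializer changes in this commit only copy fields that are set, so any either/or rule between the two members is presumably enforced by the service alone. The doc comment should state the relationship explicitly under "Constraints:", for example `Must be specified unless ManageMasterUserPassword is turned on.`, once that wording is confirmed against the service behaviour. The interface body continues outside this hunk.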

@@ -6181,6 +6363,38 @@ export interface RestoreDBClusterFromS3Message { *

*/ NetworkType?: string; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager + * in the Amazon Aurora User Guide. + *

+ *

Constraints:

+ * + */ + ManageMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB cluster.

+ *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager + * KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't + * use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer + * managed KMS key.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ */ + MasterUserSecretKmsKeyId?: string; } export interface RestoreDBClusterFromS3Result { @@ -7570,7 +7784,27 @@ export interface RestoreDBInstanceFromS3Message { /** *

The password for the master user. * The password can include any printable ASCII character except "/", """, or "@".

+ *

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

+ *

+ * MariaDB + *

+ *

Constraints: Must contain from 8 to 41 characters.

+ *

+ * Microsoft SQL Server + *

+ *

Constraints: Must contain from 8 to 128 characters.

+ *

+ * MySQL + *

*

Constraints: Must contain from 8 to 41 characters.

+ *

+ * Oracle + *

+ *

Constraints: Must contain from 8 to 30 characters.

+ *

+ * PostgreSQL + *

+ *

Constraints: Must contain from 8 to 128 characters.

*/ MasterUserPassword?: string; @@ -7956,6 +8190,37 @@ export interface RestoreDBInstanceFromS3Message { *

This setting doesn't apply to RDS Custom or Amazon Aurora.

*/ StorageThroughput?: number; + + /** + *

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

+ *

For more information, see Password management with Amazon Web Services Secrets Manager + * in the Amazon RDS User Guide. + *

+ *

Constraints:

+ * + */ + ManageMasterUserPassword?: boolean; + + /** + *

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and + * managed in Amazon Web Services Secrets Manager.

+ *

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets + * Manager for the DB instance.

+ *

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. + * To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

+ *

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager + * KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't + * use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer + * managed KMS key.

+ *

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account + * has a different default KMS key for each Amazon Web Services Region.

+ */ + MasterUserSecretKmsKeyId?: string; } export interface RestoreDBInstanceFromS3Result { @@ -9013,6 +9278,13 @@ export interface SwitchoverReadReplicaResult { DBInstance?: DBInstance; } +/** + * @internal + */ +export const DescribeDBProxyEndpointsRequestFilterSensitiveLog = (obj: DescribeDBProxyEndpointsRequest): any => ({ + ...obj, +}); + /** * @internal */ diff --git a/clients/client-rds/src/protocols/Aws_query.ts b/clients/client-rds/src/protocols/Aws_query.ts index 607cb1db0e25..72db5149451b 100644 --- a/clients/client-rds/src/protocols/Aws_query.ts +++ b/clients/client-rds/src/protocols/Aws_query.ts @@ -680,7 +680,6 @@ import { DescribeDBParametersMessage, DescribeDBProxiesRequest, DescribeDBProxiesResponse, - DescribeDBProxyEndpointsRequest, DomainMembership, DomainNotFoundFault, EC2SecurityGroup, @@ -722,6 +721,7 @@ import { InvalidVPCNetworkStateFault, IPRange, KMSKeyNotAccessibleFault, + MasterUserSecret, NetworkTypeNotSupported, Option, OptionGroup, @@ -785,6 +785,7 @@ import { DBSnapshotMessage, DBSubnetGroupMessage, DBUpgradeDependencyFailureFault, + DescribeDBProxyEndpointsRequest, DescribeDBProxyEndpointsResponse, DescribeDBProxyTargetGroupsRequest, DescribeDBProxyTargetGroupsResponse, @@ -12531,6 +12532,12 @@ const serializeAws_queryCreateDBClusterMessage = (input: CreateDBClusterMessage, if (input.DBSystemId != null) { entries["DBSystemId"] = input.DBSystemId; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; 
@@ -12778,6 +12785,12 @@ const serializeAws_queryCreateDBInstanceMessage = (input: CreateDBInstanceMessag if (input.StorageThroughput != null) { entries["StorageThroughput"] = input.StorageThroughput; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; @@ -15038,6 +15051,15 @@ const serializeAws_queryModifyDBClusterMessage = (input: ModifyDBClusterMessage, if (input.NetworkType != null) { entries["NetworkType"] = input.NetworkType; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.RotateMasterUserPassword != null) { + entries["RotateMasterUserPassword"] = input.RotateMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; @@ -15273,6 +15295,15 @@ const serializeAws_queryModifyDBInstanceMessage = (input: ModifyDBInstanceMessag if (input.StorageThroughput != null) { entries["StorageThroughput"] = input.StorageThroughput; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.RotateMasterUserPassword != null) { + entries["RotateMasterUserPassword"] = input.RotateMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; 
@@ -16131,6 +16162,12 @@ const serializeAws_queryRestoreDBClusterFromS3Message = ( if (input.NetworkType != null) { entries["NetworkType"] = input.NetworkType; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; @@ -16702,6 +16739,12 @@ const serializeAws_queryRestoreDBInstanceFromS3Message = ( if (input.StorageThroughput != null) { entries["StorageThroughput"] = input.StorageThroughput; } + if (input.ManageMasterUserPassword != null) { + entries["ManageMasterUserPassword"] = input.ManageMasterUserPassword; + } + if (input.MasterUserSecretKmsKeyId != null) { + entries["MasterUserSecretKmsKeyId"] = input.MasterUserSecretKmsKeyId; + } return entries; }; @@ -18066,6 +18109,7 @@ const deserializeAws_queryDBCluster = (output: any, context: __SerdeContext): DB ServerlessV2ScalingConfiguration: undefined, NetworkType: undefined, DBSystemId: undefined, + MasterUserSecret: undefined, }; if (output["AllocatedStorage"] !== undefined) { contents.AllocatedStorage = __strictParseInt32(output["AllocatedStorage"]) as number; @@ -18353,6 +18397,9 @@ const deserializeAws_queryDBCluster = (output: any, context: __SerdeContext): DB if (output["DBSystemId"] !== undefined) { contents.DBSystemId = __expectString(output["DBSystemId"]); } + if (output["MasterUserSecret"] !== undefined) { + contents.MasterUserSecret = deserializeAws_queryMasterUserSecret(output["MasterUserSecret"], context); + } return contents; }; @@ -19372,6 +19419,7 @@ const deserializeAws_queryDBInstance = (output: any, context: __SerdeContext): D ActivityStreamPolicyStatus: undefined, StorageThroughput: undefined, DBSystemId: undefined, + MasterUserSecret: undefined, }; if (output["DBInstanceIdentifier"] !== undefined) { contents.DBInstanceIdentifier = __expectString(output["DBInstanceIdentifier"]); 
@@ -19705,6 +19753,9 @@ const deserializeAws_queryDBInstance = (output: any, context: __SerdeContext): D if (output["DBSystemId"] !== undefined) { contents.DBSystemId = __expectString(output["DBSystemId"]); } + if (output["MasterUserSecret"] !== undefined) { + contents.MasterUserSecret = deserializeAws_queryMasterUserSecret(output["MasterUserSecret"], context); + } return contents; }; @@ -22672,6 +22723,24 @@ const deserializeAws_queryLogTypeList = (output: any, context: __SerdeContext): }); }; +const deserializeAws_queryMasterUserSecret = (output: any, context: __SerdeContext): MasterUserSecret => { + const contents: any = { + SecretArn: undefined, + SecretStatus: undefined, + KmsKeyId: undefined, + }; + if (output["SecretArn"] !== undefined) { + contents.SecretArn = __expectString(output["SecretArn"]); + } + if (output["SecretStatus"] !== undefined) { + contents.SecretStatus = __expectString(output["SecretStatus"]); + } + if (output["KmsKeyId"] !== undefined) { + contents.KmsKeyId = __expectString(output["KmsKeyId"]); + } + return contents; +}; + const deserializeAws_queryMinimumEngineVersionPerAllowedValue = ( output: any, context: __SerdeContext diff --git a/codegen/sdk-codegen/aws-models/rds.json b/codegen/sdk-codegen/aws-models/rds.json index 788ee643b8e8..61f08c1ade35 100644 --- a/codegen/sdk-codegen/aws-models/rds.json +++ b/codegen/sdk-codegen/aws-models/rds.json @@ -4738,7 +4738,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints: Must contain from 8 to 41 characters.

\n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + "smithy.api#documentation": "

The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints:

\n \n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" } }, "OptionGroupName": { @@ -4941,6 +4941,18 @@ "traits": { "smithy.api#documentation": "

Reserved for future use.

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

\n

Constraints:

\n \n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB cluster.

\n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager \n KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't \n use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer \n managed KMS key.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

\n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + } } }, "traits": { @@ -5202,7 +5214,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

\n Amazon Aurora\n

\n

Not applicable. The password for the master user is managed by the DB\n cluster.

\n

\n MariaDB\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Microsoft SQL Server\n

\n

Constraints: Must contain from 8 to 128 characters.

\n

\n MySQL\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Oracle\n

\n

Constraints: Must contain from 8 to 30 characters.

\n

\n PostgreSQL\n

\n

Constraints: Must contain from 8 to 128 characters.

" + "smithy.api#documentation": "

The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

\n Amazon Aurora\n

\n

Not applicable. The password for the master user is managed by the DB\n cluster.

\n

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

\n

\n MariaDB\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Microsoft SQL Server\n

\n

Constraints: Must contain from 8 to 128 characters.

\n

\n MySQL\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Oracle\n

\n

Constraints: Must contain from 8 to 30 characters.

\n

\n PostgreSQL\n

\n

Constraints: Must contain from 8 to 128 characters.

" } }, "DBSecurityGroups": { @@ -5474,6 +5486,18 @@ "traits": { "smithy.api#documentation": "

Specifies the storage throughput value for the DB instance.

\n

This setting applies only to the gp3 storage type.

\n

This setting doesn't apply to RDS Custom or Amazon Aurora.

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide.\n

\n

Constraints:

\n " + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB instance.

\n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager \n KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't \n use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer \n managed KMS key.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

" + } } }, "traits": { @@ -7009,6 +7033,12 @@ "traits": { "smithy.api#documentation": "

Reserved for future use.

" } + }, + "MasterUserSecret": { + "target": "com.amazonaws.rds#MasterUserSecret", + "traits": { + "smithy.api#documentation": "

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

" + } } }, "traits": { @@ -8582,6 +8612,12 @@ "traits": { "smithy.api#documentation": "

The Oracle system ID (Oracle SID) for a container database (CDB). The Oracle SID is also\n the name of the CDB. This setting is valid for RDS Custom only.

" } + }, + "MasterUserSecret": { + "target": "com.amazonaws.rds#MasterUserSecret", + "traits": { + "smithy.api#documentation": "

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide.\n

" + } } }, "traits": { @@ -16226,6 +16262,32 @@ "com.amazonaws.rds#LongOptional": { "type": "long" }, + "com.amazonaws.rds#MasterUserSecret": { + "type": "structure", + "members": { + "SecretArn": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the secret.

" + } + }, + "SecretStatus": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The status of the secret.

\n

The possible status values include the following:

\n " + } + }, + "KmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier that is used to encrypt the secret.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains the secret managed by RDS in Amazon Web Services Secrets Manager for the master user password.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

" + } + }, "com.amazonaws.rds#MaxRecords": { "type": "integer", "traits": { @@ -16650,7 +16712,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The new password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints: Must contain from 8 to 41 characters.

\n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + "smithy.api#documentation": "

The new password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints:

\n \n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" } }, "OptionGroupName": { @@ -16818,6 +16880,24 @@ "traits": { "smithy.api#documentation": "

The network type of the DB cluster.

\n

Valid values:

\n \n

The network type is determined by the DBSubnetGroup specified for the DB cluster. \n A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 \n protocols (DUAL).

\n

For more information, see \n Working with a DB instance in a VPC in the \n Amazon Aurora User Guide.\n

\n

Valid for: Aurora DB clusters only

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

If the DB cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn \n on this management. In this case, you can't specify MasterUserPassword.

\n

If the DB cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the \n master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. \n In this case, RDS deletes the secret and uses the new password for the master user specified by \n MasterUserPassword.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

\n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + } + }, + "RotateMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to rotate the secret managed by Amazon Web Services Secrets Manager for the \n master user password.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB cluster. The secret value contains the updated password.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

\n

Constraints:

\n \n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if both of the following conditions are met:

\n \n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

\n

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + } } }, "traits": { @@ -17032,7 +17112,7 @@ "DBInstanceClass": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The new compute and memory capacity of the DB instance, for example db.m4.large. Not all DB instance classes are available in all\n Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the \n Amazon RDS User Guide or \n Aurora\n DB instance classes in the Amazon Aurora User Guide. For RDS Custom, see DB instance class support for RDS Custom for Oracle and \n DB instance class support for RDS Custom for SQL Server.

\n

If you modify the DB instance class, an outage occurs during the change. The change is\n applied during the next maintenance window, unless you specify\n ApplyImmediately in your request.

\n

Default: Uses existing setting

" + "smithy.api#documentation": "

The new compute and memory capacity of the DB instance, for example db.m4.large. Not all DB instance classes are available in all\n Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the \n Amazon RDS User Guide or \n Aurora\n DB instance classes in the Amazon Aurora User Guide. For RDS Custom, see DB instance class support for RDS Custom for Oracle and \n DB instance class support for RDS Custom for SQL Server.

\n

If you modify the DB instance class, an outage occurs during the change. The change is\n applied during the next maintenance window, unless you specify\n ApplyImmediately in your request.

\n

Default: Uses existing setting

" } }, "DBSubnetGroupName": { @@ -17063,7 +17143,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The new password for the master user. The password can include any printable ASCII \n character except \"/\", \"\"\", or \"@\".

\n

Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. \n Between the time of the request and the completion of the request,\n the MasterUserPassword element exists in the\n PendingModifiedValues element of the operation response.

\n

This setting doesn't apply to RDS Custom.

\n

\n Amazon Aurora\n

\n

Not applicable. The password for the master user is managed by the DB cluster. For\n more information, see ModifyDBCluster.

\n

Default: Uses existing setting

\n

\n MariaDB\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Microsoft SQL Server\n

\n

Constraints: Must contain from 8 to 128 characters.

\n

\n MySQL\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Oracle\n

\n

Constraints: Must contain from 8 to 30 characters.

\n

\n PostgreSQL\n

\n

Constraints: Must contain from 8 to 128 characters.

\n \n

Amazon RDS API operations never return the password, \n so this action provides a way to regain access to a primary instance user if the password is lost. \n This includes restoring privileges that might have been accidentally revoked.

\n
" + "smithy.api#documentation": "

The new password for the master user. The password can include any printable ASCII \n character except \"/\", \"\"\", or \"@\".

\n

Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. \n Between the time of the request and the completion of the request,\n the MasterUserPassword element exists in the\n PendingModifiedValues element of the operation response.

\n

This setting doesn't apply to RDS Custom.

\n

\n Amazon Aurora\n

\n

Not applicable. The password for the master user is managed by the DB cluster. For\n more information, see ModifyDBCluster.

\n

Default: Uses existing setting

\n

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

\n

\n MariaDB\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Microsoft SQL Server\n

\n

Constraints: Must contain from 8 to 128 characters.

\n

\n MySQL\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Oracle\n

\n

Constraints: Must contain from 8 to 30 characters.

\n

\n PostgreSQL\n

\n

Constraints: Must contain from 8 to 128 characters.

\n \n

Amazon RDS API operations never return the password, \n so this action provides a way to regain access to a primary instance user if the password is lost. \n This includes restoring privileges that might have been accidentally revoked.

\n
" } }, "DBParameterGroupName": { @@ -17312,6 +17392,24 @@ "traits": { "smithy.api#documentation": "

Specifies the storage throughput value for the DB instance.

\n

This setting applies only to the gp3 storage type.

\n

This setting doesn't apply to RDS Custom or Amazon Aurora.

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

If the DB cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn \n on this management. In this case, you can't specify MasterUserPassword.

\n

If the DB cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the \n master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. \n In this case, RDS deletes the secret and uses the new password for the master user specified by \n MasterUserPassword.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide.\n

\n

Constraints:

\n " + } + }, + "RotateMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to rotate the secret managed by Amazon Web Services Secrets Manager for the \n master user password.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB cluster. The secret value contains the updated password.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide.\n

\n

Constraints:

\n " + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if both of the following conditions are met:

\n \n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

" + } } }, "traits": { @@ -20563,8 +20661,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "
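Review bot: The new `ManageMasterUserPassword` and `RotateMasterUserPassword` descriptions in this hunk refer to "the DB cluster", although the member just above documents a DB instance setting and the text links only to the Amazon RDS User Guide. This looks like wording copied from the cluster-level members added in the -16818 hunk; the enclosing structure's name is outside the hunk, so confirm before changing. The second paragraph describes RDS deleting the secret when management is turned off, so naming the wrong resource can mislead an operator about which secret is affected. Suggested wording: `If the DB instance doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management.`, and likewise `Manager for the DB instance` in the rotation text.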

The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints: Must contain from 8 to 41 characters.

", - "smithy.api#required": {} + "smithy.api#documentation": "

The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints:

\n " } }, "OptionGroupName": { @@ -20684,6 +20781,18 @@ "traits": { "smithy.api#documentation": "
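Review bot: `MasterUserPassword` still targets the general-purpose `com.amazonaws.rds#String` shape in this hunk, so nothing on the member marks the cleartext password as sensitive. That shape's own traits are outside this diff, but a shape shared with ordinary strings presumably has no `smithy.api#sensitive` trait. Dropping `smithy.api#required` here makes the password optional beside `ManageMasterUserPassword`, yet callers who still pass it get no redaction from the generated log filters if the trait is absent. Consider pointing the member at a dedicated string shape declared with `"smithy.api#sensitive": {}`. The same holds for the `MasterUserPassword` members whose documentation changes at -4738, -5202, -16650, -17063 and -21601.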

The network type of the DB cluster.

\n

Valid values:

\n \n

The network type is determined by the DBSubnetGroup specified for the DB cluster. \n A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 \n protocols (DUAL).

\n

For more information, see \n Working with a DB instance in a VPC in the \n Amazon Aurora User Guide.\n

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide and Password management with Amazon Web Services Secrets Manager \n in the Amazon Aurora User Guide.\n

\n

Constraints:

\n " + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB cluster.

\n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager \n KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't \n use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer \n managed KMS key.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

" + } } } }, @@ -21601,7 +21710,7 @@ "MasterUserPassword": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "

The password for the master user. \n The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints: Must contain from 8 to 41 characters.

" + "smithy.api#documentation": "

The password for the master user. \n The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".

\n

Constraints: Can't be specified if ManageMasterUserPassword is turned on.

\n

\n MariaDB\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Microsoft SQL Server\n

\n

Constraints: Must contain from 8 to 128 characters.

\n

\n MySQL\n

\n

Constraints: Must contain from 8 to 41 characters.

\n

\n Oracle\n

\n

Constraints: Must contain from 8 to 30 characters.

\n

\n PostgreSQL\n

\n

Constraints: Must contain from 8 to 128 characters.

" } }, "DBSecurityGroups": { @@ -21841,6 +21950,18 @@ "traits": { "smithy.api#documentation": "

Specifies the storage throughput value for the DB instance.

\n

This setting doesn't apply to RDS Custom or Amazon Aurora.

" } + }, + "ManageMasterUserPassword": { + "target": "com.amazonaws.rds#BooleanOptional", + "traits": { + "smithy.api#documentation": "

A value that indicates whether to manage the master user password with Amazon Web Services Secrets Manager.

\n

For more information, see Password management with Amazon Web Services Secrets Manager \n in the Amazon RDS User Guide.\n

\n

Constraints:

\n " + } + }, + "MasterUserSecretKmsKeyId": { + "target": "com.amazonaws.rds#String", + "traits": { + "smithy.api#documentation": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and \n managed in Amazon Web Services Secrets Manager.

\n

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets \n Manager for the DB instance.

\n

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

\n

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager \n KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't \n use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer \n managed KMS key.

\n

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account\n has a different default KMS key for each Amazon Web Services Region.

" + } } } },