[secret-manager]: Add in support for secret rotation date

packages/secrets-manager/__tests__/index.js

@@ -1,10 +1,12 @@
+import { setTimeout } from 'node:timers/promises'
 import test from 'ava'
 import sinon from 'sinon'
 import { mockClient } from 'aws-sdk-client-mock'
 import middy from '../../core/index.js'
 import { getInternal, clearCache } from '../../util/index.js'
 import {
   SecretsManagerClient,
+  DescribeSecretCommand,
   GetSecretValueCommand
 } from '@aws-sdk/client-secrets-manager'
 import secretsManager from '../index.js'
@@ -242,6 +244,45 @@ test.serial(
   }
 )
 
+test.serial(
+  'It should call aws-sdk if cache enabled but cached param has expired using rotation',
+  async (t) => {
+    const mockService = mockClient(SecretsManagerClient)
+      .on(DescribeSecretCommand, { SecretId: 'api_key' })
+      .resolves({ NextRotationDate: Date.now() + 50 })
+      .on(GetSecretValueCommand, { SecretId: 'api_key' })
+      .resolves({ SecretString: 'token' })
+    const sendStub = mockService.send
+    const handler = middy(() => {})
+
+    const middleware = async (request) => {
+      const values = await getInternal(true, request)
+      t.is(values.token, 'token')
+    }
+
+    handler
+      .use(
+        secretsManager({
+          AwsClient: SecretsManagerClient,
+          cacheExpiry: 0,
+          fetchData: {
+            token: 'api_key'
+          },
+          fetchRotationDate: true,
+          disablePrefetch: true
+        })
+      )
+      .before(middleware)
+
+    await handler(event, context) // fetch x 2
+    await handler(event, context)
+    await setTimeout(100)
+    await handler(event, context) // fetch x 2
+
+    t.is(sendStub.callCount, 2 * 2)
+  }
+)
+
 test.serial('It should catch if an error is returned from fetch', async (t) => {
   const mockService = mockClient(SecretsManagerClient)
     .on(GetSecretValueCommand, { SecretId: 'api_key' })

packages/secrets-manager/index.js

@@ -10,6 +10,7 @@ import {
 } from '@middy/util'
 import {
   SecretsManagerClient,
+  DescribeSecretCommand,
   GetSecretValueCommand
 } from '@aws-sdk/client-secrets-manager'
 
@@ -18,30 +19,56 @@ const defaults = {
   awsClientOptions: {},
   awsClientAssumeRole: undefined,
   awsClientCapture: undefined,
-  fetchData: {}, // If more than 2, consider writing own using ListSecrets
+  fetchData: {},
+  fetchRotationDate: false, // true: apply to all or {key: true} for individual
   disablePrefetch: false,
   cacheKey: 'secrets-manager',
-  cacheExpiry: -1,
+  cacheExpiry: -1, // ignored when fetchRotationRules is true/object
   setToContext: false
 }
 
+const future = Date.now() * 2
 const secretsManagerMiddleware = (opts = {}) => {
   const options = { ...defaults, ...opts }
 
   const fetch = (request, cachedValues = {}) => {
     const values = {}
 
-    // Multiple secrets can be requested in a single requests,
-    // however this is likely uncommon IRL, increases complexity to handle,
-    // and will require recursive promise resolution impacting performance.
-    // See https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SecretsManager.html#listSecrets-property
+    if (options.fetchRotationRules) {
+      options.cacheExpiry = 0
+    }
+
     for (const internalKey of Object.keys(options.fetchData)) {
       if (cachedValues[internalKey]) continue
-      values[internalKey] = client
-        .send(
-          new GetSecretValueCommand({
-            SecretId: options.fetchData[internalKey]
-          })
+
+      values[internalKey] = Promise.resolve()
+        .then(() => {
+          if (
+            options.fetchRotationDate === true ||
+            options.fetchRotationDate?.[internalKey]
+          ) {
+            return client
+              .send(
+                new DescribeSecretCommand({
+                  SecretId: options.fetchData[internalKey]
+                })
+              )
+              .then((resp) => {
+                if (resp.NextRotationDate) {
+                  options.cacheExpiry = Math.min(
+                    options.cacheExpiry || future,
+                    resp.NextRotationDate * 1000
+                  )
+                }
+              })
+          }
+        })
+        .then(() =>
+          client.send(
+            new GetSecretValueCommand({
+              SecretId: options.fetchData[internalKey]
+            })
+          )
         )
         .then((resp) => jsonSafeParse(resp.SecretString))
         .catch((e) => {

packages/util/__tests__/index.js

@@ -268,6 +268,25 @@ test.serial('processCache should cache when not expired', async (t) => {
   t.is(fetch.callCount, 1)
   clearCache()
 })
+test.serial(
+  'processCache should cache when not expired w/ unix timestamp',
+  async (t) => {
+    const fetch = sinon.stub().resolves('value')
+    const options = {
+      cacheKey: 'key',
+      cacheExpiry: Date.now() + 100
+    }
+    processCache(options, fetch, cacheRequest)
+    await setTimeout(50)
+    const cacheValue = getCache('key').value
+    t.is(await cacheValue, 'value')
+    const { value, cache } = processCache(options, fetch, cacheRequest)
+    t.is(await value, 'value')
+    t.is(cache, true)
+    t.is(fetch.callCount, 1)
+    clearCache()
+  }
+)
 
 test.serial(
   'processCache should clear and re-fetch modified cache',
@@ -331,20 +350,41 @@ test.serial(
 test.serial('processCache should cache and expire', async (t) => {
   const fetch = sinon.stub().resolves('value')
   const options = {
-    cacheKey: 'key',
+    cacheKey: 'key-cache-expire',
     cacheExpiry: 150
   }
   processCache(options, fetch, cacheRequest)
   await setTimeout(100)
-  let cache = getCache('key')
+  let cache = getCache('key-cache-expire')
   t.not(cache, undefined)
   await setTimeout(250) // expire twice
-  cache = getCache('key')
+  cache = getCache('key-cache-expire')
   t.true(cache.expiry > Date.now())
   t.is(fetch.callCount, 3)
   clearCache()
 })
 
+test.serial(
+  'processCache should cache and expire w/ unix timestamp',
+  async (t) => {
+    const fetch = sinon.stub().resolves('value')
+    const options = {
+      cacheKey: 'key-cache-unix-expire',
+      cacheExpiry: Date.now() + 155
+    }
+    processCache(options, fetch, cacheRequest)
+    await setTimeout(100)
+    let cache = getCache('key-cache-unix-expire')
+    t.not(cache, undefined)
+    await setTimeout(250) // expire once, then doesn't cache
+    cache = getCache('key-cache-unix-expire')
+
+    t.true(cache.expiry < Date.now())
+    t.is(fetch.callCount, 3)
+    clearCache()
+  }
+)
+
 test.serial('processCache should clear single key cache', async (t) => {
   const fetch = sinon.stub().resolves('value')
   processCache(

packages/util/index.js

@@ -118,12 +118,14 @@ export const processCache = (options, fetch = () => undefined, request) => {
     }
   }
   const value = fetch(request)
-  const expiry = Date.now() + cacheExpiry
-
+  const now = Date.now()
+  // secrets-manager overrides to unix timestamp
+  const expiry = cacheExpiry > 86400000 ? cacheExpiry : now + cacheExpiry
+  const duration = cacheExpiry > 86400000 ? cacheExpiry - now : cacheExpiry
   if (cacheExpiry) {
     const refresh =
-      cacheExpiry > 0
-        ? setInterval(() => processCache(options, fetch, request), cacheExpiry)
+      duration > 0
+        ? setInterval(() => processCache(options, fetch, request), duration)
         : undefined
     cache[cacheKey] = { value, expiry, refresh }
   }

website/docs/middlewares/secrets-manager.md

@@ -28,14 +28,15 @@ npm install --save-dev @aws-sdk/client-secrets-manager
 - `awsClientAssumeRole` (string) (optional): Internal key where secrets are stored. See [@middy/sts](/docs/middlewares/sts) on to set this.
 - `awsClientCapture` (function) (optional): Enable XRay by passing `captureAWSv3Client` from `aws-xray-sdk` in.
 - `fetchData` (object) (required): Mapping of internal key name to API request parameter `SecretId`.
+- `fetchRotationDate` (boolean|object) (default `false`): Boolean to apply to all or mapping of internal key name to boolean indicating what secrets should fetch NextRotationDate before the secret. `cacheExpiry` is ignored when this is not `false`.
 - `disablePrefetch` (boolean) (default `false`): On cold start requests will trigger early if they can. Setting `awsClientAssumeRole` disables prefetch.
 - `cacheKey` (string) (default `secrets-manager`): Cache key for the fetched data responses. Must be unique across all middleware.
 - `cacheExpiry` (number) (default `-1`): How long fetch data responses should be cached for. `-1`: cache forever, `0`: never cache, `n`: cache for n ms.
 - `setToContext` (boolean) (default `false`): Store secrets to `request.context`.
 
 NOTES:
 
-- Lambda is required to have IAM permission for `secretsmanager:GetSecretValue`
+- Lambda is required to have IAM permission for `secretsmanager:GetSecretValue`. If using `fetchRotationDate` add `secretsmanager:DescribeSecret` in as well.
 
 ## Sample usage