docs(secretsmanager): replace IAM example with RDS example (#21426)

Repeat of #20404 which fell off my radar. An internal review found the use of a Secrets Manager secret to create an IAM user to be an anti-pattern. Changed this example to create an RDS instance instead.
aws · Aug 2, 2022 · c33f1ea · c33f1ea
1 parent 5f18995
commit c33f1ea
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 13 deletions.
diff --git a/packages/@aws-cdk/aws-secretsmanager/README.md b/packages/@aws-cdk/aws-secretsmanager/README.md
@@ -18,27 +18,35 @@ import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 
 ## Create a new Secret in a Stack
 
-In order to have SecretsManager generate a new secret value automatically,
-you can get started with the following:
+To have SecretsManager generate a new secret value automatically,
+follow this example:
 
 ```ts
-// Default secret
+declare const vpc: ec2.Vpc;
+
+// Simple secret
 const secret = new secretsmanager.Secret(this, 'Secret');
-// Using the default secret
-new iam.User(this, 'User', {
-  password: secret.secretValue,
+// Using the secret
+const instance1 = new rds.DatabaseInstance(this, "PostgresInstance1", {
+  engine: rds.DatabaseInstanceEngine.POSTGRES,
+  credentials: rds.Credentials.fromSecret(secret),
+  vpc
 });
-// Templated secret
+// Templated secret with username and password fields
 const templatedSecret = new secretsmanager.Secret(this, 'TemplatedSecret', {
   generateSecretString: {
-    secretStringTemplate: JSON.stringify({ username: 'user' }),
+    secretStringTemplate: JSON.stringify({ username: 'postgres' }),
     generateStringKey: 'password',
   },
 });
-// Using the templated secret
-new iam.User(this, 'OtherUser', {
-  userName: templatedSecret.secretValueFromJson('username').toString(),
-  password: templatedSecret.secretValueFromJson('password'),
+// Using the templated secret as credentials
+const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+  engine: rds.DatabaseInstanceEngine.POSTGRES,
+  credentials: {
+    username: templatedSecret.secretValueFromJson('username').toString(),
+    password: templatedSecret.secretValueFromJson('password')
+  },
+  vpc
 });
 ```
 
@@ -58,7 +66,7 @@ const secret = secretsmanager.Secret.fromSecretAttributes(this, 'ImportedSecret'
 SecretsManager secret values can only be used in select set of properties. For the
 list of properties, see [the CloudFormation Dynamic References documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
 
-A secret can set `RemovalPolicy`. If it set to `RETAIN`, that removing a secret will fail.
+A secret can set `RemovalPolicy`. If it set to `RETAIN`, removing that secret will fail.
 
 ## Grant permission to use the secret to a role
 

diff --git a/packages/@aws-cdk/aws-secretsmanager/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-secretsmanager/rosetta/default.ts-fixture
@@ -5,6 +5,7 @@ import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as kms from '@aws-cdk/aws-kms';
 import * as iam from '@aws-cdk/aws-iam';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as rds from '@aws-cdk/aws-rds';
 
 class Fixture extends Stack {           
   constructor(scope: Construct, id: string) {