feat(secretsmanager): import secrets by name

[njlynch]

Adds the ability to import secrets by name, including without the SecretsManager
assigned suffix. As long as a secret with the same name has been created in each
region with the same name, this allows for the same fromSecretName usage in
stacks across regions.

Oddly enough, most CloudFormation templates that take references to secrets
accept either the full-form ARN, including the suffix or just the base secret
name (not in ARN format). The one place where a full ARN format is needed is in
IAM policy statements, where the wildcard is necessary to account for the
suffix.

Tested this manually against an existing secret with a CodeBuild project; per
the CloudFormation docs, this should work equally well with other
SecretsManager-integrated services.

fixes #7444
fixes #7949
fixes #7994

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[rix0rrr]

Approved provided small reconsiderations

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
• Commit ID: 0ac4aa7
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[rrrix]

Uhg. This totally broke my production stack.

I'm importing a secret using from another stack by ARN, like this:

    const dbSecret = secretsmanager.Secret.fromSecretArn(this, 'dbSecret', props.dbSecretArn);

I get this error:

/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:605
  throw new Error('invalid ARN format; no secret name provided');
        ^
Error: invalid ARN format; no secret name provided
    at parseSecretName (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:605:9)
    at new Import (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:282:36)
    at Function.fromSecretAttributes (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:286:12)
    at Function.fromSecretArn (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:245:19)
    at new APIService (/Users/me/project/cdk/src/services/api.ts:77:44)
    at main (/Users/me/project/cdk/src/index.ts:190:22)

@njlynch What's supposed to happen if the secretArn passed here is a Token (e.g. doesn't exist yet?)

/** Returns the secret name if defined, otherwise attempts to parse it from the ARN. */
export function parseSecretName(construct: IConstruct, secretArn: string, secretName?: string) {
  if (secretName) { return secretName; }
  const resourceName = Stack.of(construct).parseArn(secretArn).resourceName;
  if (resourceName) {
    // Secret resource names are in the format `${secretName}-${SecretsManager suffix}`
    const secretNameFromArn = resourceName.substr(0, resourceName.lastIndexOf('-'));
    if (secretNameFromArn) { return secretNameFromArn; }
  }
  throw new Error('invalid ARN format; no secret name provided');
}

$ cdk --version
1.64.0 (build 9510201)

[Cloudrage]

Same here since update in 1.64.0 :

invalid ARN format; no secret name provided
Subprocess exited with error 1

[snorberhuis]

This also breaks our production stack.

[Cloudrage]

To prevent that you have to set a fix version of CDK.
When a new version came available, update it but test on your dev/stg environments before updating your prd.

I'm using pipelines in most cases and only with a valid/fixed CDK version; in that case you don't have any surprise.
With the actual SM pb, I've seen it in my DEV environment and came back to the previous version (this version did not contain any expected fixed on my side). Or just the SM package version.