aws · rix0rrr · Mar 26, 2019 · Mar 13, 2019 · Mar 20, 2019 · Mar 20, 2019
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -75,7 +75,7 @@ export interface SecretProps {
    * @default 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
    *          category), per the default values of ``SecretStringGenerator``.
    */
-  generateSecretString?: SecretStringGenerator;
+  generateSecretString?: SecretStringGenerator | TemplatedSecretStringGenerator;
 
   /**
    * A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.expected.json b/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.expected.json
@@ -79,6 +79,46 @@
           }
         }
       }
+    },
+    "TemplatedSecret3D98B577": {
+      "Type": "AWS::SecretsManager::Secret",
+      "Properties": {
+        "GenerateSecretString": {
+          "GenerateStringKey": "password",
+          "SecretStringTemplate": "{\"username\":\"user\"}"
+        }
+      }
+    },
+    "OtherUser6093621C": {
+      "Type": "AWS::IAM::User",
+      "Properties": {
+        "LoginProfile": {
+          "Password": {
+            "Fn::Join": [
+              "",
+              [
+                "{{resolve:secretsmanager:",
+                {
+                  "Ref": "TemplatedSecret3D98B577"
+                },
+                ":SecretString:password::}}"
+              ]
+            ]
+          }
+        },
+        "UserName": {
+          "Fn::Join": [
+            "",
+            [
+              "{{resolve:secretsmanager:",
+              {
+                "Ref": "TemplatedSecret3D98B577"
+              },
+              ":SecretString:username::}}"
+            ]
+          ]
+        }
+      }
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.ts b/packages/@aws-cdk/aws-secretsmanager/test/integ.secret.lit.ts
@@ -9,12 +9,26 @@ class SecretsManagerStack extends cdk.Stack {
     const role = new iam.Role(this, 'TestRole', { assumedBy: new iam.AccountRootPrincipal() });
 
     /// !show
+    // Default secret
     const secret = new secretsManager.Secret(this, 'Secret');
     secret.grantRead(role);
 
     new iam.User(this, 'User', {
       password: secret.stringValue
     });
+
+    // Templated secret
+    const templatedSecret = new secretsManager.Secret(this, 'TemplatedSecret', {
+      generateSecretString: {
+        secretStringTemplate: JSON.stringify({ username: 'user' }),
+        generateStringKey: 'password'
+      }
+    });
+
+    new iam.User(this, 'OtherUser', {
+      userName: templatedSecret.jsonFieldValue('username'),
+      password: templatedSecret.jsonFieldValue('password')
+    });
     /// !hide
   }
 }

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -21,6 +21,29 @@ export = {
     test.done();
   },
 
+  'templated secret string'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new secretsmanager.Secret(stack, 'Secret', {
+      generateSecretString: {
+        secretStringTemplate: JSON.stringify({ username: 'username' }),
+        generateStringKey: 'password'
+      }
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::SecretsManager::Secret', {
+      GenerateSecretString: {
+        SecretStringTemplate: '{"username":"username"}',
+        GenerateStringKey: 'password'
+      }
+    }));
+
+    test.done();
+  },
+
   'grantRead'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();