feat: Allow update of PGPSecret and PrivateKey #20

RomainMuller · 2018-12-18T13:42:34Z

Updated the python code that backs the custom resource implementations for the
PGPSecret and PrivateKey constructs so they allow updating the KMS encryption
keys used by AWS SecretsManager without necessarily re-generating new secrets.

Also, added a resourceVersion has to the properties so the resource handler is
called again if the implementation code changed.

BREAKING CHANGE: this also changes the API of the PGPSecret and
CodeSigningCertificate constructs to offer a consistent API for accessing the name
and ARNs of the secret and parameters associated with the secrets, through the
ICredentialPair interface.

Updated the python code that backs the custom resource implementations for the PGPSecret and PrivateKey constructs so they allow updating the KMS encryption keys used by AWS SecretsManager without necessarily re-generating new secrets. Also, added a `resourceVersion` has to the properties so the resource handler is called again if the implementation code changed. BREAKING CHANGE: this also changes the API of the PGPSecret and CodeSigningCertificate constructs to offer a consistent API for accessing the name and ARNs of the secret and parameters associated with the secrets, through the `ICredentialPair` interface.

eladb

I am concerned we don't have unit tests for any of the custom resources. Any chance we can cook something up real quick? Especially due to the fact that those are security-related...

lib/code-signing/code-signing-certificate.ts

lib/code-signing/private-key.ts

lib/credential-pair.ts

lib/pgp-secret.ts

lib/util.ts

build-custom-resource-handlers.sh

custom-resource-handlers/src/_cloud-formation.ts

custom-resource-handlers/src/_exec.ts

custom-resource-handlers/src/_lambda.ts

custom-resource-handlers/src/_rmrf.ts

build-custom-resource-handlers.sh

test/custom-resource-handlers/_rmrf.test.ts

custom-resource-handlers/src/_rmrf.ts

test/custom-resource-handlers/private-key.test.ts

RomainMuller requested a review from a team as a code owner December 18, 2018 13:42

RomainMuller added the enhancement label Dec 18, 2018

eladb reviewed Dec 18, 2018

View reviewed changes

lib/code-signing/code-signing-certificate.ts Show resolved Hide resolved

lib/code-signing/private-key.ts Show resolved Hide resolved

lib/credential-pair.ts Outdated Show resolved Hide resolved

lib/pgp-secret.ts Show resolved Hide resolved

lib/util.ts Show resolved Hide resolved

This was referenced Dec 19, 2018

Assets: Add property to retrieve content hash aws/aws-cdk#1400

Closed

CustomResources: auto-invalidate resource when provider code changes aws/aws-cdk#1401

Closed

RomainMuller added 5 commits December 20, 2018 15:01

Re-implement custom resources in TS/JavaScript

66c239c

Add tests to the custom resource handlers (helper modules only)

9497225

Ad more tests

dc3f7ba

Reflect new situation in integ expectation file

6ef2ca1

Minor fix

0d850ff

eladb reviewed Dec 23, 2018

View reviewed changes

RomainMuller added 3 commits December 27, 2018 13:41

Fix the tests

195558f

Validate presence of required parameters

1244691

Use constant

bcc0ce2

eladb approved these changes Dec 27, 2018

View reviewed changes

RomainMuller merged commit bfc6225 into master Dec 27, 2018

RomainMuller deleted the rmuller/allow-updating-secrets-cmk branch December 27, 2018 13:25

justnance added feature-request A feature should be added or improved. and removed enhancement labels Apr 19, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Allow update of PGPSecret and PrivateKey #20

feat: Allow update of PGPSecret and PrivateKey #20

RomainMuller commented Dec 18, 2018

eladb left a comment

feat: Allow update of PGPSecret and PrivateKey #20

feat: Allow update of PGPSecret and PrivateKey #20

Conversation

RomainMuller commented Dec 18, 2018

eladb left a comment

Choose a reason for hiding this comment