SecretsManagerMetricsPublisher lambda LastRotationDate should default to the AWSCURRENT createdDate

Open jacklin213 opened this issue 7 months ago • 2 comments

Feature scope

SecretsManager

Describe your suggested feature

At present, if the secret is not enabled for rotation, the lambda defaults the lastRotationDate metric to the secret creation date. This can be confusing, as manual updates to a secret value can also be considered the secret being "rotated" (https://github.com/cdklabs/cdk-monitoring-constructs/blob/53a5c03122cb36e4e4f3442ab21c5de9a9a2d863/assets/SecretsManagerMetricsPublisher/index.js#L39). lastChangedDate is not a good representation of a manual update to the secret value, as updating the description will also update this value.

Proposing to change the default lastRotatedDate to the createdDate of the AWSCURRENT version of the secret, as manually updating the secret value is considered rotating the secret. NOTE: This would now require secretsmanager:GetSecretValue permissions, meaning the below would need to be updated too: https://github.com/cdklabs/cdk-monitoring-constructs/blob/53a5c03122cb36e4e4f3442ab21c5de9a9a2d863/lib/monitoring/aws-secretsmanager/SecretsManagerMetricsPublisher.ts#L42-L48

Sample code:

import { GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";

// Rotation-enabled secrets carry LastRotatedDate; everything else falls through.
let lastRotatedDate = secret.LastRotatedDate;
if (!lastRotatedDate) {
    // Only the AWSCURRENT version is fetched; a manual value update creates a new AWSCURRENT version.
    const secretValue = await secretsManagerClient.send(
        new GetSecretValueCommand({
            SecretId: event.secretId,
            VersionStage: 'AWSCURRENT'
        })
    );

    // Set last rotation to the AWSCURRENT version's created date, or fall back to the
    // existing behavior of using the secret's created date when the version has none.
    lastRotatedDate = secretValue.CreatedDate ?? secret.CreatedDate;
}

jacklin213 avatar Mar 15 '25 22:03 jacklin213
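The fallback order proposed above, as an added example that is not part of this issue or of cdk-monitoring-constructs. It separates the decision logic (LastRotatedDate, then the AWSCURRENT version's CreatedDate, then the secret's CreatedDate) from the API calls so it can be run offline against a constructed fake client, and it shows how the publisher can degrade to today's behaviour instead of failing when the role has not yet been granted secretsmanager:GetSecretValue. The two command classes, the FakeSecretsManagerClient, the sample secrets and the "now" timestamp are all stand-ins constructed for the example (assumption: the real AWS SDK v3 DescribeSecretCommand and GetSecretValueCommand take the same input shape and the denial error is named AccessDeniedException).

```javascript
// Stand-ins for the AWS SDK v3 command classes (assumption: same input shape).
class DescribeSecretCommand {
  constructor(input) { this.input = input; }
}
class GetSecretValueCommand {
  constructor(input) { this.input = input; }
}

// Pure decision logic: which timestamp counts as the "last rotation".
// Order: LastRotatedDate > AWSCURRENT version CreatedDate > secret CreatedDate.
function pickLastRotatedDate(secret, currentVersion) {
  if (secret.LastRotatedDate) {
    return { date: secret.LastRotatedDate, source: "LastRotatedDate" };
  }
  if (currentVersion && currentVersion.CreatedDate) {
    return { date: currentVersion.CreatedDate, source: "AWSCURRENT.CreatedDate" };
  }
  if (secret.CreatedDate) {
    return { date: secret.CreatedDate, source: "Secret.CreatedDate" };
  }
  throw new Error(`No usable timestamp for secret ${secret.Name ?? "<unknown>"}`);
}

// Whole-day age of a timestamp, the value a metrics publisher would emit.
function daysSince(date, now) {
  return Math.floor((now.getTime() - date.getTime()) / 86_400_000);
}

// Orchestration: one DescribeSecret call, and GetSecretValue only when needed.
// If the role lacks secretsmanager:GetSecretValue, keep the old behaviour
// (secret CreatedDate) and flag it rather than failing the whole run.
async function resolveLastRotatedDate(client, secretId) {
  const secret = await client.send(new DescribeSecretCommand({ SecretId: secretId }));
  if (secret.LastRotatedDate) {
    return pickLastRotatedDate(secret, undefined);
  }
  let currentVersion;
  try {
    currentVersion = await client.send(
      new GetSecretValueCommand({ SecretId: secretId, VersionStage: "AWSCURRENT" })
    );
  } catch (err) {
    if (err.name !== "AccessDeniedException") throw err;
    const result = pickLastRotatedDate(secret, undefined);
    return { ...result, warning: "GetSecretValue denied; using secret CreatedDate" };
  }
  return pickLastRotatedDate(secret, currentVersion);
}

// Constructed fake client. Responses are keyed by SecretId; a secret with no
// value entry simulates an IAM denial on GetSecretValue.
class FakeSecretsManagerClient {
  constructor(describeResponses, valueResponses) {
    this.describeResponses = describeResponses;
    this.valueResponses = valueResponses;
  }
  async send(command) {
    const id = command.input.SecretId;
    if (command instanceof DescribeSecretCommand) return this.describeResponses[id];
    if (command instanceof GetSecretValueCommand) {
      if (!(id in this.valueResponses)) {
        const err = new Error("not authorized to perform secretsmanager:GetSecretValue");
        err.name = "AccessDeniedException";
        throw err;
      }
      return this.valueResponses[id];
    }
    throw new Error("unsupported command");
  }
}

// Constructed sample data. SecretString is deliberately left out of the value
// responses: a real GetSecretValue response carries it and it must never be logged.
const SAMPLE_DESCRIBE = {
  "manual-secret": { Name: "manual-secret", CreatedDate: new Date("2025-01-01T00:00:00Z"), RotationEnabled: false },
  "rotated-secret": { Name: "rotated-secret", CreatedDate: new Date("2025-01-01T00:00:00Z"), RotationEnabled: true, LastRotatedDate: new Date("2025-02-15T00:00:00Z") },
  "locked-secret": { Name: "locked-secret", CreatedDate: new Date("2025-01-01T00:00:00Z"), RotationEnabled: false },
};
const SAMPLE_VALUES = {
  "manual-secret": { VersionStages: ["AWSCURRENT"], CreatedDate: new Date("2025-03-01T00:00:00Z") },
  "rotated-secret": { VersionStages: ["AWSCURRENT"], CreatedDate: new Date("2025-02-15T00:00:00Z") },
  // "locked-secret" intentionally absent: GetSecretValue is denied for it.
};
const NOW = new Date("2025-03-15T00:00:00Z");

async function demo() {
  const client = new FakeSecretsManagerClient(SAMPLE_DESCRIBE, SAMPLE_VALUES);
  const out = {};
  for (const id of Object.keys(SAMPLE_DESCRIBE)) {
    const r = await resolveLastRotatedDate(client, id);
    out[id] = { ...r, daysSinceRotation: daysSince(r.date, NOW) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((out) => console.log(JSON.stringify(out, null, 2)));
}
```

Running the block prints 14 days for the manually updated secret (its AWSCURRENT version, not the original creation), 28 days for the rotation-enabled one, and 73 days plus a warning for the secret the role cannot read. One design point worth weighing before granting the new permission: the only field the publisher needs is the version's CreatedDate, and ListSecretVersionIds returns CreatedDate and VersionStages for every version without returning the secret material, so a role limited to secretsmanager:ListSecretVersionIds could identify the AWSCURRENT version's creation time while keeping GetSecretValue off the monitoring lambda.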