fix(core): remove cdk.Secret

`cdk.Secret` was left over from when we thought we were going to do secrets differently. Today, we model secret values as strings, which can be retrieved from one of these: - `ssm.ParameterStoreSecureString.stringValue` - `secretsmanager.SecretString.stringValue` - `cdk.CfnParameter.stringValue` (but don't do that, because the secret will be readable from CloudFormation logs) Fixes #2064. BREAKING CHANGE: Replace use of `cdk.Secret` with `secretsmanager.SecretString` (preferred) or `ssm.ParameterStoreSecureString`.
aws · Mar 21, 2019 · 223774d · 223774d
1 parent abacc66
commit 223774d
Show file tree

Hide file tree

Showing 12 changed files with 27 additions and 174 deletions.
diff --git a/packages/@aws-cdk/alexa-ask/README.md b/packages/@aws-cdk/alexa-ask/README.md
@@ -10,9 +10,10 @@ You can deploy to Alexa using CodePipeline with the following DeployAction.
 
 ```ts
 // Read the secrets from ParameterStore
-const clientId = new cdk.SecretParameter(this, 'AlexaClientId', { ssmParameter: '/Alexa/ClientId' });
-const clientSecret = new cdk.SecretParameter(this, 'AlexaClientSecret', { ssmParameter: '/Alexa/ClientSecret' });
-const refreshToken = new cdk.SecretParameter(this, 'AlexaRefreshToken', { ssmParameter: '/Alexa/RefreshToken' });
+const secret = new secretsmanager.SecretString(this, 'AlexaToken', { secretId: 'MyAlexaToken' })
+const clientId = secret.jsonFieldValue('ClientId');
+const clientSecret = secret.jsonFieldValue('ClientSecret');
+const refreshToken = secret.jsonFieldValue('RefreshToken');
 
 // Add deploy action
 new alexaAsk.AlexaSkillDeployAction({

diff --git a/packages/@aws-cdk/alexa-ask/lib/pipeline-actions.ts b/packages/@aws-cdk/alexa-ask/lib/pipeline-actions.ts
@@ -8,17 +8,17 @@ export interface AlexaSkillDeployActionProps extends codepipeline.CommonActionPr
   /**
    * The client id of the developer console token
    */
-  clientId: cdk.Secret;
+  clientId: string;
 
   /**
    * The client secret of the developer console token
    */
-  clientSecret: cdk.Secret;
+  clientSecret: string;
 
   /**
    * The refresh token of the developer console token
    */
-  refreshToken: cdk.Secret;
+  refreshToken: string;
 
   /**
    * The Alexa skill id

diff --git a/packages/@aws-cdk/app-delivery/test/integ.cicd.ts b/packages/@aws-cdk/app-delivery/test/integ.cicd.ts
@@ -16,7 +16,7 @@ const source = new code.GitHubSourceAction({
   actionName: 'GitHub',
   owner: 'awslabs',
   repo: 'aws-cdk',
-  oauthToken: new cdk.Secret('DummyToken'),
+  oauthToken: 'DummyToken',
   pollForSourceChanges: true,
   outputArtifactName: 'Artifact_CICDGitHubF8BA7ADD',
 });

diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md
@@ -90,9 +90,9 @@ Example:
 const gitHubSource = new codebuild.GitHubSource({
   owner: 'awslabs',
   repo: 'aws-cdk',
-  oauthToken: new cdk.SecretParameter(this, 'GitHubOAuthToken', {
-    ssmParameter: 'my-github-token',
-  }).value,
+  oauthToken: new secretsmanager.SecretString(this, 'GitHubOAuthToken', {
+    secretId: 'my-github-token',
+  }).stringValue,
   webhook: true, // optional, default: false
 });
 ```

diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -1,7 +1,6 @@
 import codecommit = require('@aws-cdk/aws-codecommit');
 import iam = require('@aws-cdk/aws-iam');
 import s3 = require('@aws-cdk/aws-s3');
-import cdk = require('@aws-cdk/cdk');
 import { CfnProject } from './codebuild.generated';
 import { Project } from './project';
 
@@ -204,7 +203,7 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
    * Note that you need to give CodeBuild permissions to your GitHub account in order for the token to work.
    * That is a one-time operation that can be done through the AWS Console for CodeBuild.
    */
-  oauthToken: cdk.Secret;
+  oauthToken: string;
 
   /**
    * Whether to create a webhook that will trigger a build every time a commit is pushed to the GitHub repository.
@@ -227,7 +226,7 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
 export class GitHubSource extends GitBuildSource {
   public readonly type: SourceType = SourceType.GitHub;
   private readonly httpsCloneUrl: string;
-  private readonly oauthToken: cdk.Secret;
+  private readonly oauthToken: string;
   private readonly reportBuildStatus: boolean;
   private readonly webhook?: boolean;
 
@@ -268,7 +267,7 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
   /**
    * The OAuth token used to authenticate when cloning the git repository.
    */
-  oauthToken: cdk.Secret;
+  oauthToken: string;
 
   /**
    * Whether to ignore SSL errors when connecting to the repository.
@@ -284,7 +283,7 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
 export class GitHubEnterpriseSource extends GitBuildSource {
   public readonly type: SourceType = SourceType.GitHubEnterprise;
   private readonly httpsCloneUrl: string;
-  private readonly oauthToken: cdk.Secret;
+  private readonly oauthToken: string;
   private readonly ignoreSslErrors?: boolean;
 
   constructor(props: GitHubEnterpriseSourceProps) {

diff --git a/packages/@aws-cdk/aws-codebuild/test/test.project.ts b/packages/@aws-cdk/aws-codebuild/test/test.project.ts
@@ -58,7 +58,7 @@ export = {
           owner: 'testowner',
           repo: 'testrepo',
           cloneDepth: 3,
-          oauthToken: new cdk.Secret("test_oauth_token")
+          oauthToken: "test_oauth_token",
         })
       });
 
@@ -88,7 +88,7 @@ export = {
         source: new codebuild.GitHubSource({
           owner: 'testowner',
           repo: 'testrepo',
-          oauthToken: new cdk.Secret('test_oauth_token'),
+          oauthToken: 'test_oauth_token',
           reportBuildStatus: false,
         })
       });
@@ -112,7 +112,7 @@ export = {
         source: new codebuild.GitHubSource({
           owner: 'testowner',
           repo: 'testrepo',
-          oauthToken: new cdk.Secret('test_oauth_token'),
+          oauthToken: 'test_oauth_token',
           webhook: true,
         })
       });
@@ -138,7 +138,7 @@ export = {
         httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo',
         ignoreSslErrors: true,
         cloneDepth: 4,
-        oauthToken: new cdk.Secret("test_oauth_token")
+        oauthToken: "test_oauth_token"
       })
     });
 

diff --git a/packages/@aws-cdk/aws-codepipeline/lib/github-source-action.ts b/packages/@aws-cdk/aws-codepipeline/lib/github-source-action.ts
@@ -32,13 +32,12 @@ export interface GitHubSourceActionProps extends actions.CommonActionProps {
   /**
    * A GitHub OAuth token to use for authentication.
    *
-   * It is recommended to use a `SecretParameter` to obtain the token from the SSM
-   * Parameter Store:
+   * It is recommended to use a Secrets Manager `SecretString` to obtain the token:
    *
-   *   const oauth = new cdk.SecretParameter(this, 'GitHubOAuthToken', { ssmParameter: 'my-github-token' });
+   *   const oauth = new secretsmanager.SecretString(this, 'GitHubOAuthToken', { secretId: 'my-github-token' });
    *   new GitHubSource(this, 'GitHubAction', { oauthToken: oauth.value, ... });
    */
-  oauthToken: cdk.Secret;
+  oauthToken: string;
 
   /**
    * Whether AWS CodePipeline should poll for source changes.

diff --git a/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-alexa-deploy.ts b/packages/@aws-cdk/aws-codepipeline/test/integ.pipeline-alexa-deploy.ts
@@ -29,9 +29,9 @@ const deployStage = {
       actionName: 'DeploySkill',
       runOrder: 1,
       inputArtifact: sourceAction.outputArtifact,
-      clientId: new cdk.Secret('clientId'),
-      clientSecret: new cdk.Secret('clientSecret'),
-      refreshToken: new cdk.Secret('refreshToken'),
+      clientId: 'clientId',
+      clientSecret: 'clientSecret',
+      refreshToken: 'refreshToken',
       skillId: 'amzn1.ask.skill.12345678-1234-1234-1234-123456789012',
     }),
   ],

diff --git a/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts b/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
@@ -69,7 +69,7 @@ export = {
   'github action uses ThirdParty owner'(test: Test) {
     const stack = new cdk.Stack();
 
-    const secret = new cdk.SecretParameter(stack, 'GitHubToken', { ssmParameter: 'my-token' });
+    const secret = new cdk.CfnParameter(stack, 'GitHubToken', { type: 'String', default: 'my-token' });
 
     const p = new codepipeline.Pipeline(stack, 'P');
 
@@ -81,7 +81,7 @@ export = {
           runOrder: 8,
           outputArtifactName: 'A',
           branch: 'branch',
-          oauthToken: secret.value,
+          oauthToken: secret.stringValue,
           owner: 'foo',
           repo: 'bar'
         }),

diff --git a/packages/@aws-cdk/cdk/lib/index.ts b/packages/@aws-cdk/cdk/lib/index.ts
@@ -26,7 +26,6 @@ export * from './dynamic-reference';
 export * from './tag';
 export * from './removal-policy';
 export * from './arn';
-export * from './secret';
 
 export * from './app';
 export * from './context';

diff --git a/packages/@aws-cdk/cdk/lib/secret.ts b/packages/@aws-cdk/cdk/lib/secret.ts
diff --git a/packages/@aws-cdk/cdk/test/test.secret.ts b/packages/@aws-cdk/cdk/test/test.secret.ts