From 5aef3cc7cbee873ec723ddc0c3eabf800651a73f Mon Sep 17 00:00:00 2001
From: rv2673
Date: Fri, 18 Aug 2023 19:08:28 +0000
Subject: [PATCH 1/2] fix(secretsmanager): fix cross-region policyArn for imported secrets
---
 .../aws-secretsmanager/lib/secret.ts | 2 +
 .../aws-secretsmanager/test/secret.test.ts | 56 +++++++++++++++++++
 2 files changed, 58 insertions(+)
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts
index 6f214e3448cc7..9c73f0fb55545 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts
@@ -601,6 +601,8 @@ export class Secret extends SecretBase {
 public readonly secretName = parseSecretName(scope, secretArn);
 protected readonly autoCreatePolicy = false;
 public get secretFullArn() { return secretArnIsPartial ? undefined : secretArn; }
+ protected get arnForPolicies() { return secretArnIsPartial ? `${secretArn}-??????` : secretArn; }
+
 }(scope, id, { environmentFromArn: secretArn });
 }
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
index 628649d7ee4be..844a54ae98182 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
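Review bot: The new `arnForPolicies` getter carries no comment explaining the `-??????` suffix, and since `?` is a single-character wildcard in IAM resource ARNs, the policy resource produced for a partial ARN also matches any other secret in that account and region whose name is `<secret-name>-` followed by six characters. A short comment would keep the next maintainer from "simplifying" it away: `// Partial ARNs omit the 6-character suffix Secrets Manager appends to the name; '-??????' lets IAM match it (and any other secret named '<name>-' plus six characters).` The second added line is an empty line directly before the class body's closing `}(scope, id, ...)` and reads as stray whitespace. The anonymous class and the method that returns it both start outside the hunk.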
@@ -1390,3 +1390,59 @@ test('cross-environment grant with direct object reference', () => {
 });
 });
+
+test('cross-environment grant with imported from completeArn', () => {
+ // GIVEN
+ const secretCompleteArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name-suffix';
+ const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+ const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+ const secret = secretsmanager.Secret.fromSecretCompleteArn(producerStack, 'Secret', secretCompleteArn);
+ const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+ // WHEN
+ secret.grantRead(role);
+
+ // THEN
+ Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Version: '2012-10-17',
+ Statement: [{
+ Action: [
+ 'secretsmanager:GetSecretValue',
+ 'secretsmanager:DescribeSecret',
+ ],
+ Effect: 'Allow',
+ Resource: secretCompleteArn,
+ }],
+ },
+ });
+
+});
+
+test('cross-environment grant with imported from partialArn', () => {
+ // GIVEN
+ const secretPartialArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name';
+ const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+ const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+ const secret = secretsmanager.Secret.fromSecretPartialArn(producerStack, 'Secret', secretPartialArn);
+ const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+ // WHEN
+ secret.grantRead(role);
+
+ // THEN
+ Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Version: '2012-10-17',
+ Statement: [{
+ Action: [
+ 'secretsmanager:GetSecretValue',
+ 'secretsmanager:DescribeSecret',
+ ],
+ Effect: 'Allow',
+ Resource: `${secretPartialArn}-??????`,
+ }],
+ },
+ });
+
+});
\ No newline at end of file
From 32c62f7a23ab260099cea02bac85d986b1e1b32b Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Wed, 23 Aug 2023 10:45:23 +0100
Subject: [PATCH 2/2] Update packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
---
 packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
index 844a54ae98182..8a935ae86cb0d 100644
--- a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
@@ -1445,4 +1445,4 @@ test('cross-environment grant with imported from partialArn', () => {
 },
 });
-});
\ No newline at end of file
+});
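Review bot: Both new tests assert only the `Resource` string in the consumer stack's policy, so they do not pin the property the commit title is about — that a grant across regions no longer needs a reference into the producer stack; an extra assertion that the producer stack's template has no Outputs (or that the consumer template contains no `Fn::ImportValue`) would make the regression visible if `arnForPolicies` were later reverted to the stack-bound value. The hard-coded ARNs name region `foobar` while `producerStack` is placed in `foo`; if that mismatch is deliberate, a comment such as `// ARN region intentionally differs from both stacks` would say so, otherwise the values should agree. The empty line before each closing `});` is stray whitespace.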