Step by Step Setup (CDK)
AWS provides the nouns of SAM (AWS::Serverless::Function, AWS::Serverless::Application, &c.) as CDK Constructs in the module aws-sam.
The construct through which to deploy the Platform Client Secret Rotator is CfnApplication, which corresponds to the SAM resource AWS::Serverless::Application. This, in turn, corresponds to the raw CloudFormation resource AWS::CloudFormation::Stack. The multi-language nature of the CDK means that any of various languages could be used, but here is an example of using that construct in TypeScript:
```typescript
import * as cdk from '@aws-cdk/core';
import * as kms from '@aws-cdk/aws-kms';
import * as sam from '@aws-cdk/aws-sam';

export class AppStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Customer-managed key handed to the rotator via the KmsKeyArn parameter.
    const applicationKey = new kms.Key(this, 'appKey', {
      enableKeyRotation: true
    });

    // Deploys the Serverless Application Repository app as a nested stack.
    const rotator = new sam.CfnApplication(this, 'appRotator', {
      location: {
        applicationId: 'arn:aws:serverlessrepo:us-east-1:820870426321:applications/platform-client-secret-rotator',
        semanticVersion: '1.1.4'
      },
      parameters: {
        Endpoint: `https://secretsmanager.${this.region}.${this.urlSuffix}`,
        FunctionName: `${this.stackName}-client-credentials-secret-rotator`,
        KmsKeyArn: applicationKey.keyArn
      }
    });
  }
}
```
Given this setup, the ARN of the created rotation function is available as an output of the nested stack:

```typescript
rotator.getAtt('Outputs.RotationLambdaARN').toString()
```

…which can be used to connect the Function to a Secret and a Rotation Schedule.
There is an unavoidable bootstrapping step when deploying the Platform Client Secret Rotator into a service for the first time. The deployment process has no way of knowing what a client's current secret is (nor should it!), so the first rotation which occurs after deployment will necessarily fail. To take ownership of the rotation of a client secret, transfer the client secret value into AWS Secrets Manager (into the deployed secret, specifically) and instruct AWS Secrets Manager to rotate the secret immediately. It's a hands-off operation from then on.