
tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.


Secrets Manager - Secrets Storage and Rotation

AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.

Common Tasks

Store database credentials as JSON secret

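import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Read the password from encrypted stack configuration
// (set with `pulumi config set --secret dbPassword`) instead of hardcoding it.
const dbPassword = new pulumi.Config().requireSecret("dbPassword");

const secret = new aws.secretsmanager.Secret("db-password", {
    description: "Database password",
});
new aws.secretsmanager.SecretVersion("db-password-value", {
    secretId: secret.id,
    // pulumi.jsonStringify resolves Outputs and keeps the result marked as secret.
    secretString: pulumi.jsonStringify({
        username: "admin",
        password: dbPassword,
    }),
});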

Create encrypted secret with KMS key

// kmsKey is assumed to be a customer-managed aws.kms.Key defined elsewhere in the program.
const secret = new aws.secretsmanager.Secret("encrypted-secret", {
    description: "Encrypted secret",
    kmsKeyId: kmsKey.id,
});

Configure secret with recovery window

const secret = new aws.secretsmanager.Secret("api-key", {
    description: "API key for external service",
    recoveryWindowInDays: 30,
});

Core Resources

Secret

Store secrets with automatic rotation.

class Secret extends pulumi.CustomResource {
    constructor(name: string, args?: SecretArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
    readonly id: pulumi.Output<string>;
}

interface SecretArgs {
    name?: pulumi.Input<string>;
    description?: pulumi.Input<string>;
    kmsKeyId?: pulumi.Input<string>;
    recoveryWindowInDays?: pulumi.Input<number>;
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example: Create secret with KMS encryption

const secret = new aws.secretsmanager.Secret("db-password", {
    description: "Database password",
    kmsKeyId: kmsKey.id,
    recoveryWindowInDays: 7,
    tags: {
        Environment: "production",
        Application: "my-app",
    },
});

SecretVersion

Store secret values.

class SecretVersion extends pulumi.CustomResource {
    constructor(name: string, args: SecretVersionArgs, opts?: pulumi.CustomResourceOptions);
}

interface SecretVersionArgs {
    secretId: pulumi.Input<string>;
    secretString?: pulumi.Input<string>;
    secretBinary?: pulumi.Input<string>;
}

Example: Store secret value

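// dbPassword and dbInstance are defined elsewhere in the program.
new aws.secretsmanager.SecretVersion("db-password-value", {
    secretId: secret.id,
    // pulumi.jsonStringify waits for Output values such as dbInstance.endpoint;
    // plain JSON.stringify cannot serialize them.
    secretString: pulumi.jsonStringify({
        username: "admin",
        password: dbPassword,
        host: dbInstance.endpoint,
        port: 5432,
    }),
});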

Usage Example

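import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The secret value comes from encrypted stack configuration, not from source code.
const dbPassword = new pulumi.Config().requireSecret("dbPassword");

const secret = new aws.secretsmanager.Secret("db-password", {
    description: "Database password",
});

new aws.secretsmanager.SecretVersion("db-password-value", {
    secretId: secret.id,
    // pulumi.jsonStringify accepts Outputs and keeps the result marked as secret.
    secretString: pulumi.jsonStringify({
        username: "admin",
        password: dbPassword,
    }),
});

export const secretArn = secret.arn;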

Related Services

  • RDS - Store database credentials securely
  • Lambda - Access secrets from Lambda functions
  • ECS - Inject secrets into container environment
  • KMS - Encrypt secrets with customer-managed keys
  • IAM - Control access to secrets with policies
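The IAM and KMS items above, as an added example that is not part of the original documentation or of the Pulumi AWS package: a helper that builds a read-only IAM policy document for one secret and, when the secret uses a customer-managed key, adds `kms:Decrypt` restricted by `kms:ViaService`. The names `parseArnRegion` and `secretReaderPolicy` are hypothetical, and the standard `aws` partition is assumed.

```typescript
// Added example: function names are hypothetical, not part of @pulumi/aws.
interface Statement {
    Effect: "Allow";
    Action: string[];
    Resource: string;
    Condition?: Record<string, Record<string, string>>;
}
interface PolicyDocument {
    Version: "2012-10-17";
    Statement: Statement[];
}

// ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
function parseArnRegion(arn: string, service: string): string {
    const [prefix = "", partition = "", svc = "", region = ""] = arn.split(":");
    if (prefix !== "arn" || partition !== "aws" || svc !== service || region === "") {
        throw new Error(`not an aws-partition ${service} ARN: ${arn}`);
    }
    return region;
}

// Read-only access to exactly one secret. Pass kmsKeyArn only when the secret
// was created with kmsKeyId set to a customer-managed key.
function secretReaderPolicy(secretArn: string, kmsKeyArn?: string): PolicyDocument {
    const region = parseArnRegion(secretArn, "secretsmanager");
    if (!/:secret:[^*?]+$/.test(secretArn)) {
        throw new Error("secret ARN must name a single secret, without wildcards");
    }
    const statements: Statement[] = [{
        Effect: "Allow",
        Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        Resource: secretArn,
    }];
    if (kmsKeyArn !== undefined) {
        // Secrets Manager needs the key in the same region as the secret.
        if (parseArnRegion(kmsKeyArn, "kms") !== region) {
            throw new Error("KMS key and secret are in different regions");
        }
        statements.push({
            Effect: "Allow",
            Action: ["kms:Decrypt"],
            Resource: kmsKeyArn,
            // The key can be used only through Secrets Manager in that region.
            Condition: { StringEquals: { "kms:ViaService": `secretsmanager.${region}.amazonaws.com` } },
        });
    }
    return { Version: "2012-10-17", Statement: statements };
}
```

In a Pulumi program the ARNs are Outputs, so build the document inside `pulumi.all([secret.arn, kmsKey.arn]).apply(...)` and pass `JSON.stringify` of the result as the `policy` of an `aws.iam.Policy`.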

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws
