在 Cfn L1 构造中解析使用 CDK 创建的秘密

问题描述

如何将通过 Secrets Manager 创建的 L2 Secret 解析为 L1 Cfn 属性值?

from aws_cdk import (
    core,aws_secretsmanager as secretsmanager,aws_elasticache as elasticache
)
class MyStack(core.Stack):
    """Stack that provisions a Secrets Manager secret and a Redis replication group.

    This is the original (failing) version from the question: the Secret's
    ``secret_value`` is handed straight to ``auth_token``, which raises the
    ``jsii.errors.JSIIError`` reproduced below the listing.
    """
    def __init__(self,scope: core.Construct,id: str,**kwargs) -> None:
        """Create the stack.

        Args:
            scope: Parent construct.
            id: Construct id of the stack.
            **kwargs: Forwarded unchanged to ``core.Stack``.
        """
        super().__init__(scope,id,**kwargs)

        # Generated secret. The excluded characters '/', '"' and '@' are not
        # accepted by ElastiCache inside an AUTH token, which is presumably why
        # they are kept out of the generated password.
        redis_password = secretsmanager.Secret(
            self,"RedisPassword",description="Redis auth",generate_secret_string=secretsmanager.SecretStringGenerator(
                exclude_characters='/"@'
            )
        )
        # NOTE(review): auth_token receives a SecretValue object rather than a
        # string token here; this is the line behind the JSIIError reported
        # below (the working version calls .to_string() on the value).
        self.redis = elasticache.CfnReplicationGroup(self,'RedisCluster',auth_token=redis_password.secret_value,# other properties
        )

这会产生以下错误

jsii.errors.JSIIError: Object of type @aws-cdk/aws-secretsmanager.Secret is not convertible to @aws-cdk/core.CfnElement

在 CloudFormation 中解析秘密时，我会使用类似下面的写法

AuthToken: !Sub '{{resolve:secretsmanager:${MySecret}::password}}'

但是(据我所知)L2 Secret 不会像 L1 构造那样输出 Cfn Ref

我错过了什么?

解决方法

我只是漏掉了 to_string() 方法

from aws_cdk import (
    core,aws_secretsmanager as secretsmanager,aws_elasticache as elasticache
)
class MyStack(core.Stack):
    """Stack holding a generated Redis AUTH token and the replication group that uses it.

    The secret is created as an L2 ``Secret``; its ``secret_value`` is converted to a
    string token so the L1 ``CfnReplicationGroup`` accepts it. In the synthesized
    template that token becomes a ``{{resolve:secretsmanager:...}}`` dynamic
    reference, so the plaintext password never lands in the template itself.
    """

    def __init__(self,scope: core.Construct,id: str,**kwargs) -> None:
        """Wire up the secret and the replication group.

        Args:
            scope: Parent construct.
            id: Construct id of the stack.
            **kwargs: Passed unchanged to ``core.Stack``.
        """
        super().__init__(scope,id,**kwargs)

        # ElastiCache rejects '/', '"' and '@' inside an AUTH token, so keep
        # them out of the generated password.
        token_generator = secretsmanager.SecretStringGenerator(exclude_characters='/"@')
        redis_password = secretsmanager.Secret(
            self,
            "RedisPassword",
            description="Redis auth",
            generate_secret_string=token_generator,
        )

        # .to_string() yields a string token that the L1 construct accepts;
        # passing the bare SecretValue is rejected by jsii.
        # NOTE(review): an AUTH token is only honoured when transit encryption
        # is enabled on the replication group -- confirm that
        # transit_encryption_enabled=True is among the remaining properties.
        auth_token = redis_password.secret_value.to_string()
        self.redis = elasticache.CfnReplicationGroup(
            self,
            "RedisCluster",
            auth_token=auth_token,
            # ... remaining replication-group properties ...
        )

这会合成(synth)为如下模板。注意 AuthToken 在模板中只是一个 {{resolve:secretsmanager:...}} 动态引用，秘密明文不会写入模板:

{
  "RedisPasswordED621C10": {
    "Type": "AWS::SecretsManager::Secret","Properties": {
      "Description": "Redis auth","GenerateSecretString": {
        "ExcludeCharacters": "/\"@"
      }
    },"Metadata": {
      "aws:cdk:path": "my-cdk-stack/RedisPassword/Resource"
    }
  },"RedisCluster": {
    "Type": "AWS::ElastiCache::ReplicationGroup","Properties": {
      "ReplicationGroupDescription": "RedisGroup","AtRestEncryptionEnabled": true,"AuthToken": {
        "Fn::Join": [
          "",[
            "{{resolve:secretsmanager:",{
              "Ref": "RedisPasswordED621C10"
            },":SecretString:::}}"
          ]
        ]
      },"OtherProps": "..."
    }
  }
}