
I can create and use a key-value pair stored in AWS SecretsManager. Let's say you want to raise an error if the key does not exist inside AWS SecretsManager.

import { SecretValue } from "@aws-cdk/core";

const secretKey = "keyNameInAWS";
// Below is used for any resource that takes SecretValue as an input.
// The call returns a token, not the secret itself; CloudFormation resolves it at deploy time.
const secretValue = SecretValue.secretsManager(secretKey, { jsonField: secretKey });

Should I try to find the secrets at the start of the script and then use TypeScript to kill the script, or create a CfnCondition and have the main stack depend on the secrets existing?

  • I don't remember the implementation, but have you tried surrounding it with try/catch? – Pedreiro May 03 '20 at 10:59
  • @Pedreiro Thanks for the reply, I've not, no, I will have a look now though. I've tried to set **SecretValue.secretsManager** to a variable: const sV = SecretValue... ... ... Then use if(!sv) { throw new Error("") } – scope May 03 '20 at 11:05
  • If I print out sv I get ${Token.[Token].122} even if it is empty – scope May 03 '20 at 11:07
  • Check this doc here => https://docs.aws.amazon.com/cdk/api/latest/docs/aws-secretsmanager-readme.html It says: > If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application – Pedreiro May 03 '20 at 11:14
  • Also, check the generated CF template. If it generates something like `{{resolve:secretsmanager:`, that means that the parameter will be checked during CF deployment time, therefore there's nothing you can do about it in your CDK code directly. You would have to check the parameters in a separate call... maybe using the SDK... check this doc => https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html – Pedreiro May 03 '20 at 11:19
  • @Pedreiro Creating the secret is not the problem. Using your method with the Secret class and fromSecretArn (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-secretsmanager.Secret.html#static-from-wbr-secret-wbr-arnscope-id-secretarn) is not a very generic way of doing things. It needs a specific value that is not just the name of the application etc. Checking the CF template is also not something I want to keep doing every time. – scope May 03 '20 at 13:01
  • It would be easier to do all the checking in the script itself. If you look here https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.SecretValue.html#static-secrets-wbr-managersecretid-options they dynamically create a SecretValue, which is what I need and which is also what I have. But an empty SecretValue and a non-empty SecretValue both return as being true – scope May 03 '20 at 13:01
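The following is an added example, not code from the question or from the CDK project: it automates the "separate call" suggested in the comments by walking a synthesized template for `{{resolve:secretsmanager:...}}` dynamic references and checking each referenced secret and JSON key before `cdk deploy`, so a missing secret fails fast locally instead of in the middle of a CloudFormation rollout. It assumes a caller-supplied `lookup` function that returns the SecretString for a secret id or `null` when it does not exist (in practice a wrapper around the AWS SDK GetSecretValue call; the in-memory store and template below are constructed sample data).

```typescript
export interface SecretRef { secretId: string; jsonKey?: string }
// Hypothetical lookup contract: SecretString of the secret, or null if it does not exist.
export type SecretLookup = (secretId: string) => string | null;

const REF = /\{\{resolve:secretsmanager:([^}]*)\}\}/g;

// Parse "secret-id:secret-string:json-key:version-stage:version-id".
// A secret id given as an ARN contains six colons itself, so it spans seven fields.
function parseRef(body: string): SecretRef {
  const parts = body.split(":");
  const idLen = parts[0] === "arn" ? 7 : 1;
  const secretId = parts.slice(0, idLen).join(":");
  const jsonKey = parts[idLen + 1];
  return jsonKey ? { secretId, jsonKey } : { secretId };
}

// Walk the template (any JSON value) and collect every Secrets Manager dynamic reference.
export function findSecretRefs(node: unknown, out: SecretRef[] = []): SecretRef[] {
  if (typeof node === "string") {
    let m: RegExpExecArray | null;
    REF.lastIndex = 0;
    while ((m = REF.exec(node)) !== null) out.push(parseRef(m[1]));
  } else if (Array.isArray(node)) {
    for (const v of node) findSecretRefs(v, out);
  } else if (node !== null && typeof node === "object") {
    const obj = node as Record<string, unknown>;
    for (const k of Object.keys(obj)) findSecretRefs(obj[k], out);
  }
  return out;
}

// One message per reference CloudFormation would fail on; an empty array means safe to deploy.
export function checkSecretRefs(template: unknown, lookup: SecretLookup): string[] {
  const problems: string[] = [];
  for (const ref of findSecretRefs(template)) {
    const secretString = lookup(ref.secretId);
    if (secretString === null) { problems.push(`secret "${ref.secretId}" does not exist`); continue; }
    if (!ref.jsonKey) continue;
    let parsed: unknown = null;
    try { parsed = JSON.parse(secretString); } catch (e) { /* not JSON: the key cannot exist */ }
    if (parsed === null || typeof parsed !== "object" || !(ref.jsonKey in (parsed as object))) {
      problems.push(`secret "${ref.secretId}" has no JSON key "${ref.jsonKey}"`);
    }
  }
  return problems;
}

// Constructed sample of what `cdk synth` emits for SecretValue.secretsManager(id, { jsonField }).
export const SAMPLE_TEMPLATE = { Resources: { Db: { Type: "AWS::RDS::DBInstance", Properties: {
  MasterUserPassword: "{{resolve:secretsmanager:keyNameInAWS:SecretString:keyNameInAWS::}}",
  MasterUsername: "{{resolve:secretsmanager:missingSecret:SecretString:user::}}" } } } };
// Constructed stand-in for the account's secrets: the secret exists but lacks the JSON key.
export const SAMPLE_STORE: Record<string, string> = { keyNameInAWS: '{"other":"x"}' };
export const sampleLookup: SecretLookup = (id) => (id in SAMPLE_STORE ? SAMPLE_STORE[id] : null);
```

Run it against the JSON written by `cdk synth` before deploying; `checkSecretRefs(template, lookup)` returning a non-empty array is the point at which the script should throw.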
