feat(secretsmanager): validate maximum value of automaticallyAfter in RotationSchedule (#27592)

go-to-k · web-flow · commit 99740b3211d0 · 2023-10-18T22:33:37.000Z
I added a validation for whether `automaticallyAfter` in `RotationSchedule` is not greater than 1000 days. We discussed in the following threads. #27570 (review) #27570 (review) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
@@ -37,6 +37,8 @@ export interface RotationScheduleOptions {
    * Specifies the number of days after the previous rotation before
    * Secrets Manager triggers the next automatic rotation.
    *
+   * The maximum value is 1000 days.
+   *
    * A value of zero (`Duration.days(0)`) will not create RotationRules.
    *
    * @default Duration.days(30)
@@ -125,6 +127,9 @@ export class RotationSchedule extends Resource {
     }
 
     let automaticallyAfterDays: number | undefined = undefined;
+    if (props.automaticallyAfter && props.automaticallyAfter.toDays() > 1000) {
+      throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
+    }
     if (props.automaticallyAfter?.toMilliseconds() !== 0) {
       automaticallyAfterDays = props.automaticallyAfter?.toDays() || 30;
     }
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
@@ -651,3 +651,21 @@ test('rotation schedule should have a dependency on lambda permissions', () => {
     ],
   });
 });
+
+test('automaticallyAfter must not be greater than 1000 days', () => {
+  // GIVEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const rotationLambda = new lambda.Function(stack, 'Lambda', {
+    runtime: lambda.Runtime.NODEJS_LATEST,
+    code: lambda.Code.fromInline('export.handler = event => event;'),
+    handler: 'index.handler',
+  });
+
+  // WHEN
+  // THEN
+  expect(() => new secretsmanager.RotationSchedule(stack, 'RotationSchedule', {
+    secret,
+    rotationLambda,
+    automaticallyAfter: Duration.days(1001),
+  })).toThrow(/automaticallyAfter must not be greater than 1000 days, got 1001 days/);
+});

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ export interface RotationScheduleOptions {`
`37`	`37`	`* Specifies the number of days after the previous rotation before`
`38`	`38`	`* Secrets Manager triggers the next automatic rotation.`
`39`	`39`	`*`
	`40`	`+ * The maximum value is 1000 days.`
	`41`	`+ *`
`40`	`42`	* A value of zero (`Duration.days(0)`) will not create RotationRules.
`41`	`43`	`*`
`42`	`44`	`* @default Duration.days(30)`
`@@ -125,6 +127,9 @@ export class RotationSchedule extends Resource {`
`125`	`127`	`}`
`126`	`128`
`127`	`129`	`let automaticallyAfterDays: number \| undefined = undefined;`
	`130`	`+ if (props.automaticallyAfter && props.automaticallyAfter.toDays() > 1000) {`
	`131`	+ throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
	`132`	`+ }`
`128`	`133`	`if (props.automaticallyAfter?.toMilliseconds() !== 0) {`
`129`	`134`	`automaticallyAfterDays = props.automaticallyAfter?.toDays() \|\| 30;`
`130`	`135`	`}`