feat(secretsmanager): validate maximum value of automaticallyAfter in…

… RotationSchedule (#27592) I added a validation for whether `automaticallyAfter` in `RotationSchedule` is not greater than 1000 days. We discussed in the following threads. #27570 (review) #27570 (review) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 18, 2023 · 99740b3 · 99740b3
1 parent 14fa190
commit 99740b3
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
@@ -37,6 +37,8 @@ export interface RotationScheduleOptions {
    * Specifies the number of days after the previous rotation before
    * Secrets Manager triggers the next automatic rotation.
    *
+   * The maximum value is 1000 days.
+   *
    * A value of zero (`Duration.days(0)`) will not create RotationRules.
    *
    * @default Duration.days(30)
@@ -125,6 +127,9 @@ export class RotationSchedule extends Resource {
     }
 
     let automaticallyAfterDays: number | undefined = undefined;
+    if (props.automaticallyAfter && props.automaticallyAfter.toDays() > 1000) {
+      throw new Error(`automaticallyAfter must not be greater than 1000 days, got ${props.automaticallyAfter.toDays()} days`);
+    }
     if (props.automaticallyAfter?.toMilliseconds() !== 0) {
       automaticallyAfterDays = props.automaticallyAfter?.toDays() || 30;
     }

diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
@@ -651,3 +651,21 @@ test('rotation schedule should have a dependency on lambda permissions', () => {
     ],
   });
 });
+
+test('automaticallyAfter must not be greater than 1000 days', () => {
+  // GIVEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const rotationLambda = new lambda.Function(stack, 'Lambda', {
+    runtime: lambda.Runtime.NODEJS_LATEST,
+    code: lambda.Code.fromInline('export.handler = event => event;'),
+    handler: 'index.handler',
+  });
+
+  // WHEN
+  // THEN
+  expect(() => new secretsmanager.RotationSchedule(stack, 'RotationSchedule', {
+    secret,
+    rotationLambda,
+    automaticallyAfter: Duration.days(1001),
+  })).toThrow(/automaticallyAfter must not be greater than 1000 days, got 1001 days/);
+});