fix(secretsmanager): cannot import secrets by ARN without suffix

An overly-strict validation on secret ARNs prevented valid use cases where a customer provides a secret ARN without the SecretsManager-suffix. fixes #10604
aws · Sep 30, 2020 · 5ddae7b · 5ddae7b
1 parent 8a04014
commit 5ddae7b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -327,7 +327,7 @@ export class Secret extends SecretBase {
 
     // @see https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-authz
     const principal =
-       new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, new iam.AccountPrincipal(Stack.of(this).account));
+      new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, new iam.AccountPrincipal(Stack.of(this).account));
     this.encryptionKey?.grantEncryptDecrypt(principal);
     this.encryptionKey?.grant(principal, 'kms:CreateGrant', 'kms:DescribeKey');
   }
@@ -605,8 +605,8 @@ function parseSecretName(construct: IConstruct, secretArn: string) {
     }
 
     // Secret resource names are in the format `${secretName}-${SecretsManager suffix}`
-    const secretNameFromArn = resourceName.substr(0, resourceName.lastIndexOf('-'));
-    if (secretNameFromArn) { return secretNameFromArn; }
+    // If there is no hyphen, assume no suffix was provided, and return the whole name.
+    return resourceName.substr(0, resourceName.lastIndexOf('-')) || resourceName;
   }
   throw new Error('invalid ARN format; no secret name provided');
 }
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -474,11 +474,25 @@ export = {
     // GIVEN
     const stack = new cdk.Stack();
     const arnWithoutResourceName = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret';
-    const arnWithoutSecretsManagerSuffix = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret';
 
     // WHEN
     test.throws(() => secretsmanager.Secret.fromSecretArn(stack, 'Secret1', arnWithoutResourceName), /invalid ARN format/);
-    test.throws(() => secretsmanager.Secret.fromSecretArn(stack, 'Secret2', arnWithoutSecretsManagerSuffix), /invalid ARN format/);
+
+    test.done();
+  },
+
+  'import by secretArn supports secret ARNs without suffixes'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const arnWithoutSecretsManagerSuffix = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret';
+
+    // WHEN
+    const secret = secretsmanager.Secret.fromSecretArn(stack, 'Secret', arnWithoutSecretsManagerSuffix);
+
+    // THEN
+    test.equals(secret.secretArn, arnWithoutSecretsManagerSuffix);
+    test.equals(secret.secretName, 'MySecret');
+
     test.done();
   },