Package software.amazon.awscdk.services.secretsmanager

Interface SecretRotationProps

All Superinterfaces:

software.amazon.jsii.JsiiSerializable

All Known Implementing Classes:

SecretRotationProps.Jsii$Proxy

@Generated(value="jsii-pacmak/1.113.0 (build fc68b25)",
           date="2025-10-14T12:28:20.450Z")
@Stability(Stable)
public interface SecretRotationProps
extends software.amazon.jsii.JsiiSerializable

Construction properties for a SecretRotation.

Example:

 Secret myUserSecret;
 Secret myMasterSecret;
 IConnectable myDatabase;
 Vpc myVpc;
 SecretRotation.Builder.create(this, "SecretRotation")
         .application(SecretRotationApplication.MYSQL_ROTATION_MULTI_USER)
         .secret(myUserSecret) // The secret that will be rotated
         .masterSecret(myMasterSecret) // The secret used for the rotation
         .target(myDatabase)
         .vpc(myVpc)
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static final class	SecretRotationProps.Builder	A builder for SecretRotationProps
static final class	SecretRotationProps.Jsii$Proxy	An implementation for SecretRotationProps

Method Summary

Modifier and Type	Method	Description
static SecretRotationProps.Builder	builder()
SecretRotationApplication	getApplication()	The serverless application for the rotation.
default Duration	getAutomaticallyAfter()	Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
default IInterfaceVpcEndpoint	getEndpoint()	The VPC interface endpoint to use for the Secrets Manager API.
default String	getExcludeCharacters()	Characters which should not appear in the generated password.
default ISecret	getMasterSecret()	The master secret for a multi user rotation scheme.
default Boolean	getRotateImmediatelyOnUpdate()	Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
ISecret	getSecret()	The secret to rotate.
default ISecurityGroup	getSecurityGroup()	The security group for the Lambda rotation function.
IConnectable	getTarget()	The target service or database.
IVpc	getVpc()	The VPC where the Lambda rotation function will run.
default SubnetSelection	getVpcSubnets()	The type of subnets in the VPC where the Lambda rotation function will run.

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Method Details

getApplication

@Stability(Stable)
@NotNull
SecretRotationApplication getApplication()

The serverless application for the rotation.

getSecret

@Stability(Stable)
@NotNull
ISecret getSecret()

The secret to rotate. It must be a JSON string with the following format:.

 {
   "engine": <required: database engine>,
   "host": <required: instance host name>,
   "username": <required: username>,
   "password": <required: password>,
   "dbname": <optional: database name>,
   "port": <optional: if not specified, default port will be used>,
   "masterarn": <required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>
 }
 

This is typically the case for a secret referenced from an AWS::SecretsManager::SecretTargetAttachment or an ISecret returned by the attach() method of Secret.

See Also:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

getTarget

@Stability(Stable)
@NotNull
IConnectable getTarget()

The target service or database.

getVpc

@Stability(Stable)
@NotNull
IVpc getVpc()

The VPC where the Lambda rotation function will run.

getAutomaticallyAfter

@Stability(Stable)
@Nullable
default Duration getAutomaticallyAfter()

Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.

Default: Duration.days(30)

getEndpoint

@Stability(Stable)
@Nullable
default IInterfaceVpcEndpoint getEndpoint()

The VPC interface endpoint to use for the Secrets Manager API.

If you enable private DNS hostnames for your VPC private endpoint (the default), you don't need to specify an endpoint. The standard Secrets Manager DNS hostname the Secrets Manager CLI and SDKs use by default (https://secretsmanager..amazonaws.com) automatically resolves to your VPC endpoint.

Default: https://secretsmanager..amazonaws.com

getExcludeCharacters

@Stability(Stable)
@Nullable
default String getExcludeCharacters()

Characters which should not appear in the generated password.

Default: - no additional characters are explicitly excluded

getMasterSecret

@Stability(Stable)
@Nullable
default ISecret getMasterSecret()

The master secret for a multi user rotation scheme.

Default: - single user rotation scheme

getRotateImmediatelyOnUpdate

@Stability(Stable)
@Nullable
default Boolean getRotateImmediatelyOnUpdate()

Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.

Default: true

getSecurityGroup

@Stability(Stable)
@Nullable
default ISecurityGroup getSecurityGroup()

The security group for the Lambda rotation function.

Default: - a new security group is created

getVpcSubnets

@Stability(Stable)
@Nullable
default SubnetSelection getVpcSubnets()

The type of subnets in the VPC where the Lambda rotation function will run.

Default: - the Vpc default strategy if not specified.

builder

@Stability(Stable)
static SecretRotationProps.Builder builder()

Returns:

a SecretRotationProps.Builder of SecretRotationProps