Python AWS CDK - Unable to set secret rotation in aws cdk

Question

I've been unable to synth my cdk stack. I need to instantiate a Postgres RDS database instance. I've attempted to add a single user and secrete rotation schedule to no avail. Do you have any ideas of what is required to achieve a secret rotation? The error message received when trying to synth the stack:

`[Error at /usecase-1-stack/test-uc1-pgdb/Secret/Resource] AwsSolutions-SMG4: The secret does not have automatic rotation scheduled. AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database.`

```
        from aws_cdk import aws_rds as rds
        from aws_cdk import aws_secretsmanager as sm
        from aws_cdk import aws_ec2 as ec2

curated_rds = rds.DatabaseInstance(
            self,
            f"{env_id}-uc1-pgdb", 
            database_name=curated_db_name,
            engine=rds.DatabaseInstanceEngine.postgres(
                version=rds.PostgresEngineVersion.VER_14_10
            ),
            port=curated_db_port,
            instance_type=ec2.InstanceType.of(
                ec2.InstanceClass.STANDARD5, ec2.InstanceSize.LARGE
            ),
            credentials=rds.Credentials.from_generated_secret(
                "admin",
                encryption_key=data_key,
                secret_name=f"{env_id}-uc1-pgdb-admin",
            ),
            vpc=data_vpc,
            vpc_subnets=ec2.SubnetSelection(
                subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
            ),
            security_groups=[curated_rds_security_group],
            storage_encrypted=True,
            storage_encryption_key=data_key,
            auto_minor_version_upgrade=True,
            deletion_protection=True,
            multi_az=True,
            publicly_accessible=False,
            enable_performance_insights=True,
        )

# curated_rds.add_rotation_single_user(automatically_after=Duration.days(30))
        curated_rds.secret.add_rotation_schedule("RotationSchedule",   hosted_rotation=sm.HostedRotation.postgre_sql_single_user(), automatically_after=Duration.days(7))
```

giordafrancis · Accepted Answer

The cdk-nag error resulted from a [bug](https://github.com/cdklabs/cdk-nag/issues/1565)

The secrets rotation was set but non-compliant even if rotation is configured. I was working under version v2.116 for aws-cdk-lib, and updating to 2.129.0 resolved the issue SMG4.

Oleksii Bebych · Answer

You will need a Lambda function for Secret rotation

```
        # Define your Secret
        my_secret = secretsmanager.Secret(self, "MySecret",
                                          secret_name="MySecret",
                                          generate_secret_string=secretsmanager.SecretStringGenerator())

# Create a Lambda function for rotation
        rotation_lambda = lambda_.Function(self, "RotationLambda",
                                           runtime=lambda_.Runtime.PYTHON_3_8,
                                           handler="rotation_function.handler",
                                           code=lambda_.Code.from_asset("path_to_your_lambda_code"))

# Grant Lambda permissions to read and update the secret
        my_secret.grant_read(rotation_lambda)
        my_secret.grant_write(rotation_lambda)

# Define rotation schedule
        rotation_schedule = secretsmanager.RotationSchedule(
            self, "RotationSchedule",
            secret=my_secret,
            rotation_lambda=rotation_lambda,
            rotation_schedule=core.Duration.days(30)
        )

# Enable rotation for the secret
        my_secret.add_rotation_schedule("RotationSchedule", rotation_schedule)
```

Lambda examples are here:
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/tree/master

Python AWS CDK - Unable to set secret rotation in aws cdk

Relevant content