Handle SecretsManager dynamic references

integration/examples_nodejs_test.go

@@ -41,6 +41,15 @@ func TestApiGatewayDomain(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestSecretsManager(t *testing.T) {
+	test := getJSBaseOptions(t).
+		With(integration.ProgramTestOptions{
+			Dir: filepath.Join(getCwd(t), "secretsmanager"),
+      })
+
+	integration.ProgramTest(t, &test)
+}
+
 func TestEc2(t *testing.T) {
 	test := getJSBaseOptions(t).
 		With(integration.ProgramTestOptions{

integration/secretsmanager/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: pulumi-aws-secretsmanager
+runtime: nodejs
+description: secretsmanager integration test

integration/secretsmanager/index.ts

@@ -0,0 +1,84 @@
+import * as aws from '@pulumi/aws';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as rds from 'aws-cdk-lib/aws-rds';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as secrets from 'aws-cdk-lib/aws-secretsmanager';
+import * as pulumicdk from '@pulumi/cdk';
+import { CfnOutput, SecretValue } from 'aws-cdk-lib';
+
+class SecretsManagerStack extends pulumicdk.Stack {
+    constructor(app: pulumicdk.App, id: string, options?: pulumicdk.StackOptions) {
+        super(app, id, options);
+
+        const vpc = new ec2.Vpc(this, 'Vpc', {
+            maxAzs: 2,
+            ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
+            natGateways: 0,
+            subnetConfiguration: [
+                {
+                    name: 'Isolated',
+                    subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+                },
+            ],
+        });
+        new rds.DatabaseInstance(this, 'Instance', {
+            vpc,
+            engine: rds.DatabaseInstanceEngine.mysql({
+                version: rds.MysqlEngineVersion.VER_8_0_37,
+            }),
+            vpcSubnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_ISOLATED }),
+            credentials: rds.Credentials.fromGeneratedSecret('admin'),
+        });
+
+        const role = new iam.Role(this, 'Role', {
+            assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+        });
+        const secret = new secrets.Secret(this, 'Secret', {
+            description: 'A test secret',
+        });
+        secret.grantRead(role);
+
+        const rotationLambda = new lambda.Function(this, 'RotationLambda', {
+            code: lambda.Code.fromInline('exports.handler = async function(event) { return event; }'),
+            handler: 'index.handler',
+            runtime: lambda.Runtime.NODEJS_LATEST,
+        });
+        secret.addRotationSchedule('rotation', {
+            rotationLambda,
+        });
+    }
+}
+
+new pulumicdk.App(
+    'app',
+    (scope: pulumicdk.App) => {
+        new SecretsManagerStack(scope, 'teststack');
+    },
+    {
+        appOptions: {
+            remapCloudControlResource: (logicalId, typeName, props, options) => {
+                if (typeName === 'AWS::SecretsManager::RotationSchedule') {
+                    if (props.HostedRotationLambda) {
+                        throw new Error('Hosted Rotation is not supported');
+                    }
+                    return new aws.secretsmanager.SecretRotation(
+                        logicalId,
+                        {
+                            secretId: props.SecretId,
+                            rotationRules: {
+                                duration: props.RotationRules.Duration,
+                                scheduleExpression: props.RotationRules.ScheduleExpression,
+                                automaticallyAfterDays: props.RotationRules.AutomaticallyAfterDays,
+                            },
+                            rotateImmediately: props.RotateImmediatelyOnUpdate,
+                            rotationLambdaArn: props.RotationLambdaARN,
+                        },
+                        options,
+                    );
+                }
+                return undefined;
+            },
+        },
+    },
+);

integration/secretsmanager/package.json

@@ -0,0 +1,15 @@
+{
+    "name": "pulumi-aws-cdk",
+    "devDependencies": {
+        "@types/node": "^10.0.0"
+    },
+    "dependencies": {
+        "@pulumi/aws": "^6.56.0",
+        "@pulumi/aws-native": "^1.5.0",
+        "@pulumi/cdk": "^0.5.0",
+        "@pulumi/pulumi": "^3.0.0",
+        "aws-cdk-lib": "2.149.0",
+        "constructs": "10.3.0",
+        "esbuild": "^0.24.0"
+    }
+}

integration/secretsmanager/tsconfig.json

@@ -0,0 +1,18 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2019",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "include": [
+        "./*.ts"
+    ]
+}

package.json

@@ -21,16 +21,16 @@
     }
   },
   "resolutions": {
-    "@pulumi/pulumi": "3.121.0", 
+    "@pulumi/pulumi": "3.136.0", 
     "wrap-ansi": "7.0.0",
     "string-width": "4.1.0"
   },
   "devDependencies": {
     "@aws-cdk/aws-apprunner-alpha": "2.20.0-alpha.0",
-    "@pulumi/aws": "^6.32.0",
+    "@pulumi/aws": "^6.56.0",
     "@pulumi/aws-native": "^1.6.0",
     "@pulumi/docker": "^4.5.0",
-    "@pulumi/pulumi": "3.121.0",
+    "@pulumi/pulumi": "3.136.0",
     "@types/archiver": "^6.0.2",
     "@types/fs-extra": "^11.0.4",
     "@types/jest": "^29.5.2",
@@ -50,10 +50,10 @@
     "typescript-eslint": "^7.16.1"
   },
   "peerDependencies": {
-    "@pulumi/aws": "^6.32.0",
-    "@pulumi/aws-native": "^1.0.0",
+    "@pulumi/aws": "^6.56.0",
+    "@pulumi/aws-native": "^1.6.0",
     "@pulumi/docker": "^4.5.0",
-    "@pulumi/pulumi": "^3.117.0",
+    "@pulumi/pulumi": "^3.136.0",
     "aws-cdk-lib": "^2.20.0",
     "constructs": "^10.0.111"
   },