
feat: support GenerateSecretString and Description for AWS::SecretsManager::Secret in CloudFormation #176

Open
yoyo-real wants to merge 3 commits into hectorvent:main from yoyo-real:feat/cfn-secretsmanager-generate-secret-string

Conversation

Contributor

@yoyo-real yoyo-real commented Apr 2, 2026

Summary

Add GenerateSecretString and Description support to AWS::SecretsManager::Secret in the CloudFormation provisioner.

Previously, provisionSecret() only read Name and SecretString. This PR enables:

  • GenerateSecretString: random password generation using the same logic as secretsmanager.GetRandomPassword
  • SecretStringTemplate + GenerateStringKey: embed the generated password into a JSON template (e.g. {"username":"admin","password":"<generated>"})
  • Description: pass-through to SecretsManagerService.createSecret()
  • Mutual exclusivity validation: reject templates that specify both SecretString and GenerateSecretString with ValidationError (400), matching real AWS CloudFormation behavior

Also extracts password generation into a reusable RandomPasswordGenerator utility and refactors SecretsManagerJsonHandler.handleGetRandomPassword to delegate to it, eliminating code duplication.

Closes #170

Type of change

  • Bug fix (fix:)
  • New feature (feat:)
  • Breaking change (feat!: or fix!:)
  • Docs / chore

AWS Compatibility

add floci-compatibility-tests

Checklist

  • ./mvnw test passes locally
  • New or updated integration test added
  • Commit messages follow Conventional Commits
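As an added example (not floci's own code), the Python below models the property handling this PR describes: the SecretString/GenerateSecretString mutual-exclusivity check, password generation honouring a subset of the GenerateSecretString fields that the AWS GetRandomPassword API defines (PasswordLength, ExcludeCharacters, ExcludePunctuation, RequireEachIncludedType), and embedding the result under GenerateStringKey in SecretStringTemplate. The `ValidationError` class stands in for the project's AwsException(ValidationError, 400), and `string.punctuation` is assumed to match the punctuation set AWS documents.

```python
import json
import secrets
import string

# Constructed model of the property handling this PR describes; not floci's code.
class ValidationError(ValueError):
    """Stands in for floci's AwsException(ValidationError, 400)."""

def generate_password(spec, rng=None):
    """Build a password from a GenerateSecretString block (subset of its fields)."""
    rng = rng or secrets.SystemRandom()  # CSPRNG; a seeded Random can be injected for tests
    length = int(spec.get("PasswordLength", 32))
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    if not spec.get("ExcludePunctuation", False):
        pools.append(string.punctuation)  # assumed to match the set AWS documents
    excluded = set(spec.get("ExcludeCharacters", ""))
    pools = [p for p in ("".join(c for c in p if c not in excluded) for p in pools) if p]
    require = spec.get("RequireEachIncludedType", True)
    if not pools or (require and length < len(pools)):
        raise ValidationError("PasswordLength too short for the remaining character types")
    # RequireEachIncludedType: guarantee one character from every remaining pool
    chars = [rng.choice(p) for p in pools] if require else []
    alphabet = "".join(pools)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)

def resolve_secret_string(props, rng=None):
    """Return the SecretString to store for one AWS::SecretsManager::Secret resource."""
    gen = props.get("GenerateSecretString")
    if "SecretString" in props and gen is not None:
        # Real CloudFormation rejects this combination instead of picking one.
        raise ValidationError("SecretString and GenerateSecretString are mutually exclusive")
    if "SecretString" in props:
        return props["SecretString"]
    if gen is None:
        return None  # neither given: the secret is created without a value
    password = generate_password(gen, rng)
    template = gen.get("SecretStringTemplate")
    key = gen.get("GenerateStringKey")
    if template is None and key is None:
        return password  # plain password secret
    if template is None or key is None:
        raise ValidationError("SecretStringTemplate and GenerateStringKey must be used together")
    doc = json.loads(template)
    if not isinstance(doc, dict):
        raise ValidationError("SecretStringTemplate must be a JSON object")
    doc[key] = password
    return json.dumps(doc)
```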

…nager::Secret in CloudFormation

- Extract password generation logic into RandomPasswordGenerator utility
- Refactor SecretsManagerJsonHandler to delegate to RandomPasswordGenerator
- Update CloudFormationResourceProvisioner.provisionSecret() to handle:
  - GenerateSecretString (plain password and SecretStringTemplate+GenerateStringKey)
  - Description property
- Add 19 unit tests for RandomPasswordGenerator
- Add 9 CloudFormation integration tests for Secrets Manager scenarios

AWS CloudFormation rejects templates that specify both SecretString
and GenerateSecretString on AWS::SecretsManager::Secret. Throw
AwsException(ValidationError, 400) instead of silently preferring
SecretString. Update integration test to verify CREATE_FAILED.

…er-generate-secret-string

# Conflicts:
#	src/test/java/io/github/hectorvent/floci/services/cloudformation/CloudFormationIntegrationTest.java

Development

Successfully merging this pull request may close these issues.

[FEAT] CloudFormation AWS::SecretsManager::Secret support GenerateSecretString and Description

2 participants