Resolving a secret created with the CDK in an L1 Cfn construct

tkw*_*rgs 3 python amazon-web-services aws-cloudformation aws-secrets-manager aws-cdk

How do I resolve an L2 Secret created with Secrets Manager into an L1 Cfn property value?

from aws_cdk import (
    core,
    aws_secretsmanager as secretsmanager,
    aws_elasticache as elasticache
)
class MyStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        redis_password = secretsmanager.Secret(
            self, "RedisPassword",
            description="Redis auth",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                exclude_characters='/"@'
            )
        )
        self.redis = elasticache.CfnReplicationGroup(self, 'RedisCluster',
            auth_token=redis_password.secret_value,
            # other properties
        )

This gives the error

jsii.errors.JSIIError: Object of type @aws-cdk/aws-secretsmanager.Secret is not convertible to @aws-cdk/core.CfnElement

When resolving the secret in CloudFormation I would use something like


But the L2 Secret doesn't output a Cfn Ref the way an L1 construct does (as far as I can tell).

What am I missing?

tkw*_*rgs 5

I was only missing the to_string() method

from aws_cdk import (
    core,
    aws_secretsmanager as secretsmanager,
    aws_elasticache as elasticache
)
class MyStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        redis_password = secretsmanager.Secret(
            self, "RedisPassword",
            description="Redis auth",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                exclude_characters='/"@'
            )
        )
        self.redis = elasticache.CfnReplicationGroup(self, 'RedisCluster',
            auth_token=redis_password.secret_value.to_string(),
            # other properties
        )

This synthesizes to

{
  "RedisPasswordED621C10": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "Redis auth",
      "GenerateSecretString": {
        "ExcludeCharacters": "/\"@"
      }
    },
    "Metadata": {
      "aws:cdk:path": "my-cdk-stack/RedisPassword/Resource"
    }
  },
  "RedisCluster": {
    "Type": "AWS::ElastiCache::ReplicationGroup",
    "Properties": {
      "ReplicationGroupDescription": "RedisGroup",
      "AtRestEncryptionEnabled": true,
      "AuthToken": {
        "Fn::Join": [
          "",
          [
            "{{resolve:secretsmanager:",
            {
              "Ref": "RedisPasswordED621C10"
            },
            ":SecretString:::}}"
          ]
        ]
      },
      "OtherProps": "..."
    }
  }
}
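The point of `secret_value.to_string()` above is that the synthesized template carries a `{{resolve:secretsmanager:...}}` dynamic reference, which CloudFormation resolves at deploy time, instead of the secret's plaintext. The following added check (my own code, not part of the answer or of the CDK) scans a synthesized template for secret-bearing properties that are literal strings rather than dynamic references; the sample template, the `SECRET_PROPS` list and the `LegacyCluster` resource are constructed for illustration.

```python
"""Flag secret-like properties in a synthesized CloudFormation template
that are literal values instead of Secrets Manager dynamic references."""
import json
import re

# Constructed sample in the shape `cdk synth` produced in the answer above,
# plus a second resource whose AuthToken is a plaintext literal (bad).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "RedisPasswordED621C10": {"Type": "AWS::SecretsManager::Secret",
                                  "Properties": {"Description": "Redis auth"}},
        "RedisCluster": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "AuthToken": {"Fn::Join": ["", [
                    "{{resolve:secretsmanager:",
                    {"Ref": "RedisPasswordED621C10"},
                    ":SecretString:::}}"]]},
            },
        },
        "LegacyCluster": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {"AuthToken": "constructed-plaintext-token"},
        },
    }
})

# Assumed list of property names that should never hold a literal secret.
SECRET_PROPS = {"AuthToken", "MasterUserPassword", "Password"}
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")

def flatten(value):
    """Render a property value to one string: Fn::Join parts are joined and a
    Ref becomes a <LogicalId> placeholder, so the prefix can be inspected."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Fn::Join" in value:
            delim, parts = value["Fn::Join"]
            return delim.join(flatten(p) for p in parts)
        if "Ref" in value:
            return "<" + value["Ref"] + ">"
    return json.dumps(value)

def find_plaintext_secrets(template_json):
    """Return (logical_id, property) pairs whose value is not a dynamic reference."""
    findings = []
    for logical_id, res in json.loads(template_json)["Resources"].items():
        for prop, value in res.get("Properties", {}).items():
            if prop in SECRET_PROPS and not DYNAMIC_REF.match(flatten(value)):
                findings.append((logical_id, prop))
    return findings
```

Run it against `cdk.out/<stack>.template.json` in a pre-deploy step; an empty result means every secret-bearing property will be resolved by CloudFormation at deploy time.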