
Commit ad46717

committed
(ELI-597) fixing escaping error
1 parent 4058ca7 commit ad46717

1 file changed

Lines changed: 93 additions & 23 deletions

@@ -1,4 +1,5 @@
11
resource "aws_sfn_state_machine" "rotation_machine" {
2+
#checkov:skip=CKV_AWS_284: No x-ray needed for this resource
23
name = "SecretRotationWorkflow"
34
role_arn = aws_iam_role.rotation_sfn_role.arn
45

@@ -11,45 +12,42 @@ resource "aws_sfn_state_machine" "rotation_machine" {
1112
definition = jsonencode({
1213
Comment = "Secret Rotation: Create -> Manual Pause -> Promote -> Manual Pause",
1314
StartAt = "CreatePendingVersion",
14-
States = {
15-
CreatePendingVersion = {
15+
States = {
16+
"CreatePendingVersion" : {
1617
Type = "Task",
1718
Resource = aws_lambda_function.create_secret_lambda.arn,
1819
Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
1920
Next = "WaitFor_AddNewHashes"
2021
},
21-
22-
WaitFor_AddNewHashes = {
22+
"WaitFor_AddNewHashes" : {
2323
Type = "Task",
2424
Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
2525
TimeoutSeconds = 86400,
2626
Parameters = {
27-
Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
28-
TopicArn = aws_sns_topic.secret_rotation.arn,
29-
"Message.$" = "States.Format('======================================================\nAction required: AWSPENDING secret created (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Add New Hashes (elid_add_new_salt)\" job.\n2. Ensure the new hashes are working as expected.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
27+
Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
28+
TopicArn = aws_sns_topic.secret_rotation.arn,
29+
"Message.$" = local.add_jobs_message
3030
},
3131
Catch = [
3232
{ ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
3333
{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }
3434
],
3535
Next = "PromoteToCurrent"
3636
},
37-
38-
PromoteToCurrent = {
37+
"PromoteToCurrent" : {
3938
Type = "Task",
4039
Resource = aws_lambda_function.promote_secret_lambda.arn,
4140
Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
4241
Next = "WaitFor_DelOldHashes"
4342
},
44-
45-
WaitFor_DelOldHashes = {
43+
"WaitFor_DelOldHashes" : {
4644
Type = "Task",
4745
Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
4846
TimeoutSeconds = 86400,
4947
Parameters = {
50-
Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
51-
TopicArn = aws_sns_topic.secret_rotation.arn,
52-
"Message.$" = "States.Format('======================================================\nAction required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Delete Old Hashes (elid_delete_old_salt)\" job.\n2. Ensure the old hashes have been removed successfully.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
48+
Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
49+
TopicArn = aws_sns_topic.secret_rotation.arn,
50+
"Message.$" = local.delete_jobs_message
5351
},
5452
Catch = [
5553
{ ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
@@ -58,24 +56,23 @@ resource "aws_sfn_state_machine" "rotation_machine" {
5856
End = true
5957
},
6058

61-
NotifyTimeout = {
59+
"NotifyTimeout" : {
6260
Type = "Task",
6361
Resource = "arn:aws:states:::sns:publish",
6462
Parameters = {
65-
TopicArn = aws_sns_topic.secret_rotation.arn,
66-
Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
67-
Message = local.timeout_message
63+
TopicArn = aws_sns_topic.secret_rotation.arn,
64+
Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
65+
"Message.$" = local.timeout_message
6866
},
6967
Next = "Fail_Timeout"
7068
},
7169

72-
Fail_Timeout = {
70+
"Fail_Timeout" : {
7371
Type = "Fail",
7472
Error = "ManualActionTimedOut",
7573
Cause = "User did not respond within 24 hours."
7674
},
77-
78-
NotifyFailure = {
75+
"NotifyFailure" : {
7976
Type = "Task",
8077
Resource = "arn:aws:states:::sns:publish",
8178
Parameters = {
@@ -85,15 +82,58 @@ resource "aws_sfn_state_machine" "rotation_machine" {
8582
},
8683
Next = "Fail_Generic"
8784
},
88-
89-
Fail_Generic = {
85+
"Fail_Generic" : {
9086
Type = "Fail"
9187
}
9288
}
9389
})
9490
}
9591

9692
locals {
93+
add_jobs_message = <<EOT
94+
States.Format('
95+
======================================================
96+
Action required: AWSPENDING secret created (Environment: ${var.environment})
97+
======================================================
98+
99+
A manual action is required to proceed.
100+
101+
CONTEXT:
102+
Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
103+
104+
INSTRUCTIONS:
105+
1. Run the "Add New Hashes (elid_add_new_salt)" job.
106+
2. Ensure the new hashes are working as expected.
107+
3. Run the command below to approve and resume the workflow:
108+
109+
aws stepfunctions send-task-success --task-token {} --task-output {}
110+
111+
======================================================
112+
', $$.Task.Token, '{}')
113+
EOT
114+
115+
delete_jobs_message = <<EOT
116+
States.Format('
117+
======================================================
118+
Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})
119+
======================================================
120+
121+
A manual action is required to proceed.
122+
123+
CONTEXT:
124+
Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
125+
126+
INSTRUCTIONS:
127+
1. Run the "Delete Old Hashes (elid_delete_old_salt)" job.
128+
2. Ensure the old hashes have been removed successfully.
129+
3. Run the command below to approve and resume the workflow:
130+
131+
aws stepfunctions send-task-success --task-token {} --task-output {}
132+
133+
======================================================
134+
', $$.Task.Token, '{}')
135+
EOT
136+
97137
failure_message = <<EOT
98138
States.Format('
99139
======================================================
@@ -108,18 +148,48 @@ Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
108148
ERROR DETAILS:
109149
{}
110150
151+
------------------------------------------------------
152+
HOW TO FIX: "Pending Version Exists" Error
153+
------------------------------------------------------
154+
If the error above indicates a pending version already exists,
155+
you must clean it up manually.
156+
157+
1. Find the Version ID of the pending secret:
158+
aws secretsmanager list-secret-version-ids --secret-id ${module.secrets_manager.aws_hashing_secret_name}
159+
160+
2. Remove the AWSPENDING label:
161+
aws secretsmanager update-secret-version-stage --secret-id ${module.secrets_manager.aws_hashing_secret_name} --version-stage AWSPENDING --remove-from-version-id <OLD_PENDING_VERSION_ID>
162+
111163
======================================================
112164
', $.Cause)
113165
EOT
114166

115167
timeout_message = <<EOT
168+
States.Format('
116169
======================================================
117170
Warning: Rotation timed out (Environment: ${var.environment})
118171
======================================================
119172
120173
The manual verification step was not completed within the 24-hour limit.
174+
The rotation workflow has been stopped.
121175
176+
CONTEXT:
122177
Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
178+
179+
IMPACT:
180+
No immediate impact. Your applications are still using the current secret.
181+
However, a "Pending" version may have been left behind.
182+
183+
ACTION REQUIRED:
184+
Before the next rotation run, you must remove the pending version:
185+
186+
1. Find the Version ID:
187+
aws secretsmanager list-secret-version-ids --secret-id ${module.secrets_manager.aws_hashing_secret_name}
188+
189+
2. Remove the AWSPENDING label:
190+
aws secretsmanager update-secret-version-stage --secret-id ${module.secrets_manager.aws_hashing_secret_name} --version-stage AWSPENDING --remove-from-version-id <OLD_PENDING_VERSION_ID>
191+
123192
======================================================
193+
')
124194
EOT
125195
}
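Review bot: The `add_jobs_message` and `delete_jobs_message` heredocs in `locals` publish `$$.Task.Token` verbatim to `aws_sns_topic.secret_rotation`, so every subscriber of that topic (and anything that logs its deliveries) receives the value that, combined with `states:SendTaskSuccess` permission, lets a caller resume the rotation past the manual verification gate without performing it; this is inherited from the old inline strings, but the move to `locals` is the place to document it. I would add above `add_jobs_message = <<EOT` a comment such as `# NOTE: these messages carry the Step Functions task token, which authorizes SendTaskSuccess for this execution; keep subscriptions on aws_sns_topic.secret_rotation restricted to the approvers.` The `failure_message` similarly forwards `$.Cause` (the Lambda's error output) to the same topic, so it is worth confirming that `create_secret_lambda` and `promote_secret_lambda` never include secret values in their error payloads. A smaller robustness point: because each local is consumed through `"Message.$"` as a `States.Format` intrinsic, any literal `{`, `}`, `'` or `\` added to these texts later must be backslash-escaped, and the bare `{}` after `--task-output` only survives because it is filled by the trailing `'{}'` argument; a one-line comment noting this on each heredoc would prevent a repeat of the escaping error this commit fixes.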
