fix: SecretsManagerRotationEnabled is non compliant after cdk v2.116.0 (

#1566) Fixes #1565 Bumped CDK to v2.116.0 to reproduce the problem. Changed some cloud9 tests as well because a parameter became required. Changed `SecretsManagerRotationEnabled` rule to compliant state when either `AutomaticallyAfterDays` or `ScheduleExpression` exists. see: https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-scheduleexpression Existing SecretManager tests are not changed because just updating CDK version is enough to reproduce the error.
cdklabs · Jan 18, 2024 · d557683 · d557683
1 parent f5c8d49
commit d557683
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 25 deletions.
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projenrc.js b/.projenrc.js
@@ -6,7 +6,7 @@ const { awscdk, vscode, Task } = require('projen');
 const project = new awscdk.AwsCdkConstructLibrary({
   author: 'Arun Donti',
   authorAddress: 'donti@amazon.com',
-  cdkVersion: '2.78.0',
+  cdkVersion: '2.116.0',
   defaultReleaseBranch: 'main',
   majorVersion: 2,
   npmDistTag: 'latest',

diff --git a/package.json b/package.json
diff --git a/src/rules/secretsmanager/SecretsManagerRotationEnabled.ts b/src/rules/secretsmanager/SecretsManagerRotationEnabled.ts
@@ -120,7 +120,13 @@ function isMatchingRotationSchedule(
       const automaticallyAfterDays = Stack.of(node).resolve(
         rotationRules.automaticallyAfterDays
       );
-      if (automaticallyAfterDays !== undefined) {
+      const scheduleExpression = Stack.of(node).resolve(
+        rotationRules.scheduleExpression
+      );
+      if (
+        automaticallyAfterDays !== undefined ||
+        scheduleExpression !== undefined
+      ) {
         return true;
       }
     }

diff --git a/test/rules/Cloud9.test.ts b/test/rules/Cloud9.test.ts
@@ -21,6 +21,7 @@ describe('AWS Cloud9', () => {
     const ruleId = 'Cloud9InstanceNoIngressSystemsManager';
     test('Noncompliance ', () => {
       new CfnEnvironmentEC2(stack, 'rC9Env', {
+        imageId: 'ami-123456',
         instanceType: InstanceType.of(
           InstanceClass.T2,
           InstanceSize.MICRO
@@ -31,6 +32,7 @@ describe('AWS Cloud9', () => {
 
     test('Compliance', () => {
       new CfnEnvironmentEC2(stack, 'rC9Env', {
+        imageId: 'ami-123456',
         instanceType: InstanceType.of(
           InstanceClass.T2,
           InstanceSize.MICRO

diff --git a/yarn.lock b/yarn.lock