feat: refactor / additional flag autoGenerateIamPermissions

- remove CreationType (Single, Multi)
- replace with ResourceType (PARAMETER_MULTI) and move it to properties
   fixes: #1076
- add property 'autoGenerateIamPermissions'
   fixes: #1087
- add property 'role' for SopsSyncProvider
   fixes: #1087
- move resourceType from syncOptions to syncProperties, as it shouldn't be set by users
- move permissionhandling to own functions, to reduce cyclomatic compexity

.gitleaks.toml

@@ -0,0 +1,40 @@
+[extend]
+useDefault = true
+
+[[rules]]
+id = "generic-api-key"
+# all the other attributes from the default rule are inherited
+
+    [[rules.allowlists]]
+    regexTarget = "line"
+    regexes = [ 
+      '''objectKey''',
+      '''S3Key''',
+      '''SopsAgeKey''',
+      '''s3Key''',
+    ]
+
+[[rules]]
+id = "private-key"
+
+    [[rules.allowlists]]
+    regexTarget = "line"
+    regexes = [
+      '''(.*)OAdqlMznWINBDoyR\+PESgQJlUptwnh(.*)''',
+    ]
+
+[allowlist]
+description = "global allow list"
+paths = [
+  '''\.gitleaks\.toml''',
+  '''lambda/events/(.*?)json''',
+  '''lambda/__snapshots__/(.*?)snap''',
+  '''test-secrets/(.*?)(json|yaml|yml|env|binary)''',
+  '''test/(.*)\.integ\.snapshot/(.*?)json'''
+]
+
+regexTarget = "match"
+regexes = [
+  '''AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3''',
+]
+

lambda/events/event_create_s3_parameter_raw_simple.json

@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "PARAMETER",
-    "CreationType": "SINGLE",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

lambda/events/event_create_s3_parameter_yaml_complex.json

@@ -2,8 +2,7 @@
   "RequestType": "Create",
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
-    "ResourceType": "PARAMETER",
-    "CreationType": "MULTI",
+    "ResourceType": "PARAMETER_MULTI",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

lambda/events/event_create_s3_parameter_yaml_complex_custom_keys.json

@@ -2,8 +2,7 @@
   "RequestType": "Create",
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
-    "ResourceType": "PARAMETER",
-    "CreationType": "MULTI",
+    "ResourceType": "PARAMETER_MULTI",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

lambda/main.go

@@ -295,44 +295,41 @@ func (a AWS) syncSopsToSecretsmanager(ctx context.Context, event cfn.Event) (phy
 			returnData["VersionStages"] = updateSecretResp.VersionStages
 			returnData["VersionId"] = *updateSecretResp.VersionId
 			return *updateSecretResp.ARN, returnData, nil
-		} else if resourceProperties.ResourceType == "PARAMETER" {
-			if resourceProperties.CreationType == "MULTI" && resourcePropertiesFlatten {
-				log.Printf("Patching multiple string parameters")
-				v := reflect.ValueOf(finalInterface)
-				returnData := make(map[string]interface{})
-				keys := v.MapKeys()
-				keysOrder := func(i, j int) bool { return keys[i].Interface().(string) < keys[j].Interface().(string) }
-				sort.Slice(keys, keysOrder)
-				for _, key := range keys {
-					strKey := resourceProperties.ParameterKeyPrefix + key.String()
-					log.Printf("Parameter: " + strKey)
-					value := v.MapIndex(key).Interface()
-					strValue, ok := value.(string)
-					if !ok {
-						return tempArn, nil, nil
-					}
-
-					_, err := a.updateSSMParameter(strKey, []byte(strValue), resourceProperties.EncryptionKey)
-					if err != nil {
-						return tempArn, nil, err
-					}
-					// A returnData map for each parameter is not created, because it would limit the number of possible parameters unnecessarily
+		} else if resourceProperties.ResourceType == "PARAMETER_MULTI" {
+			log.Printf("Patching multiple string parameters")
+			v := reflect.ValueOf(finalInterface)
+			returnData := make(map[string]interface{})
+			keys := v.MapKeys()
+			keysOrder := func(i, j int) bool { return keys[i].Interface().(string) < keys[j].Interface().(string) }
+			sort.Slice(keys, keysOrder)
+			for _, key := range keys {
+				strKey := resourceProperties.ParameterKeyPrefix + key.String()
+				log.Printf("Parameter: " + strKey)
+				value := v.MapIndex(key).Interface()
+				strValue, ok := value.(string)
+				if !ok {
+					return tempArn, nil, nil
 				}
-				returnData["Prefix"] = resourceProperties.ParameterKeyPrefix
-				returnData["Count"] = len(keys)
-				return tempArn, returnData, nil
-			} else {
-				log.Printf("Patching single string parameter")
-				response, err := a.updateSSMParameter(resourceProperties.ParameterName, decryptedContent, resourceProperties.EncryptionKey)
+				_, err := a.updateSSMParameter(strKey, []byte(strValue), resourceProperties.EncryptionKey)
 				if err != nil {
 					return tempArn, nil, err
 				}
-				returnData := make(map[string]interface{})
-				returnData["ParameterName"] = resourceProperties.ParameterName
-				returnData["Version"] = response.Version
-				returnData["Tier"] = response.Tier
-				return tempArn, returnData, nil
+				// A returnData map for each parameter is not created, because it would limit the number of possible parameters unnecessarily
 			}
+			returnData["Prefix"] = resourceProperties.ParameterKeyPrefix
+			returnData["Count"] = len(keys)
+			return tempArn, returnData, nil
+		} else if resourceProperties.ResourceType == "PARAMETER" {
+			log.Printf("Patching single string parameter")
+			response, err := a.updateSSMParameter(resourceProperties.ParameterName, decryptedContent, resourceProperties.EncryptionKey)
+			if err != nil {
+				return tempArn, nil, err
+			}
+			returnData := make(map[string]interface{})
+			returnData["ParameterName"] = resourceProperties.ParameterName
+			returnData["Version"] = response.Version
+			returnData["Tier"] = response.Tier
+			return tempArn, returnData, nil
 		} else {
 			// Should never happen ...
 			return tempArn, nil, errors.New("Neither SecretARN nor ParameterName is provided")

src/MultiStringParameter.ts

@@ -5,12 +5,7 @@ import { ResourceEnvironment, Stack } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import * as YAML from 'yaml';
 import { SopsStringParameterProps } from './SopsStringParameter';
-import {
-  CreationType,
-  ResourceType,
-  SopsSync,
-  SopsSyncOptions,
-} from './SopsSync';
+import { ResourceType, SopsSync, SopsSyncOptions } from './SopsSync';
 
 interface JSONObject {
   [key: string]: any;
@@ -83,8 +78,7 @@ export class MultiStringParameter extends Construct {
 
     this.sync = new SopsSync(this, 'SopsSync', {
       encryptionKey: this.encryptionKey,
-      resourceType: ResourceType.PARAMETER,
-      creationType: CreationType.MULTI,
+      resourceType: ResourceType.PARAMETER_MULTI,
       flatten: true,
       flattenSeparator: this.keySeparator,
       parameterKeyPrefix: this.keyPrefix,

src/SopsSecret.ts

@@ -20,12 +20,7 @@ import {
   Stack,
 } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
-import {
-  CreationType,
-  ResourceType,
-  SopsSync,
-  SopsSyncOptions,
-} from './SopsSync';
+import { ResourceType, SopsSync, SopsSyncOptions } from './SopsSync';
 
 /**
  * The configuration options of the SopsSecret
@@ -63,7 +58,6 @@ export class SopsSecret extends Construct implements ISecret {
     this.sync = new SopsSync(this, 'SopsSync', {
       secret: this.secret,
       resourceType: ResourceType.SECRET,
-      creationType: CreationType.SINGLE,
       flattenSeparator: '.',
       ...(props as SopsSyncOptions),
     });

src/SopsStringParameter.ts

@@ -7,7 +7,7 @@ import {
 } from 'aws-cdk-lib/aws-ssm';
 import { RemovalPolicy, ResourceEnvironment, Stack } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
-import { SopsSync, SopsSyncOptions } from './SopsSync';
+import { ResourceType, SopsSync, SopsSyncOptions } from './SopsSync';
 
 /**
  * The configuration options of the StringParameter
@@ -58,7 +58,8 @@ export class SopsStringParameter extends Construct implements IStringParameter {
 
     this.sync = new SopsSync(this, 'SopsSync', {
       encryptionKey: this.parameter.encryptionKey,
-      parameterName: this.parameter.parameterName,
+      parameterNames: [this.parameter.parameterName],
+      resourceType: ResourceType.PARAMETER,
       ...(props as SopsSyncOptions),
     });
   }