Guides

SECRETSMANAGER

docs.aws.amazon.com
AWS documentation

BatchGetSecretValue

enum_FilterNameStringType := [ "description", "name", "tag-key", "tag-value", "primary-region", "owning-service", "all" ]

valid {
    input.Body.SecretIdList[_] == STRING
    input.Body.Filters[_].Key == enum_FilterNameStringType[_]
    input.Body.Filters[_].Values[_] == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CancelRotateSecret

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateSecret

valid {
    input.Body.Name == STRING
    input.Body.ClientRequestToken == STRING
    input.Body.Description == STRING
    input.Body.KmsKeyId == STRING
    input.Body.SecretBinary == BLOB
    input.Body.SecretString == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.Body.AddReplicaRegions[_].Region == STRING
    input.Body.AddReplicaRegions[_].KmsKeyId == STRING
    input.Body.ForceOverwriteReplicaSecret == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteResourcePolicy

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteSecret

valid {
    input.Body.SecretId == STRING
    input.Body.RecoveryWindowInDays == LONG
    input.Body.ForceDeleteWithoutRecovery == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeSecret

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetRandomPassword

valid {
    input.Body.PasswordLength == LONG
    input.Body.ExcludeCharacters == STRING
    input.Body.ExcludeNumbers == BOOLEAN
    input.Body.ExcludePunctuation == BOOLEAN
    input.Body.ExcludeUppercase == BOOLEAN
    input.Body.ExcludeLowercase == BOOLEAN
    input.Body.IncludeSpace == BOOLEAN
    input.Body.RequireEachIncludedType == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetResourcePolicy

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetSecretValue

valid {
    input.Body.SecretId == STRING
    input.Body.VersionId == STRING
    input.Body.VersionStage == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListSecretVersionIds

valid {
    input.Body.SecretId == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.IncludeDeprecated == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListSecrets

enum_FilterNameStringType := [ "description", "name", "tag-key", "tag-value", "primary-region", "owning-service", "all" ]
enum_SortOrderType := [ "asc", "desc" ]

valid {
    input.Body.IncludePlannedDeletion == BOOLEAN
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.Filters[_].Key == enum_FilterNameStringType[_]
    input.Body.Filters[_].Values[_] == STRING
    input.Body.SortOrder == enum_SortOrderType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutResourcePolicy

valid {
    input.Body.SecretId == STRING
    input.Body.ResourcePolicy == STRING
    input.Body.BlockPublicPolicy == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutSecretValue

valid {
    input.Body.SecretId == STRING
    input.Body.ClientRequestToken == STRING
    input.Body.SecretBinary == BLOB
    input.Body.SecretString == STRING
    input.Body.VersionStages[_] == STRING
    input.Body.RotationToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RemoveRegionsFromReplication

valid {
    input.Body.SecretId == STRING
    input.Body.RemoveReplicaRegions[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ReplicateSecretToRegions

valid {
    input.Body.SecretId == STRING
    input.Body.AddReplicaRegions[_].Region == STRING
    input.Body.AddReplicaRegions[_].KmsKeyId == STRING
    input.Body.ForceOverwriteReplicaSecret == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RestoreSecret

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RotateSecret

valid {
    input.Body.SecretId == STRING
    input.Body.ClientRequestToken == STRING
    input.Body.RotationLambdaARN == STRING
    input.Body.RotationRules.AutomaticallyAfterDays == LONG
    input.Body.RotationRules.Duration == STRING
    input.Body.RotationRules.ScheduleExpression == STRING
    input.Body.RotateImmediately == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StopReplicationToReplica

valid {
    input.Body.SecretId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

TagResource

valid {
    input.Body.SecretId == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UntagResource

valid {
    input.Body.SecretId == STRING
    input.Body.TagKeys[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateSecret

valid {
    input.Body.SecretId == STRING
    input.Body.ClientRequestToken == STRING
    input.Body.Description == STRING
    input.Body.KmsKeyId == STRING
    input.Body.SecretBinary == BLOB
    input.Body.SecretString == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateSecretVersionStage

valid {
    input.Body.SecretId == STRING
    input.Body.VersionStage == STRING
    input.Body.RemoveFromVersionId == STRING
    input.Body.MoveToVersionId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ValidateResourcePolicy

valid {
    input.Body.SecretId == STRING
    input.Body.ResourcePolicy == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}