1// Code generated by smithy-go-codegen DO NOT EDIT.
2
3package secretsmanager
4
5import (
6	"context"
7	"fmt"
8	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
9	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
10	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
11	"github.com/aws/smithy-go/middleware"
12	smithyhttp "github.com/aws/smithy-go/transport/http"
13)
14
// RotateSecret configures and starts the asynchronous process of rotating this
// secret. If you include the configuration parameters, the operation sets those
// values for the secret and then immediately starts a rotation. If you do not
// include the configuration parameters, the operation starts a rotation with the
// values already stored in the secret. After the rotation completes, the
// protected service and its clients all use the new version of the secret.
//
// The required configuration information includes the ARN of an AWS Lambda
// function and the time between scheduled rotations. The Lambda rotation
// function creates a new version of the secret and creates or updates the
// credentials on the protected service to match. After testing the new
// credentials, the function marks the new secret with the staging label
// AWSCURRENT so that your clients all immediately begin to use the new version.
// For more information about rotating secrets and how to configure a Lambda
// function to rotate the secrets for your protected service, see Rotating
// Secrets in AWS Secrets Manager
// (https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)
// in the AWS Secrets Manager User Guide.
//
// Secrets Manager schedules the next rotation when the previous one completes.
// It schedules the date by adding the rotation interval (number of days) to the
// actual date of the last rotation. The service chooses the hour within that
// 24-hour date window randomly. The minute is also chosen somewhat randomly, but
// weighted towards the top of the hour and influenced by a variety of factors
// that help distribute load.
//
// The rotation function must end with the versions of the secret in one of two
// states:
//
//   - The AWSPENDING and AWSCURRENT staging labels are attached to the same
//     version of the secret, or
//
//   - The AWSPENDING staging label is not attached to any version of the secret.
//
// If the AWSPENDING staging label is present but not attached to the same
// version as AWSCURRENT, then any later invocation of RotateSecret assumes that
// a previous rotation request is still in progress and returns an error.
//
// Minimum permissions: to run this command, you must have the following
// permissions:
//
//   - secretsmanager:RotateSecret
//
//   - lambda:InvokeFunction (on the function specified in the secret's metadata)
//
// Related operations:
//
//   - To list the secrets in your account, use ListSecrets.
//
//   - To get the details for a version of a secret, use DescribeSecret.
//
//   - To create a new version of a secret, use CreateSecret.
//
//   - To attach staging labels to or remove staging labels from a version of a
//     secret, use UpdateSecretVersionStage.
//
// A nil params is treated as an empty RotateSecretInput; the operation's
// validation middleware is then expected to reject the missing SecretId before
// any request is sent. On success the returned output carries the operation
// metadata in ResultMetadata; on failure the error from the middleware stack is
// returned unwrapped and the output is nil.
func (c *Client) RotateSecret(ctx context.Context, params *RotateSecretInput, optFns ...func(*Options)) (*RotateSecretOutput, error) {
	in := params
	if in == nil {
		in = &RotateSecretInput{}
	}

	res, md, err := c.invokeOperation(ctx, "RotateSecret", in, optFns, addOperationRotateSecretMiddlewares)
	if err != nil {
		return nil, err
	}

	// invokeOperation returns the deserialized output as an interface value;
	// the deserializer for this operation produces *RotateSecretOutput.
	output := res.(*RotateSecretOutput)
	output.ResultMetadata = md
	return output, nil
}
83
// RotateSecretInput is the request payload for Client.RotateSecret.
type RotateSecretInput struct {

	// Specifies the secret that you want to rotate. You can specify either the Amazon
	// Resource Name (ARN) or the friendly name of the secret. If you specify an ARN,
	// we generally recommend that you specify a complete ARN. You can specify a
	// partial ARN too—for example, if you don’t include the final hyphen and six
	// random characters that Secrets Manager adds at the end of the ARN when you
	// created the secret. A partial ARN match can work as long as it uniquely matches
	// only one secret. However, if your secret has a name that ends in a hyphen
	// followed by six characters (before Secrets Manager adds the hyphen and six
	// characters to the ARN) and you try to use that as a partial ARN, then those
	// characters cause Secrets Manager to assume that you’re specifying a complete
	// ARN. This confusion can cause unexpected results. To avoid this situation, we
	// recommend that you don’t create secret names ending with a hyphen followed by
	// six characters. If you specify an incomplete ARN without the random suffix, and
	// instead provide the 'friendly name', you must not include the random suffix. If
	// you do include the random suffix added by Secrets Manager, you receive either a
	// ResourceNotFoundException or an AccessDeniedException error, depending on your
	// permissions.
	//
	// This member is required.
	SecretId *string

	// (Optional) Specifies a unique identifier for the new version of the secret that
	// helps ensure idempotency. If you use the AWS CLI or one of the AWS SDK to call
	// this operation, then you can leave this parameter empty. The CLI or SDK
	// generates a random UUID for you and includes that in the request for this
	// parameter. If you don't use the SDK and instead generate a raw HTTP request to
	// the Secrets Manager service endpoint, then you must generate a
	// ClientRequestToken yourself for new versions and include that value in the
	// request. You only need to specify your own value if you implement your own retry
	// logic and want to ensure that a given secret is not created twice. We recommend
	// that you generate a UUID-type
	// (https://wikipedia.org/wiki/Universally_unique_identifier) value to ensure
	// uniqueness within the specified secret. Secrets Manager uses this value to
	// prevent the accidental creation of duplicate versions if there are failures and
	// retries during the function's processing. This value becomes the VersionId of
	// the new version.
	//
	// In this SDK, when the field is nil at call time the idempotency-token
	// middleware registered for this operation fills it in from the
	// Options.IdempotencyTokenProvider, mutating this struct in place.
	ClientRequestToken *string

	// (Optional) Specifies the ARN of the Lambda function that can rotate the secret.
	RotationLambdaARN *string

	// A structure that defines the rotation configuration for this secret.
	RotationRules *types.RotationRulesType
}
130
// RotateSecretOutput is the response returned by Client.RotateSecret.
type RotateSecretOutput struct {

	// The ARN of the secret.
	ARN *string

	// The friendly name of the secret.
	Name *string

	// The ID of the new version of the secret created by the rotation started by this
	// request. Per the RotateSecretInput.ClientRequestToken documentation, this is
	// the token that was sent with the request.
	VersionId *string

	// Metadata pertaining to the operation's result. Populated by RotateSecret
	// after a successful invocation.
	ResultMetadata middleware.Metadata
}
146
// addOperationRotateSecretMiddlewares registers every middleware the
// RotateSecret operation needs on stack. Registration happens in the order
// listed below and stops at the first error, which is returned unwrapped; on
// success it returns nil. options supplies the logger, endpoint, retry, signer,
// idempotency-token and region settings that the individual helpers read.
func addOperationRotateSecretMiddlewares(stack *middleware.Stack, options Options) (err error) {
	// Each registration is wrapped in a closure so the order is explicit in one
	// place and the loop below is the only error-handling site.
	steps := []func() error{
		// wire protocol: request serializer and response deserializer (AWS JSON
		// 1.1, going by the helper names)
		func() error { return stack.Serialize.Add(&awsAwsjson11_serializeOpRotateSecret{}, middleware.After) },
		func() error { return stack.Deserialize.Add(&awsAwsjson11_deserializeOpRotateSecret{}, middleware.After) },
		func() error { return addSetLoggerMiddleware(stack, options) },
		func() error { return awsmiddleware.AddClientRequestIDMiddleware(stack) },
		func() error { return smithyhttp.AddComputeContentLengthMiddleware(stack) },
		func() error { return addResolveEndpointMiddleware(stack, options) },
		// request integrity and authentication: the payload SHA-256 middleware is
		// registered before the SigV4 signer (original order kept; presumably the
		// signer consumes the computed hash)
		func() error { return v4.AddComputePayloadSHA256Middleware(stack) },
		func() error { return addRetryMiddlewares(stack, options) },
		func() error { return addHTTPSignerV4Middleware(stack, options) },
		func() error { return awsmiddleware.AddRawResponseToMetadata(stack) },
		func() error { return awsmiddleware.AddRecordResponseTiming(stack) },
		func() error { return addClientUserAgent(stack) },
		// response bodies are closed on both the error and the success path
		func() error { return smithyhttp.AddErrorCloseResponseBodyMiddleware(stack) },
		func() error { return smithyhttp.AddCloseResponseBodyMiddleware(stack) },
		// auto-fill ClientRequestToken, validate the input, then tag the request
		// with service metadata for the configured region
		func() error { return addIdempotencyToken_opRotateSecretMiddleware(stack, options) },
		func() error { return addOpRotateSecretValidationMiddleware(stack) },
		func() error {
			return stack.Initialize.Add(newServiceMetadataMiddleware_opRotateSecret(options.Region), middleware.Before)
		},
		func() error { return addRequestIDRetrieverMiddleware(stack) },
		func() error { return addResponseErrorMiddleware(stack) },
		func() error { return addRequestResponseLogging(stack, options) },
	}

	for _, register := range steps {
		if registerErr := register(); registerErr != nil {
			return registerErr
		}
	}
	return nil
}
212
// idempotencyToken_initializeOpRotateSecret is the Initialize-step middleware
// that auto-fills RotateSecretInput.ClientRequestToken.
type idempotencyToken_initializeOpRotateSecret struct {
	// tokenProvider generates the token; a nil provider turns the middleware
	// into a pass-through (see HandleInitialize).
	tokenProvider IdempotencyTokenProvider
}
216
// ID returns the identifier under which this middleware is registered in the
// Initialize step.
func (*idempotencyToken_initializeOpRotateSecret) ID() string {
	const middlewareID = "OperationIdempotencyTokenAutoFill"
	return middlewareID
}
220
// HandleInitialize fills in ClientRequestToken when the caller left it nil.
//
// With no token provider configured the middleware is a pass-through. Otherwise
// it requires in.Parameters to be a *RotateSecretInput (anything else is an
// error) and, only when ClientRequestToken is nil, asks the provider for a token
// and stores it on that input before calling next. Note that this mutates the
// *RotateSecretInput carried in in.Parameters in place. A provider error is
// returned as-is together with the zero-valued out and metadata.
func (m *idempotencyToken_initializeOpRotateSecret) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
	out middleware.InitializeOutput, metadata middleware.Metadata, err error,
) {
	if m.tokenProvider == nil {
		return next.HandleInitialize(ctx, in)
	}

	input, isRotateInput := in.Parameters.(*RotateSecretInput)
	if !isRotateInput {
		return out, metadata, fmt.Errorf("expected middleware input to be of type *RotateSecretInput ")
	}

	// A caller-supplied token always wins; only a nil field is auto-filled.
	if input.ClientRequestToken != nil {
		return next.HandleInitialize(ctx, in)
	}

	token, genErr := m.tokenProvider.GetIdempotencyToken()
	if genErr != nil {
		return out, metadata, genErr
	}
	input.ClientRequestToken = &token
	return next.HandleInitialize(ctx, in)
}
// addIdempotencyToken_opRotateSecretMiddleware registers the
// ClientRequestToken auto-fill middleware at the front of the Initialize step,
// wired to the provider configured in cfg.IdempotencyTokenProvider. It returns
// whatever error the stack reports for the registration.
func addIdempotencyToken_opRotateSecretMiddleware(stack *middleware.Stack, cfg Options) error {
	mw := &idempotencyToken_initializeOpRotateSecret{
		tokenProvider: cfg.IdempotencyTokenProvider,
	}
	return stack.Initialize.Add(mw, middleware.Before)
}
245
// newServiceMetadataMiddleware_opRotateSecret builds the middleware that tags
// the request with the service metadata for this operation: the given region,
// the package-level ServiceID, the "secretsmanager" signing name and the
// operation name "RotateSecret".
func newServiceMetadataMiddleware_opRotateSecret(region string) *awsmiddleware.RegisterServiceMetadata {
	md := awsmiddleware.RegisterServiceMetadata{
		OperationName: "RotateSecret",
		SigningName:   "secretsmanager",
		ServiceID:     ServiceID,
	}
	md.Region = region
	return &md
}
254