github.com/square/password-rotation-lambda/v2
Type: module, package
Version: 2.0.7
Repository: https://github.com/square/password-rotation-lambda.git
Documentation: pkg.go.dev

# README

Password Rotation Lambda

password-rotation-lambda is an AWS Lambda function in Go that rotates MySQL passwords using AWS Secrets Manager. It supports Amazon RDS for MySQL and Aurora MySQL.

This package handles the four Secrets Manager rotation steps and database-specific password setting. Your main.go imports this package (which exports itself as rotate for short) and provides AWS sessions/clients and a SecretSetter to decode your secret string.

```go
package main

import (
	"log"

	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/rds"
	"github.com/aws/aws-sdk-go/service/secretsmanager"

	// The v2 module path includes the /v2 suffix; the package name is rotate
	rotate "github.com/square/password-rotation-lambda/v2"
	"github.com/square/password-rotation-lambda/v2/db/mysql"
)

func main() {
	// Start AWS session using env vars automatically set by Lambda
	sess, err := session.NewSession()
	if err != nil {
		log.Fatalf("error making AWS session: %s", err)
	}

	// Make password setter for MySQL (RDS)
	ps := mysql.NewPasswordSetter(mysql.Config{
		RDSClient: rds.New(sess),                   // RDS API client
		DbClient:  mysql.NewRDSClient(true, false), // RDS MySQL client (true=TLS, false=dry run)
	})

	// Make Rotator which is the Lambda function/handler
	r := rotate.NewRotator(rotate.Config{
		SecretsManager: secretsmanager.New(sess),
		PasswordSetter: ps,
	})

	// Run Rotator in Lambda, waiting for events from Secrets Manager
	lambda.Start(r.Handler)
}
```
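The four rotation steps that the Rotator handles can be modelled as a small state machine over Secrets Manager's version staging labels. The following is an added example, not code from this package: `event`, `secret`, `handle` and `errInvalidStep` are hypothetical names, the store and database are simulated in memory, and the staged password is a constructed value rather than a random one.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins, not the package's types; fields follow the rotation event.
type event struct{ Step, SecretId, ClientRequestToken string }
type secret struct {
	labels, values map[string]string // label -> version token; token -> password
	dbPass         string            // password set in the simulated database
}
var errInvalidStep = errors.New("invalid Step") // plays the role of ErrInvalidStep

// handle applies one step; repeating a step for the same token changes nothing more.
func handle(raw []byte, s *secret) error {
	var ev event
	if err := json.Unmarshal(raw, &ev); err != nil || ev.ClientRequestToken == "" {
		return errors.New("not a Secrets Manager rotation event")
	}
	tok := ev.ClientRequestToken
	pw, staged := s.values[tok]
	switch {
	case ev.Step == "createSecret" && !staged: // stage as AWSPENDING (constructed value)
		s.values[tok], s.labels["AWSPENDING"] = "pw-"+tok, tok
	case ev.Step == "createSecret": // retry: keep the password already staged
	case ev.Step != "setSecret" && ev.Step != "testSecret" && ev.Step != "finishSecret":
		return errInvalidStep
	case !staged:
		return errors.New("createSecret has not run for this token")
	case ev.Step == "setSecret": // set the staged password on the database
		s.dbPass = pw
	case ev.Step == "testSecret" && s.dbPass != pw: // must work before promotion
		return errors.New("staged password rejected by database")
	case ev.Step == "finishSecret" && s.labels["AWSCURRENT"] != tok: // promote
		s.labels["AWSPREVIOUS"], s.labels["AWSCURRENT"] = s.labels["AWSCURRENT"], tok
		delete(s.labels, "AWSPENDING")
	}
	return nil
}

func main() {
	s := &secret{map[string]string{"AWSCURRENT": "v1"}, map[string]string{"v1": "old"}, "old"}
	for _, step := range []string{"createSecret", "setSecret", "testSecret", "finishSecret"} {
		raw := fmt.Sprintf(`{"Step":%q,"SecretId":"constructed","ClientRequestToken":"v2"}`, step)
		fmt.Println(step, handle([]byte(raw), s), s.labels)
	}
}
```

Because each step is a no-op when repeated, a retried Lambda invocation cannot stage a second password or demote the promoted version.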

# Functions

InvokedBySecretsManager returns true if the event is from Secrets Manager.
NewRotator creates a new Rotator.

# Constants

password character length for RandomPassword.

# Variables

Debug enables debug output to STDERR.
DebugSecret IS DANGEROUS: it prints secret values to STDERR when Debug is enabled.
DEFAULT_REPLICATION_WAIT is the default duration that password rotation lambda will wait for secret replication to secondary regions to complete.
ErrInvalidStep is returned if the "Step" value in the Secrets Manager event is not one of "createSecret", "setSecret", "testSecret", or "finishSecret".

# Structs

Config represents the user-provided configuration for a Rotator.
Event is an important event during the four-step Secrets Manager rotation process.
NullEventReceiver is the default EventReceiver if none is provided in the Config.
RandomPassword is the default SecretSetter used by Rotator if none is specified in the Config.
Rotator is the AWS Lambda function and handler.

# Interfaces

EventReceiver receives events from a Rotator during the four-step Secrets Manager rotation process.
SecretSetter manages the user-specific secret value.