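def set_secret(service_client, arn, token):
    """Set the secret

    This method should set the AWSPENDING secret in the service that the secret belongs to. For example, if the secret is a database
    credential, this method should take the value of the AWSPENDING secret and set the user's password to this value in the database.

    In this function the "service" is a CloudFront distribution and a regional WAF WebACL: ``update_wafacl`` is called with
    both the AWSPENDING and AWSCURRENT ``HEADERVALUE`` (presumably so requests carrying either value are accepted while the
    change propagates), and ``update_cfdistro`` is then called with the AWSPENDING value only.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version

    Raises:
        ValueError: If the distribution is not in the Deployed state, if no version of the secret carries the
            AWSCURRENT stage, if either secret value lacks the ``HEADERVALUE`` key, or if updating the WAF WebACL /
            CloudFront distribution fails with a ``ClientError``.
    """
    # This is where the secret should be set in the service
    # First check to confirm CloudFront distribution is in Deployed state
    diststatus = get_cfdistro(CFDistroId)
    if 'Deployed' not in diststatus['Distribution']['Status']:
        logger.error("Distribution Id, %s status is not Deployed." % CFDistroId)
        raise ValueError("Distribution Id, %s status is not Deployed." % CFDistroId)

    # Obtain secret value for AWSPENDING
    pending = service_client.get_secret_value(
        SecretId=arn,
        VersionId=token,
        VersionStage="AWSPENDING"
    )

    # Locate the version currently labelled AWSCURRENT. Previously `current` was only bound inside the loop,
    # so a secret with no AWSCURRENT stage raised an unhelpful NameError further down; fail explicitly instead.
    metadata = service_client.describe_secret(SecretId=arn)
    currenttoken = None
    for version, stages in metadata["VersionIdsToStages"].items():
        logger.info("Getting current version %s for %s", version, arn)
        if "AWSCURRENT" in stages:
            currenttoken = version
            break
    if currenttoken is None:
        logger.error("No AWSCURRENT version found for %s", arn)
        raise ValueError("No AWSCURRENT version found for %s" % arn)

    # Obtain secret value for AWSCURRENT
    current = service_client.get_secret_value(
        SecretId=arn,
        VersionId=currenttoken,
        VersionStage="AWSCURRENT"
    )

    pendingsecret = json.loads(pending['SecretString'])
    currentsecret = json.loads(current['SecretString'])

    # Validate the shape of both secrets before touching any resource so a malformed secret fails with a clear
    # message. Only the stage label and ARN are logged; the header value itself is a credential and is never logged.
    for stage, secret in (("AWSPENDING", pendingsecret), ("AWSCURRENT", currentsecret)):
        if 'HEADERVALUE' not in secret:
            logger.error("%s secret for %s is missing the HEADERVALUE key", stage, arn)
            raise ValueError("%s secret for %s is missing the HEADERVALUE key" % (stage, arn))

    # Update CloudFront custom header and regional WAF WebACL rule with AWSPENDING and AWSCURRENT
    try:
        update_wafacl(pendingsecret['HEADERVALUE'], currentsecret['HEADERVALUE'])
        # Sleep for 75 seconds for regional WAF config propagation
        time.sleep(75)
        update_cfdistro(CFDistroId, pendingsecret['HEADERVALUE'])
    except ClientError as e:
        logger.error('Error: {}'.format(e))
        raise ValueError("Failed to update resources CloudFront Distro Id %s , WAF WebACL Id %s " % (CFDistroId, WafAclId))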