AWS Cloud Control v1.27.0, Apr 14 25

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi

aws-native.secretsmanager.RotationSchedule

Explore with Pulumi AI

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi

Create RotationSchedule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new RotationSchedule(name: string, args: RotationScheduleArgs, opts?: CustomResourceOptions);

@overload
def RotationSchedule(resource_name: str,
                     args: RotationScheduleArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def RotationSchedule(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     secret_id: Optional[str] = None,
                     hosted_rotation_lambda: Optional[RotationScheduleHostedRotationLambdaArgs] = None,
                     rotate_immediately_on_update: Optional[bool] = None,
                     rotation_lambda_arn: Optional[str] = None,
                     rotation_rules: Optional[RotationScheduleRotationRulesArgs] = None)

func NewRotationSchedule(ctx *Context, name string, args RotationScheduleArgs, opts ...ResourceOption) (*RotationSchedule, error)

public RotationSchedule(string name, RotationScheduleArgs args, CustomResourceOptions? opts = null)

public RotationSchedule(String name, RotationScheduleArgs args)
public RotationSchedule(String name, RotationScheduleArgs args, CustomResourceOptions options)

type: aws-native:secretsmanager:RotationSchedule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args RotationScheduleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RotationScheduleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RotationScheduleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RotationScheduleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RotationScheduleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

RotationSchedule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The RotationSchedule resource accepts the following input properties:

SecretId string: The ARN or name of the secret to rotate.
HostedRotationLambda Pulumi.AwsNative.SecretsManager.Inputs.RotationScheduleHostedRotationLambda: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
RotateImmediatelyOnUpdate bool: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
RotationLambdaArn string: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
RotationRules Pulumi.AwsNative.SecretsManager.Inputs.RotationScheduleRotationRules: A structure that defines the rotation configuration for this secret.

SecretId string: The ARN or name of the secret to rotate.
HostedRotationLambda RotationScheduleHostedRotationLambdaArgs: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
RotateImmediatelyOnUpdate bool: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
RotationLambdaArn string: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
RotationRules RotationScheduleRotationRulesArgs: A structure that defines the rotation configuration for this secret.

secretId String: The ARN or name of the secret to rotate.
hostedRotationLambda RotationScheduleHostedRotationLambda: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
rotateImmediatelyOnUpdate Boolean: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
rotationLambdaArn String: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
rotationRules RotationScheduleRotationRules: A structure that defines the rotation configuration for this secret.

secretId string: The ARN or name of the secret to rotate.
hostedRotationLambda RotationScheduleHostedRotationLambda: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
rotateImmediatelyOnUpdate boolean: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
rotationLambdaArn string: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
rotationRules RotationScheduleRotationRules: A structure that defines the rotation configuration for this secret.

secret_id str: The ARN or name of the secret to rotate.
hosted_rotation_lambda RotationScheduleHostedRotationLambdaArgs: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
rotate_immediately_on_update bool: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
rotation_lambda_arn str: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
rotation_rules RotationScheduleRotationRulesArgs: A structure that defines the rotation configuration for this secret.

secretId String: The ARN or name of the secret to rotate.
hostedRotationLambda Property Map: Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
rotateImmediatelyOnUpdate Boolean: Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
rotationLambdaArn String: The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
rotationRules Property Map: A structure that defines the rotation configuration for this secret.

Outputs

All input properties are implicitly available as output properties. Additionally, the RotationSchedule resource produces the following output properties:

AwsId string: The ARN of the secret.
Id string: The provider-assigned unique ID for this managed resource.

AwsId string: The ARN of the secret.
Id string: The provider-assigned unique ID for this managed resource.

awsId String: The ARN of the secret.
id String: The provider-assigned unique ID for this managed resource.

awsId string: The ARN of the secret.
id string: The provider-assigned unique ID for this managed resource.

aws_id str: The ARN of the secret.
id str: The provider-assigned unique ID for this managed resource.

awsId String: The ARN of the secret.
id String: The provider-assigned unique ID for this managed resource.

Supporting Types

RotationScheduleHostedRotationLambda
, RotationScheduleHostedRotationLambdaArgs

RotationType string: The type of rotation template to use
ExcludeCharacters string: A string of the characters that you don't want in the password.
KmsKeyArn string: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
MasterSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
MasterSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
RotationLambdaName string: The name of the Lambda rotation function.
Runtime string: The python runtime associated with the Lambda function
SuperuserSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
SuperuserSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
VpcSecurityGroupIds string: A comma-separated list of security group IDs applied to the target database.
VpcSubnetIds string: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

RotationType string: The type of rotation template to use
ExcludeCharacters string: A string of the characters that you don't want in the password.
KmsKeyArn string: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
MasterSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
MasterSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
RotationLambdaName string: The name of the Lambda rotation function.
Runtime string: The python runtime associated with the Lambda function
SuperuserSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
SuperuserSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
VpcSecurityGroupIds string: A comma-separated list of security group IDs applied to the target database.
VpcSubnetIds string: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

rotationType String: The type of rotation template to use
excludeCharacters String: A string of the characters that you don't want in the password.
kmsKeyArn String: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
masterSecretArn String: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
masterSecretKmsKeyArn String: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
rotationLambdaName String: The name of the Lambda rotation function.
runtime String: The python runtime associated with the Lambda function
superuserSecretArn String: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
superuserSecretKmsKeyArn String: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
vpcSecurityGroupIds String: A comma-separated list of security group IDs applied to the target database.
vpcSubnetIds String: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

rotationType string: The type of rotation template to use
excludeCharacters string: A string of the characters that you don't want in the password.
kmsKeyArn string: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
masterSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
masterSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
rotationLambdaName string: The name of the Lambda rotation function.
runtime string: The python runtime associated with the Lambda function
superuserSecretArn string: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
superuserSecretKmsKeyArn string: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
vpcSecurityGroupIds string: A comma-separated list of security group IDs applied to the target database.
vpcSubnetIds string: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

rotation_type str: The type of rotation template to use
exclude_characters str: A string of the characters that you don't want in the password.
kms_key_arn str: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
master_secret_arn str: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
master_secret_kms_key_arn str: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
rotation_lambda_name str: The name of the Lambda rotation function.
runtime str: The python runtime associated with the Lambda function
superuser_secret_arn str: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
superuser_secret_kms_key_arn str: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
vpc_security_group_ids str: A comma-separated list of security group IDs applied to the target database.
vpc_subnet_ids str: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

rotationType String: The type of rotation template to use
excludeCharacters String: A string of the characters that you don't want in the password.
kmsKeyArn String: The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
masterSecretArn String: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
masterSecretKmsKeyArn String: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
rotationLambdaName String: The name of the Lambda rotation function.
runtime String: The python runtime associated with the Lambda function
superuserSecretArn String: The ARN of the secret that contains superuser credentials, if you use the alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
superuserSecretKmsKeyArn String: The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property.
vpcSecurityGroupIds String: A comma-separated list of security group IDs applied to the target database.
vpcSubnetIds String: A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.

RotationScheduleRotationRules
, RotationScheduleRotationRulesArgs

AutomaticallyAfterDays int: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
Duration string: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
ScheduleExpression string: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

AutomaticallyAfterDays int: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
Duration string: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
ScheduleExpression string: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

automaticallyAfterDays Integer: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
duration String: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
scheduleExpression String: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

automaticallyAfterDays number: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
duration string: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
scheduleExpression string: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

automatically_after_days int: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
duration str: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
schedule_expression str: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

automaticallyAfterDays Number: The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.
duration String: The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day.
scheduleExpression String: A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.

Package Details

Repository: AWS Native pulumi/pulumi-aws-native
License: Apache-2.0

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi

pulumi/pulumi-aws-native

aws-native.secretsmanager.RotationSchedule

On this page

On this page

Create RotationSchedule Resource

Constructor syntax

Parameters

RotationSchedule Resource Properties

Inputs

Outputs

Supporting Types

RotationScheduleHostedRotationLambda
, RotationScheduleHostedRotationLambdaArgs

RotationScheduleRotationRules
, RotationScheduleRotationRulesArgs

Package Details

On this page

On this page

aws-native.secretsmanager.RotationSchedule

On this page

On this page

Create RotationSchedule Resource

Constructor syntax

Parameters

RotationSchedule Resource Properties

Inputs

Outputs

Supporting Types

RotationScheduleHostedRotationLambda, RotationScheduleHostedRotationLambdaArgs

RotationScheduleRotationRules, RotationScheduleRotationRulesArgs

Package Details

On this page

On this page

RotationScheduleHostedRotationLambda
, RotationScheduleHostedRotationLambdaArgs

RotationScheduleRotationRules
, RotationScheduleRotationRulesArgs