chore(release): 1.106.1 (#14881)

See CHANGELOG ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 26, 2021 · c832c1b · c832c1b
2 parents fe32f1c + a94af94
commit c832c1b
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 102 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.106.1](https://github.com/aws/aws-cdk/compare/v1.106.0...v1.106.1) (2021-05-26)
+
+
+### Bug Fixes
+
+* **secretsmanager**: revert "Automatically grant permissions to rotation Lambda ([#14471](https://github.com/aws/aws-cdk/issues/14471))",
+  fixes [#14868](https://github.com/aws/aws-cdk/issues/14868)
+
 ## [1.106.0](https://github.com/aws/aws-cdk/compare/v1.105.0...v1.106.0) (2021-05-25)
 
 

diff --git a/packages/@aws-cdk/aws-secretsmanager/README.md b/packages/@aws-cdk/aws-secretsmanager/README.md
@@ -87,8 +87,6 @@ secret.addRotationSchedule('RotationSchedule', {
 });
 ```
 
-Note: The required permissions for Lambda to call SecretsManager and the other way round are automatically granted based on [AWS Documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html) as long as the Lambda is not imported.
-
 See [Overview of the Lambda Rotation Function](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html) on how to implement a Lambda Rotation Function.
 
 ### Using a Hosted Lambda Function

diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts b/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts
@@ -1,5 +1,4 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
-import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { Duration, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
@@ -71,35 +70,6 @@ export class RotationSchedule extends Resource {
       throw new Error('One of `rotationLambda` or `hostedRotation` must be specified.');
     }
 
-    if (props.rotationLambda?.permissionsNode.defaultChild) {
-      props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
-
-      props.rotationLambda.addToRolePolicy(
-        new iam.PolicyStatement({
-          actions: [
-            'secretsmanager:DescribeSecret',
-            'secretsmanager:GetSecretValue',
-            'secretsmanager:PutSecretValue',
-            'secretsmanager:UpdateSecretVersionStage',
-          ],
-          resources: [props.secret.secretArn],
-          conditions: {
-            StringEquals: {
-              'secretsmanager:resource/AllowRotationLambdaArn': props.rotationLambda.functionArn,
-            },
-          },
-        }),
-      );
-      props.rotationLambda.addToRolePolicy(
-        new iam.PolicyStatement({
-          actions: [
-            'secretsmanager:GetRandomPassword',
-          ],
-          resources: ['*'],
-        }),
-      );
-    }
-
     new CfnRotationSchedule(this, 'Resource', {
       secretId: props.secret.secretArn,
       rotationLambdaArn: props.rotationLambda?.functionArn,

diff --git a/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts
@@ -41,75 +41,6 @@ test('create a rotation schedule with a rotation Lambda', () => {
   });
 });
 
-test('assign permissions for rotation schedule with a rotation Lambda', () => {
-  // GIVEN
-  const secret = new secretsmanager.Secret(stack, 'Secret');
-  const rotationLambda = new lambda.Function(stack, 'Lambda', {
-    runtime: lambda.Runtime.NODEJS_10_X,
-    code: lambda.Code.fromInline('export.handler = event => event;'),
-    handler: 'index.handler',
-  });
-
-  // WHEN
-  new secretsmanager.RotationSchedule(stack, 'RotationSchedule', {
-    secret,
-    rotationLambda,
-  });
-
-  // THEN
-  expect(stack).toHaveResource('AWS::Lambda::Permission', {
-    Action: 'lambda:InvokeFunction',
-    FunctionName: {
-      'Fn::GetAtt': [
-        'LambdaD247545B',
-        'Arn',
-      ],
-    },
-    Principal: 'secretsmanager.amazonaws.com',
-  });
-
-  expect(stack).toHaveResource('AWS::IAM::Policy', {
-    PolicyDocument: {
-      Statement: [
-        {
-          Action: [
-            'secretsmanager:DescribeSecret',
-            'secretsmanager:GetSecretValue',
-            'secretsmanager:PutSecretValue',
-            'secretsmanager:UpdateSecretVersionStage',
-          ],
-          Effect: 'Allow',
-          Resource: {
-            Ref: 'SecretA720EF05',
-          },
-          Condition: {
-            StringEquals: {
-              'secretsmanager:resource/AllowRotationLambdaArn': {
-                'Fn::GetAtt': [
-                  'LambdaD247545B',
-                  'Arn',
-                ],
-              },
-            },
-          },
-        },
-        {
-          Action: 'secretsmanager:GetRandomPassword',
-          Effect: 'Allow',
-          Resource: '*',
-        },
-      ],
-      Version: '2012-10-17',
-    },
-    PolicyName: 'LambdaServiceRoleDefaultPolicyDAE46E21',
-    Roles: [
-      {
-        Ref: 'LambdaServiceRoleA8ED4D3B',
-      },
-    ],
-  });
-});
-
 describe('hosted rotation', () => {
   test('single user not in a vpc', () => {
     // GIVEN

diff --git a/version.v1.json b/version.v1.json
@@ -1,3 +1,3 @@
 {
-  "version": "1.106.0"
+  "version": "1.106.1"
 }