Create SecretWithParameter construct for secret and SSM parameter

kris-szlapa · kris-szlapa · commit c6c54fdedab3 · 2025-07-25T04:16:34.000Z
diff --git a/packages/cdk/constructs/SecretWithParameter.ts b/packages/cdk/constructs/SecretWithParameter.ts
@@ -0,0 +1,33 @@
+import {Construct} from "constructs"
+import * as cdk from "aws-cdk-lib"
+import * as ssm from "aws-cdk-lib/aws-ssm"
+import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager"
+
+export interface SecretWithParameterProps {
+  secretName: string
+  parameterName: string
+  description: string
+  secretValue: string
+}
+
+export class SecretWithParameter extends Construct {
+  public readonly secret: secretsmanager.Secret
+  public readonly parameter: ssm.StringParameter
+
+  constructor(scope: Construct, id: string, props: SecretWithParameterProps) {
+    super(scope, id)
+
+    this.secret = new secretsmanager.Secret(this, "Secret", {
+      secretName: props.secretName,
+      description: props.description,
+      secretStringValue: cdk.SecretValue.unsafePlainText(props.secretValue)
+    })
+
+    this.parameter = new ssm.StringParameter(this, "Parameter", {
+      parameterName: props.parameterName,
+      stringValue: `{{resolve:secretsmanager:${this.secret.secretName}}}`,
+      description: `Reference to ${props.description}`,
+      tier: ssm.ParameterTier.STANDARD
+    })
+  }
+}
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -235,7 +235,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress secrets without rotation
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/Secrets/SlackBotTokenSecret/Resource",
+    "/EpsAssistMeStack/Secrets/SlackBotToken/Secret/Resource",
     [
       {
         id: "AwsSolutions-SMG4",
@@ -246,7 +246,7 @@ export const nagSuppressions = (stack: Stack) => {
 
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/Secrets/SlackBotSigningSecret/Resource",
+    "/EpsAssistMeStack/Secrets/SlackBotSigning/Secret/Resource",
     [
       {
         id: "AwsSolutions-SMG4",
diff --git a/packages/cdk/resources/Secrets.ts b/packages/cdk/resources/Secrets.ts
@@ -1,7 +1,7 @@
 import {Construct} from "constructs"
-import * as cdk from "aws-cdk-lib"
 import * as ssm from "aws-cdk-lib/aws-ssm"
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager"
+import {SecretWithParameter} from "../constructs/SecretWithParameter"
 
 export interface SecretsProps {
   slackBotToken: string
@@ -17,36 +17,23 @@ export class Secrets extends Construct {
   constructor(scope: Construct, id: string, props: SecretsProps) {
     super(scope, id)
 
-    // Create secrets in Secrets Manager
-    this.slackBotTokenSecret = new secretsmanager.Secret(this, "SlackBotTokenSecret", {
+    const slackBotToken = new SecretWithParameter(this, "SlackBotToken", {
       secretName: "/eps-assist/slack/bot-token",
+      parameterName: "/eps-assist/slack/bot-token/parameter",
       description: "Slack Bot OAuth Token for EPS Assist",
-      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
-        token: props.slackBotToken
-      }))
+      secretValue: JSON.stringify({token: props.slackBotToken})
     })
 
-    this.slackBotSigningSecret = new secretsmanager.Secret(this, "SlackBotSigningSecret", {
+    const slackBotSigning = new SecretWithParameter(this, "SlackBotSigning", {
       secretName: "/eps-assist/slack/signing-secret",
+      parameterName: "/eps-assist/slack/signing-secret/parameter",
       description: "Slack Signing Secret",
-      secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
-        secret: props.slackSigningSecret
-      }))
+      secretValue: JSON.stringify({secret: props.slackSigningSecret})
     })
 
-    // Create SSM parameters that reference the secrets
-    this.slackBotTokenParameter = new ssm.StringParameter(this, "SlackBotTokenParameter", {
-      parameterName: "/eps-assist/slack/bot-token/parameter",
-      stringValue: `{{resolve:secretsmanager:${this.slackBotTokenSecret.secretName}}}`,
-      description: "Reference to Slack Bot Token in Secrets Manager",
-      tier: ssm.ParameterTier.STANDARD
-    })
-
-    this.slackSigningSecretParameter = new ssm.StringParameter(this, "SlackSigningSecretParameter", {
-      parameterName: "/eps-assist/slack/signing-secret/parameter",
-      stringValue: `{{resolve:secretsmanager:${this.slackBotSigningSecret.secretName}}}`,
-      description: "Reference to Slack Signing Secret in Secrets Manager",
-      tier: ssm.ParameterTier.STANDARD
-    })
+    this.slackBotTokenSecret = slackBotToken.secret
+    this.slackBotSigningSecret = slackBotSigning.secret
+    this.slackBotTokenParameter = slackBotToken.parameter
+    this.slackSigningSecretParameter = slackBotSigning.parameter
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ export const nagSuppressions = (stack: Stack) => {`
`235`	`235`	`// Suppress secrets without rotation`
`236`	`236`	`safeAddNagSuppression(`
`237`	`237`	`stack,`
`238`		`- "/EpsAssistMeStack/Secrets/SlackBotTokenSecret/Resource",`
	`238`	`+ "/EpsAssistMeStack/Secrets/SlackBotToken/Secret/Resource",`
`239`	`239`	`[`
`240`	`240`	`{`
`241`	`241`	`id: "AwsSolutions-SMG4",`
`@@ -246,7 +246,7 @@ export const nagSuppressions = (stack: Stack) => {`
`246`	`246`
`247`	`247`	`safeAddNagSuppression(`
`248`	`248`	`stack,`
`249`		`- "/EpsAssistMeStack/Secrets/SlackBotSigningSecret/Resource",`
	`249`	`+ "/EpsAssistMeStack/Secrets/SlackBotSigning/Secret/Resource",`
`250`	`250`	`[`
`251`	`251`	`{`
`252`	`252`	`id: "AwsSolutions-SMG4",`