Amazon DocumentDB with MongoDB compatibility Update: Support AWS Secret Manager managed password for AWS DocumentDB instance-based cluster.

AWS · AWS · commit 1e4a430ca5b7 · 2024-12-20T19:06:09.000Z
diff --git a/.changes/next-release/feature-AmazonDocumentDBwithMongoDBcompatibility-1df7d1d.json b/.changes/next-release/feature-AmazonDocumentDBwithMongoDBcompatibility-1df7d1d.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Amazon DocumentDB with MongoDB compatibility",
+    "contributor": "",
+    "description": "Support AWS Secret Manager managed password for AWS DocumentDB instance-based cluster."
+}
diff --git a/services/docdb/src/main/resources/codegen-resources/service-2.json b/services/docdb/src/main/resources/codegen-resources/service-2.json
@@ -1244,6 +1244,24 @@
       },
       "documentation":"<p>The configuration setting for the log types to be enabled for export to Amazon CloudWatch Logs for a specific instance or cluster.</p> <p>The <code>EnableLogTypes</code> and <code>DisableLogTypes</code> arrays determine which logs are exported (or not exported) to CloudWatch Logs. The values within these arrays depend on the engine that is being used.</p>"
     },
+    "ClusterMasterUserSecret":{
+      "type":"structure",
+      "members":{
+        "SecretArn":{
+          "shape":"String",
+          "documentation":"<p>The Amazon Resource Name (ARN) of the secret.</p>"
+        },
+        "SecretStatus":{
+          "shape":"String",
+          "documentation":"<p>The status of the secret.</p> <p>The possible status values include the following:</p> <ul> <li> <p>creating - The secret is being created.</p> </li> <li> <p>active - The secret is available for normal use and rotation.</p> </li> <li> <p>rotating - The secret is being rotated.</p> </li> <li> <p>impaired - The secret can be used to access database credentials, but it can't be rotated. A secret might have this status if, for example, permissions are changed so that Amazon DocumentDB can no longer access either the secret or the KMS key for the secret.</p> <p>When a secret has this status, you can correct the condition that caused the status. Alternatively, modify the instance to turn off automatic management of database credentials, and then modify the instance again to turn on automatic management of database credentials.</p> </li> </ul>"
+        },
+        "KmsKeyId":{
+          "shape":"String",
+          "documentation":"<p>The Amazon Web Services KMS key identifier that is used to encrypt the secret.</p>"
+        }
+      },
+      "documentation":"<p>Contains the secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.</p>"
+    },
     "CopyDBClusterParameterGroupMessage":{
       "type":"structure",
       "required":[
@@ -1407,6 +1425,14 @@
         "StorageType":{
           "shape":"String",
           "documentation":"<p>The storage type to associate with the DB cluster.</p> <p>For information on storage types for Amazon DocumentDB clusters, see Cluster storage configurations in the <i>Amazon DocumentDB Developer Guide</i>.</p> <p>Valid values for storage type - <code>standard | iopt1</code> </p> <p>Default value is <code>standard </code> </p> <note> <p>When you create a DocumentDB DB cluster with the storage type set to <code>iopt1</code>, the storage type is returned in the response. The storage type isn't returned when you set it to <code>standard</code>.</p> </note>"
+        },
+        "ManageMasterUserPassword":{
+          "shape":"BooleanOptional",
+          "documentation":"<p>Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.</p> <p>Constraint: You can't manage the master user password with Amazon Web Services Secrets Manager if <code>MasterUserPassword</code> is specified.</p>"
+        },
+        "MasterUserSecretKmsKeyId":{
+          "shape":"String",
+          "documentation":"<p>The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager. This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the DB cluster.</p> <p>The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.</p> <p>If you don't specify <code>MasterUserSecretKmsKeyId</code>, then the <code>aws/secretsmanager</code> KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't use the <code>aws/secretsmanager</code> KMS key to encrypt the secret, and you must use a customer managed KMS key.</p> <p>There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.</p>"
         }
       },
       "documentation":"<p>Represents the input to <a>CreateDBCluster</a>. </p>"
@@ -1800,6 +1826,10 @@
         "StorageType":{
           "shape":"String",
           "documentation":"<p>Storage type associated with your cluster</p> <p>Storage type associated with your cluster</p> <p>For information on storage types for Amazon DocumentDB clusters, see Cluster storage configurations in the <i>Amazon DocumentDB Developer Guide</i>.</p> <p>Valid values for storage type - <code>standard | iopt1</code> </p> <p>Default value is <code>standard </code> </p>"
+        },
+        "MasterUserSecret":{
+          "shape":"ClusterMasterUserSecret",
+          "documentation":"<p>The secret managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the master user password.</p>"
         }
       },
       "documentation":"<p>Detailed information about a cluster. </p>",
@@ -3889,6 +3919,18 @@
         "StorageType":{
           "shape":"String",
           "documentation":"<p>The storage type to associate with the DB cluster.</p> <p>For information on storage types for Amazon DocumentDB clusters, see Cluster storage configurations in the <i>Amazon DocumentDB Developer Guide</i>.</p> <p>Valid values for storage type - <code>standard | iopt1</code> </p> <p>Default value is <code>standard </code> </p>"
+        },
+        "ManageMasterUserPassword":{
+          "shape":"BooleanOptional",
+          "documentation":"<p>Specifies whether to manage the master user password with Amazon Web Services Secrets Manager. If the cluster doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management. In this case, you can't specify <code>MasterUserPassword</code>. If the cluster already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the master user password is not managed with Amazon Web Services Secrets Manager, then you must specify <code>MasterUserPassword</code>. In this case, Amazon DocumentDB deletes the secret and uses the new password for the master user specified by <code>MasterUserPassword</code>.</p>"
+        },
+        "MasterUserSecretKmsKeyId":{
+          "shape":"String",
+          "documentation":"<p>The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.</p> <p>This setting is valid only if both of the following conditions are met:</p> <ul> <li> <p>The cluster doesn't manage the master user password in Amazon Web Services Secrets Manager. If the cluster already manages the master user password in Amazon Web Services Secrets Manager, you can't change the KMS key that is used to encrypt the secret.</p> </li> <li> <p>You are enabling <code>ManageMasterUserPassword</code> to manage the master user password in Amazon Web Services Secrets Manager. If you are turning on <code>ManageMasterUserPassword</code> and don't specify <code>MasterUserSecretKmsKeyId</code>, then the <code>aws/secretsmanager</code> KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't use the <code>aws/secretsmanager</code> KMS key to encrypt the secret, and you must use a customer managed KMS key.</p> </li> </ul> <p>The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.</p> <p>There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.</p>"
+        },
+        "RotateMasterUserPassword":{
+          "shape":"BooleanOptional",
+          "documentation":"<p>Specifies whether to rotate the secret managed by Amazon Web Services Secrets Manager for the master user password.</p> <p>This setting is valid only if the master user password is managed by Amazon DocumentDB in Amazon Web Services Secrets Manager for the cluster. The secret value contains the updated password.</p> <p>Constraint: You must apply the change immediately when rotating the master user password.</p>"
         }
       },
       "documentation":"<p>Represents the input to <a>ModifyDBCluster</a>.</p>"
