Description
Hi, fellow DB Systel dev here. This construct looks awesome and does exactly what we need. Due to how permissions are handled, we cannot create new roles in any environment but DEV, and instead use imported roles created elsewhere. This construct creates its own Lambda role and handles its permissions, which is handy, but prevents us from using the construct.
I'm not an expert when it comes to jsii, but from the types I've seen, the class SopsSyncProvider implements SingletonFunction, which can take a role as a parameter. Maybe it would suffice to expose that parameter as an optional parameter of the SopsSyncProvider constructor. Then the user would have to make sure the provided role has all required permissions, but the construct would not have to create a role, so we could use it.
We are using Python in our project; I would suggest something like this:
```python
from aws_cdk.aws_iam import Role
from aws_cdk.aws_kms import Key
from cdk_sops_secrets import SopsSecret, SopsSyncProvider

# `scope` is the enclosing Stack/Construct in which these resources are defined.
managed_secrets = ["my_first_secret", "my_second_secret"]

# Roles cannot be created outside DEV, so reference one that already exists.
imported_role = Role.from_role_name(scope=scope, id="imported_lambda_role", role_name="my_role_name")
imported_key = Key.from_key_arn(
    scope=scope,
    id="imported_kms_default_key",
    key_arn="myKeyArn",
)

# Proposed: pass the imported role instead of letting the construct create one.
provider = SopsSyncProvider(scope=scope, id="lambda_sops_sync_provider", role=imported_role)

for secret_name in managed_secrets:
    new_secret = SopsSecret(
        scope=scope,
        id=secret_name,
        secret_name=secret_name,
        encryption_key=imported_key,
        sops_file_path=f"secrets/{secret_name}.yaml",
        sops_provider=provider,
    )
```
Do you think this is feasible?