Description
Describe the bug
Before 2.89.0 we could import a secret from a complete secret ARN in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.
Since 2.89.0 the ARN in the policy treats the completeSecretArn as a partial ARN, appending -?????? to it, which makes the policy invalid and does not allow access to the secret as intended.
Expected Behavior
If a secret is imported from a complete ARN, the ARN used in policies should be the complete ARN and should not include a wildcard for matching a suffix. This allows the action intended by the policy.
Current Behavior
When referencing an imported secret construct from a cross-region stack, the ARN used in policies has a wildcard suffix matcher appended, which makes the referenced policy invalid for allowing the intended action.
Reproduction Steps
- Create a CDK app with the following stacks
- Create a stack in one region which includes a Secret construct imported from a complete secret ARN
- Create a stack in another region which includes a Role that is granted access to the secret with grantRead on the secret construct
- Synthesize the stacks, and see the additional suffix on the secret ARN in the role's policy.
Reproduction repository:
https://github.com/rv2673/aws-cdk-cross-region-secret-import-reproduction
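As an added example (not code from the issue or from aws-cdk-lib), the check below scans a synthesized CloudFormation template for the regression described in the reproduction steps, and shows the resource string an imported secret should produce: a complete ARN verbatim, a partial ARN with -?????? appended. The ARN, the template and the function names are constructed for this example.

```typescript
// Added example, not from the issue or aws-cdk-lib; ARNs, names and the
// sample template below are constructed, not taken from a real deployment.
type Attrs = { secretCompleteArn?: string; secretPartialArn?: string };

// Policy resource for an imported secret: a complete ARN is used verbatim; only a
// partial ARN needs "-??????" to match the 6-character suffix Secrets Manager adds.
function expectedPolicyResource(attrs: Attrs): string {
  if (attrs.secretCompleteArn) return attrs.secretCompleteArn;
  if (attrs.secretPartialArn) return `${attrs.secretPartialArn}-??????`;
  throw new Error("one of secretCompleteArn or secretPartialArn is required");
}

// Flatten a literal string or an Fn::Join of literals into a plain string so
// resources built from intrinsics can still be compared; anything else is undefined.
function flatten(value: any): string | undefined {
  if (typeof value === "string") return value;
  if (value && Array.isArray(value["Fn::Join"])) {
    const parts: (string | undefined)[] = value["Fn::Join"][1].map(flatten);
    return parts.every((p) => p !== undefined) ? parts.join(value["Fn::Join"][0]) : undefined;
  }
  return undefined;
}

// Statements in AWS::IAM::Policy resources whose Resource is a known complete ARN
// with the wildcard appended, i.e. a policy that will never match the real secret.
function findBadWildcardResources(template: any, completeArns: string[]): string[] {
  const bad: string[] = [];
  for (const name in template.Resources) {
    const res = template.Resources[name];
    if (res.Type !== "AWS::IAM::Policy") continue;
    for (const stmt of res.Properties.PolicyDocument.Statement) {
      const list = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
      for (const r of list) {
        const s = flatten(r);
        if (s && completeArns.some((arn) => s === `${arn}-??????`)) bad.push(s);
      }
    }
  }
  return bad;
}

// Constructed sample template: one statement is correct, one carries the bad suffix.
const COMPLETE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-AbCdEf";
const SAMPLE_TEMPLATE = { Resources: { RoleDefaultPolicy: {
  Type: "AWS::IAM::Policy",
  Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: "secretsmanager:GetSecretValue", Resource: COMPLETE_ARN },
    { Effect: "Allow", Action: "secretsmanager:DescribeSecret",
      Resource: { "Fn::Join": ["", [COMPLETE_ARN, "-??????"]] } },
  ] } },
} } };
```

Running findBadWildcardResources over the templates in cdk.out with the list of complete ARNs the app imports flags exactly the statements that would fail to grant access after upgrading.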
Possible Solution
- Override arnForPolicies in the class returned from the fromSecretAttributes method on the Secret construct.
- Fix the conditions in the _arnForPolicies Lazy.string implementation function.
Additional Information/Context
No response
CDK CLI Version
2.92.0
Framework Version
No response
Node.js Version
18
OS
ubuntu
Language
Typescript
Language Version
No response
Other information
No response