feat: added configurable 'wait' step to state machine

willdady · willdady · commit 5bf2a0c43faa · 2022-03-23T10:43:18.000+11:00
diff --git a/API.md b/API.md
@@ -116,6 +116,7 @@ The tree node.
 | --- | --- | --- |
 | <code><a href="#cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.credentialsHandler">credentialsHandler</a></code> | <code>aws-cdk-lib.aws_lambda.IFunction</code> | Lambda function which is invoked after new credentials are created for a user. |
 | <code><a href="#cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.usernames">usernames</a></code> | <code>string[]</code> | List of IAM usernames in target account. |
+| <code><a href="#cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.cleanupWaitDuration">cleanupWaitDuration</a></code> | <code>aws-cdk-lib.Duration</code> | The amount of time to wait before deleting old credentials. |
 | <code><a href="#cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.scheduleDuration">scheduleDuration</a></code> | <code>aws-cdk-lib.Duration</code> | Frequency of key rotation. |
 
 ---
@@ -144,6 +145,21 @@ List of IAM usernames in target account.
 
 ---
 
+##### `cleanupWaitDuration`<sup>Optional</sup> <a name="cleanupWaitDuration" id="cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.cleanupWaitDuration"></a>
+
+```typescript
+public readonly cleanupWaitDuration: Duration;
+```
+
+- *Type:* aws-cdk-lib.Duration
+- *Default:* 5 minutes
+
+The amount of time to wait before deleting old credentials.
+
+This value MUST be significantly less-than `scheduleDuration`.
+
+---
+
 ##### `scheduleDuration`<sup>Optional</sup> <a name="scheduleDuration" id="cdk-iam-credentials-rotator.IIamCredentialsRotatorProps.property.scheduleDuration"></a>
 
 ```typescript
diff --git a/README.md b/README.md
@@ -7,19 +7,19 @@ AWS CDK construct for rotating IAM user credentials and sending to a third party
 Simply provide a list of usernames of IAM users which exist in the target account and a Lambda function to handle the newly created credentials for a given user.
 
 ```typescript
-const credentialsHandler = new lambda.Function(this, 'MyCredentialsHandler', {
+const myCredentialsHandler = new lambda.Function(this, 'MyCredentialsHandler', {
   handler: 'index.handler',
   code: lambda.Code.fromAsset('path/to/your/code'),
   runtime: lambda.Runtime.NODEJS_14_X,
 });
 
 new IamCredentialsRotator(this, 'MyCredentialsRotator', {
   usernames: ['homer', 'marge', 'bart', 'lisa', 'maggie'],
-  credentialsHandler,
+  credentialsHandler: myCredentialsHandler,
 });
 ```
 
-The Lambda function, `credentialsHandler` is called immediately after a new access key is created for a user. The newly created credentials must be retrieved from AWS Secrets Manager using the secret name passed in to the function. 
+The Lambda function, `credentialsHandler`, is called immediately after a new access key is created for a user. The newly created credentials must be retrieved from AWS Secrets Manager using the secret name passed in to the function. 
 
 By default, credentials are rotated once an hour. This can be changed by providing `scheduleDuration` in the constructor.
 
@@ -50,7 +50,9 @@ export async function handler(event: Event) {
 }
 ```
 
-Once your function exits the secret will be deleted from AWS Secrets Manager and old credentials for the user are also deleted at this step.
+Once your function exits the underlying AWS Step Functions workflow will wait a period of time before deleting the old credentials. During this period both the old and new credentials for the user exist. At the end of this period the old credentials are deleted.
+
+The amount of time to wait before deleting old credentials defaults to 5 minutes and can be adjusted by setting `cleanupWaitDuration`. This value MUST be less-than `scheduleDuration`.
 
 ## Architecture
 
diff --git a/images/diagram.png b/images/diagram.png
diff --git a/src/iam-credentials-rotator.ts b/src/iam-credentials-rotator.ts
@@ -26,6 +26,13 @@ export interface IIamCredentialsRotatorProps {
    * @default 1 hour
    */
   readonly scheduleDuration?: Duration;
+  /**
+   * The amount of time to wait before deleting old credentials.
+   *
+   * This value MUST be significantly less-than `scheduleDuration`.
+   * @default 5 minutes
+   */
+  readonly cleanupWaitDuration?: Duration;
 }
 
 export class IamCredentialsRotator extends Construct {
@@ -122,8 +129,16 @@ export class IamCredentialsRotator extends Construct {
       inputPath: '$.Payload',
     });
 
+    const waitBeforeCleanup = new sfn.Wait(this, 'Wait', {
+      time: sfn.WaitTime.duration(
+        props.cleanupWaitDuration || Duration.minutes(5),
+      ),
+    });
+
     const definition = credentialsRotatorLambdaTask.next(
-      credentialsHandlerLambdaTask.next(cleanupLambdaTask),
+      credentialsHandlerLambdaTask.next(
+        waitBeforeCleanup.next(cleanupLambdaTask),
+      ),
     );
 
     const stateMachine = new sfn.StateMachine(
