feat: add secret expiration tracking

Author: dariozachow

lambda/go.mod

@@ -4,12 +4,13 @@ go 1.26
 
 require (
 	github.com/aws/aws-lambda-go v1.52.0
-	github.com/aws/aws-sdk-go-v2 v1.41.5
+	github.com/aws/aws-sdk-go-v2 v1.41.7
 	github.com/aws/aws-sdk-go-v2/config v1.32.10
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
+	github.com/aws/aws-sdk-go-v2/service/scheduler v1.17.24
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.2
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.1
-	github.com/aws/smithy-go v1.24.2
+	github.com/aws/smithy-go v1.25.1
 	github.com/getsops/sops/v3 v3.12.1
 	github.com/gkampitakis/go-snaps v0.5.19
 	github.com/invopop/jsonschema v0.13.0
@@ -46,8 +47,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect

lambda/go.sum

@@ -69,8 +69,8 @@ github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBi
 github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/aws/aws-lambda-go v1.52.0 h1:5NfiRaVl9FafUIt2Ld/Bv22kT371mfAI+l1Hd+tV7ZE=
 github.com/aws/aws-lambda-go v1.52.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7RfgJv23DymV8A=
-github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
-github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8=
+github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
 github.com/aws/aws-sdk-go-v2/config v1.32.10 h1:9DMthfO6XWZYLfzZglAgW5Fyou2nRI5CuV44sTedKBI=
@@ -81,10 +81,10 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 h1:Ii4s+Sq3yDfaMLpjrJsqD6
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18/go.mod h1:6x81qnY++ovptLE6nWQeWrpXxbnlIex+4H4eYYGcqfc=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.3 h1:+mQ8NQBh7B7c2FBtppRnwkrmuwFON1XQQ+5yblomZKk=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.3/go.mod h1:u67RKh3BRmS4FYLH+rN3N4T5fqpd9m2ttAwBJYEdosU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 h1:GpT/TrnBYuE5gan2cZbTtvP+JlHsutdmlV2YfEyNde0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23/go.mod h1:xYWD6BS9ywC5bS3sz9Xh04whO/hzK2plt2Zkyrp4JuA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 h1:bpd8vxhlQi2r1hiueOw02f/duEPTMK59Q4QMAoTTtTo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23/go.mod h1:15DfR2nw+CRHIk0tqNyifu3G1YdAOy68RftkhMDDwYk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
@@ -101,6 +101,8 @@ github.com/aws/aws-sdk-go-v2/service/kms v1.50.1 h1:wb/PYYm3wlcqGzw7Ls4GD3X5+seD
 github.com/aws/aws-sdk-go-v2/service/kms v1.50.1/go.mod h1:xvHowJ6J9CuaFE04S8fitWQXytf4sHz3DTPGhw9FtmU=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/scheduler v1.17.24 h1:F4gvh9TJcEZVqirKpX/FBWEMK6tvnGSVf4FWDvFtSQw=
+github.com/aws/aws-sdk-go-v2/service/scheduler v1.17.24/go.mod h1:0/mvOL++cUfpS4KgHigHDo+x8KLYG/grOTyIOw3KCPM=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.2 h1:hezAo5AQM0moD4qitsn8bZuc2WE/MmP+cySGfJWEi1A=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.2/go.mod h1:7+wvNfdX7NZtxNyVLbbS89gYldQ3H+1nlVRr7J9KQDA=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 h1:MzORe+J94I+hYu2a6XmV5yC9huoTv8NRcCrUNedDypQ=
@@ -113,8 +115,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 h1:edCcNp9eGIUDUCrzoCu1jWA
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15/go.mod h1:lyRQKED9xWfgkYC/wmmYfv7iVIM68Z5OQ88ZdcV1QbU=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 h1:NITQpgo9A5NrDZ57uOWj+abvXSb83BbyggcUBVksN7c=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.7/go.mod h1:sks5UWBhEuWYDPdwlnRFn1w7xWdH29Jcpe+/PJQefEs=
-github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
-github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
+github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=

lambda/handle.go

@@ -71,6 +71,24 @@ func handleSecret(props BaseProps) (physicalResourceID string, data map[string]i
 
 	logger.Info("Secret data updated", "ARN", *putSecretValueResp.ARN)
 
+	// Handle expiration schedule upsert for flat JSON secrets when expiration is configured.
+	if props.properties.Expiration != nil && props.properties.ResourceType == event.SECRET {
+		stringMapBytes, smErr := props.secretDecryptedData.ToStringMap()
+		if smErr != nil {
+			logger.Warn("Could not extract string map for expiration scan", "Error", smErr)
+		} else {
+			// Convert map[string][]byte to map[string]string
+			stringMap := make(map[string]string, len(stringMapBytes))
+			for k, v := range stringMapBytes {
+				stringMap[k] = string(v)
+			}
+			if expErr := handleExpirationUpsert(props.properties, props.clients, stringMap, *putSecretValueResp.ARN); expErr != nil {
+				logger.Error("Failed to upsert expiration schedules", "Error", expErr)
+				return *putSecretValueResp.ARN, nil, expErr
+			}
+		}
+	}
+
 	return *putSecretValueResp.ARN, map[string]interface{}{
 		"ARN":           *putSecretValueResp.ARN,
 		"Name":          *putSecretValueResp.Name,

lambda/handle_expiration.go

@@ -0,0 +1,175 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/markussiebert/cdk-sops-secrets/internal/client"
+	"github.com/markussiebert/cdk-sops-secrets/internal/event"
+)
+
+const defaultExpirationSuffix = "_expiration"
+const defaultDaysBeforeExpiration = 14
+
+// expirationMessage is the payload published to the SNS topic.
+type expirationMessage struct {
+	SecretArn            string `json:"secretArn"`
+	KeyName              string `json:"keyName"`
+	ExpirationDate       string `json:"expirationDate"`
+	NotificationDate     string `json:"notificationDate"`
+	DaysBeforeExpiration int    `json:"daysBeforeExpiration"`
+}
+
+// sanitizeScheduleName converts a key name into a valid EventBridge Scheduler
+// schedule name: only [a-zA-Z0-9_-], max 64 characters.
+func sanitizeScheduleName(name string) string {
+	re := regexp.MustCompile(`[^a-zA-Z0-9_-]`)
+	sanitized := re.ReplaceAllString(name, "-")
+	if len(sanitized) > 64 {
+		sanitized = sanitized[:64]
+	}
+	return sanitized
+}
+
+// parseExpirationDate attempts to parse a date string in ISO 8601 / RFC 3339
+// formats. Accepted formats: "2006-01-02", "2006-01-02T15:04:05Z07:00".
+func parseExpirationDate(value string) (time.Time, error) {
+	value = strings.TrimSpace(value)
+	formats := []string{
+		"2006-01-02",
+		time.RFC3339,
+	}
+	for _, format := range formats {
+		if t, err := time.Parse(format, value); err == nil {
+			return t, nil
+		}
+	}
+	return time.Time{}, fmt.Errorf("unsupported date format: %q", value)
+}
+
+// scanExpirationKeys scans the flattened secret map for keys that end with the
+// given suffix and returns a map of base key → expiration time.
+func scanExpirationKeys(secretMap map[string]string, suffix string) map[string]time.Time {
+	result := make(map[string]time.Time)
+	for key, value := range secretMap {
+		if !strings.HasSuffix(key, suffix) {
+			continue
+		}
+		baseKey := strings.TrimSuffix(key, suffix)
+		t, err := parseExpirationDate(value)
+		if err != nil {
+			slog.Warn("Skipping unparseable expiration date",
+				"key", key, "value", value, "error", err)
+			continue
+		}
+		result[baseKey] = t
+	}
+	return result
+}
+
+// handleExpirationUpsert creates or updates EventBridge Scheduler schedules for
+// all expiration keys found in the decrypted secret.
+func handleExpirationUpsert(
+	props *event.SopsSyncResourcePropertys,
+	clients client.AwsClient,
+	secretMap map[string]string,
+	secretArn string,
+) error {
+	logger := slog.With("Package", "main", "Function", "handleExpirationUpsert")
+	exp := props.Expiration
+
+	suffix := defaultExpirationSuffix
+	if exp.ExpirationSuffix != nil && *exp.ExpirationSuffix != "" {
+		suffix = *exp.ExpirationSuffix
+	}
+
+	days := defaultDaysBeforeExpiration
+	if exp.DaysBeforeExpiration != nil {
+		days = *exp.DaysBeforeExpiration
+	}
+
+	expirations := scanExpirationKeys(secretMap, suffix)
+	if len(expirations) == 0 {
+		logger.Info("No expiration keys found in secret", "Suffix", suffix)
+		return nil
+	}
+
+	for baseKey, expiresAt := range expirations {
+		notifyAt := expiresAt.UTC().AddDate(0, 0, -days)
+		// Skip schedules whose notification time is already in the past.
+		if notifyAt.Before(time.Now().UTC()) {
+			logger.Warn("Notification time is in the past, skipping schedule",
+				"baseKey", baseKey,
+				"expiresAt", expiresAt.Format("2006-01-02"),
+				"notifyAt", notifyAt.Format("2006-01-02"),
+			)
+			continue
+		}
+
+		scheduleName := sanitizeScheduleName(baseKey)
+		// EventBridge Scheduler at() expression format: at(YYYY-MM-DDTHH:mm:ss)
+		scheduleExpr := fmt.Sprintf("at(%s)", notifyAt.Format("2006-01-02T15:04:05"))
+
+		msg := expirationMessage{
+			SecretArn:            secretArn,
+			KeyName:              baseKey,
+			ExpirationDate:       expiresAt.UTC().Format("2006-01-02"),
+			NotificationDate:     notifyAt.UTC().Format("2006-01-02"),
+			DaysBeforeExpiration: days,
+		}
+		msgJSON, err := json.Marshal(msg)
+		if err != nil {
+			return fmt.Errorf("failed to marshal expiration message for key %s: %v", baseKey, err)
+		}
+
+		logger.Info("Upserting expiration schedule",
+			"scheduleName", scheduleName,
+			"group", exp.ScheduleGroupName,
+			"expression", scheduleExpr,
+		)
+
+		if err := clients.SchedulerCreateOrUpdateSchedule(
+			scheduleName,
+			exp.ScheduleGroupName,
+			scheduleExpr,
+			exp.TopicArn,
+			exp.SchedulerRoleArn,
+			string(msgJSON),
+		); err != nil {
+			return fmt.Errorf("failed to upsert schedule for key %s: %v", baseKey, err)
+		}
+	}
+	return nil
+}
+
+// handleExpirationDelete removes all expiration schedules for a secret by
+// listing and deleting every schedule in the group.
+func handleExpirationDelete(
+	props *event.SopsSyncResourcePropertys,
+	clients client.AwsClient,
+) error {
+	logger := slog.With("Package", "main", "Function", "handleExpirationDelete")
+	exp := props.Expiration
+
+	names, err := clients.SchedulerListSchedules(exp.ScheduleGroupName)
+	if err != nil {
+		// If the group doesn't exist yet (e.g. stack was never fully deployed)
+		// treat it as a no-op rather than a hard failure.
+		logger.Warn("Could not list schedules, assuming group does not exist",
+			"Group", exp.ScheduleGroupName, "Error", err)
+		return nil
+	}
+
+	for _, name := range names {
+		logger.Info("Deleting expiration schedule", "Name", name, "Group", exp.ScheduleGroupName)
+		if err := clients.SchedulerDeleteSchedule(name, exp.ScheduleGroupName); err != nil {
+			// Log and continue so we attempt to delete all schedules even if one fails.
+			logger.Error("Failed to delete schedule", "Name", name, "Error", err)
+		}
+	}
+	return nil
+}