rentall-app/infrastructure/cdk/lib/secrets-stack.ts
2026-01-21 14:18:07 -05:00


import * as cdk from "aws-cdk-lib";
import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
import { Construct } from "constructs";
/**
 * Props accepted by SecretsStack in addition to the standard stack props.
 */
interface SecretsStackProps extends cdk.StackProps {
  /**
   * Deployment environment name (dev, staging, prod).
   *
   * SecretsStack interpolates this value into the secret names
   * (`rentall/<environment>/...`) and into the CloudFormation export names,
   * so it has to be a value that is valid in both places.
   */
  environment: string;

  /**
   * Username stored in the database credentials secret.
   * SecretsStack falls back to "rentall_admin" when this is omitted.
   */
  dbUsername?: string;
}
/**
 * Provisions the Secrets Manager secrets for one rentall environment: a
 * database credentials secret and an application secret.
 *
 * Both secret values are produced through `generateSecretString`, so the only
 * caller-supplied value written into the secret template is the database
 * username. The stack outputs export each secret's ARN and name only, never
 * the secret value.
 *
 * NOTE(review): no encryptionKey, removalPolicy or rotation schedule is
 * configured in this stack, so the library defaults apply. Confirm that those
 * defaults (and the absence of rotation) are what prod should run with.
 */
export class SecretsStack extends cdk.Stack {
  /**
   * Secret holding the database username and a generated password.
   */
  public readonly databaseSecret: secretsmanager.Secret;

  /**
   * Secret holding application-level values (currently the generated JWT secret).
   */
  public readonly appSecret: secretsmanager.Secret;

  /**
   * @param scope Parent construct.
   * @param id Construct id of this stack.
   * @param props Stack props; `environment` is required, `dbUsername` is optional.
   */
  constructor(scope: Construct, id: string, props: SecretsStackProps) {
    super(scope, id, props);

    const environment = props.environment;
    // Same fallback as a destructuring default: applies only when the prop is undefined.
    const dbUsername =
      props.dbUsername === undefined ? "rentall_admin" : props.dbUsername;

    // Every secret of this environment lives under one name prefix, which
    // makes it possible to scope IAM policies to `rentall/<environment>/*`.
    const namePrefix = `rentall/${environment}`;

    // Database credentials: the username comes from props, the password is
    // generated under the "password" key of the JSON secret string.
    const databaseTemplate = JSON.stringify({
      username: dbUsername,
    });
    this.databaseSecret = new secretsmanager.Secret(this, "DatabaseSecret", {
      secretName: `${namePrefix}/database`,
      description: `Database credentials for rentall ${environment} environment`,
      generateSecretString: {
        secretStringTemplate: databaseTemplate,
        generateStringKey: "password",
        // Alphanumeric-only password. excludePunctuation should already cover
        // the characters listed in excludeCharacters; the explicit list is
        // kept as written.
        excludePunctuation: true,
        excludeCharacters: '/@"\'\\',
        passwordLength: 32,
      },
    });

    // Application secrets: the JWT signing secret is generated under the
    // "jwtSecret" key of the JSON secret string.
    const appTemplate = JSON.stringify({
      // Add any additional app secrets here
    });
    this.appSecret = new secretsmanager.Secret(this, "AppSecret", {
      secretName: `${namePrefix}/app`,
      description: `Application secrets for rentall ${environment} environment`,
      generateSecretString: {
        secretStringTemplate: appTemplate,
        generateStringKey: "jwtSecret",
        // Punctuation is allowed here, so consumers must read the jwtSecret
        // key out of the JSON document instead of using the raw string.
        excludePunctuation: false,
        passwordLength: 64,
      },
    });

    // Stack outputs, in creation order. Each entry is
    // [construct id, value, description]; the export name is derived from the
    // construct id plus the environment. Only identifiers are exported.
    const outputs: Array<[string, string, string]> = [
      [
        "DatabaseSecretArn",
        this.databaseSecret.secretArn,
        "Database credentials secret ARN",
      ],
      [
        "DatabaseSecretName",
        this.databaseSecret.secretName,
        "Database credentials secret name",
      ],
      ["AppSecretArn", this.appSecret.secretArn, "Application secrets ARN"],
      ["AppSecretName", this.appSecret.secretName, "Application secrets name"],
    ];

    for (const [outputId, value, description] of outputs) {
      new cdk.CfnOutput(this, outputId, {
        value,
        description,
        exportName: `${outputId}-${environment}`,
      });
    }
  }
}