Overview
Invalid backup secret name
When you deploy this system and then create a new secret in a source account, that secret will be replicated to the backup account. And when you update the secret value or update the staging labels, these changes will be replicated to the backup account.
However, when you add a tag, remove a tag, or make another change to the source secret, this causes the Lambda function to return an error. The following error will be seen in the CloudWatch logs:
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
The error arises because an invalid secret name is being passed to the DescribeSecret operation. This is because of lines 122-123 of the code:
elif event_name in ("TagResource", "UntagResource", "UpdateSecret"):
    secret_name = event_detail["requestParameters"]["secretId"]
The secret_name variable corresponds to the ARN of the secret, which contains colons. Therefore, when the backup secret name is generated, f"{source_account_id}/{source_account_region}/{secret_name}", it will contain colons, which is not a valid character.
No description
If there are secrets without a description, this will cause the Lambda function to return an error, namely a KeyError.
This KeyError arises because of line 184:
Description=secret_data["Description"]
The code assumes that the secrets have a description.
The Fix
#2
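As an added example (not the project's code and not the fix referenced in #2), the following Python sketch shows how both failure modes reported above can be handled in a Lambda of this shape: a secretId that CloudTrail populated with an ARN is normalised to the friendly name by calling DescribeSecret (which accepts either form as SecretId and returns the friendly name in Name), the generated backup name is validated against the character set quoted in the ValidationException before any API call is made, and Description is only forwarded when the source secret has one. The describe callable, the constructed secret records, the constructed CloudTrail-style event details and the handle_event dispatch (including the CreateSecret branch reading requestParameters.name) are assumptions for illustration; in the real function describe would be a thin wrapper such as lambda sid: client.describe_secret(SecretId=sid).

```python
import re
from typing import Any, Callable, Dict

# Characters Secrets Manager accepts in a secret name, taken from the
# ValidationException text quoted in the issue: alphanumerics plus -/_+=.@!
# 512 is the documented maximum length of a secret name.
_VALID_NAME = re.compile(r"^[A-Za-z0-9/_+=.@!-]{1,512}$")
_ARN_PREFIX = "arn:aws"  # also covers arn:aws-cn and arn:aws-us-gov


def is_arn(secret_id: str) -> bool:
    """CloudTrail fills requestParameters.secretId with the ARN for
    TagResource / UntagResource / UpdateSecret, but CreateSecret carries the
    friendly name. The two must be told apart before building a backup name."""
    return secret_id.startswith(_ARN_PREFIX)


def resolve_secret_name(secret_id: str, describe: Callable[[str], Dict[str, Any]]) -> str:
    """Return the friendly name of a secret. Rather than parsing the ARN (the
    random -XXXXXX suffix is ambiguous for names that themselves end in a
    hyphen and six characters), pass it to DescribeSecret and read Name."""
    if not is_arn(secret_id):
        return secret_id
    return describe(secret_id)["Name"]


def backup_secret_name(source_account_id: str, source_region: str, secret_name: str) -> str:
    """Build the backup name with the same scheme as the project and reject
    anything Secrets Manager would refuse, so a bad input fails loudly with
    the offending value instead of surfacing as an opaque ValidationException."""
    name = f"{source_account_id}/{source_region}/{secret_name}"
    if not _VALID_NAME.match(name):
        raise ValueError(f"invalid backup secret name: {name!r}")
    return name


def create_secret_kwargs(backup_name: str, secret_data: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble create_secret arguments. Description is optional in a
    DescribeSecret response, so forward it only when present instead of
    indexing secret_data["Description"] unconditionally."""
    kwargs: Dict[str, Any] = {"Name": backup_name}
    description = secret_data.get("Description")
    if description:
        kwargs["Description"] = description
    return kwargs


# Constructed stand-in for describe_secret (assumption: not real AWS data).
# One secret has a Description, the other does not.
_FAKE_SECRETS = {
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password-AbCdEf": {
        "Name": "prod/db-password",
        "Description": "Production DB credentials",
    },
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-key-GhIjKl": {
        "Name": "api-key",
    },
}


def fake_describe(secret_id: str) -> Dict[str, Any]:
    """Accepts an ARN or a friendly name, like the real DescribeSecret."""
    for arn, data in _FAKE_SECRETS.items():
        if secret_id in (arn, data["Name"]):
            return data
    raise KeyError(secret_id)


def handle_event(event_detail: Dict[str, Any], source_account_id: str, source_region: str,
                 describe: Callable[[str], Dict[str, Any]] = fake_describe) -> Dict[str, Any]:
    """Mirror the Lambda's dispatch on eventName (the CreateSecret branch and
    the event layout are assumptions), normalise the identifier to a friendly
    name and return the create_secret arguments for the backup account."""
    event_name = event_detail["eventName"]
    params = event_detail["requestParameters"]
    if event_name == "CreateSecret":
        secret_id = params["name"]
    elif event_name in ("TagResource", "UntagResource", "UpdateSecret"):
        secret_id = params["secretId"]
    else:
        raise ValueError(f"unhandled event {event_name}")
    secret_data = describe(secret_id)
    backup = backup_secret_name(source_account_id, source_region, secret_data["Name"])
    return create_secret_kwargs(backup, secret_data)


if __name__ == "__main__":
    arn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password-AbCdEf"
    # Feeding the raw ARN into the name scheme is exactly the reported bug.
    try:
        backup_secret_name("111122223333", "us-east-1", arn)
    except ValueError as exc:
        print(exc)
    print(handle_event({"eventName": "TagResource", "requestParameters": {"secretId": arn}},
                       "111122223333", "us-east-1"))
```

The validation step is deliberately placed before the cross-account call: a Lambda that replicates secrets typically has create/update rights in the backup account, so failing on the source side with a clear message is preferable to a half-applied replication that only shows up in CloudWatch.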