Address minor suggestions & concerns raised by core team

mabuaisha · mabuaisha · commit 1e21cf0d1cf1 · 2025-03-27T19:15:55.000+01:00
diff --git a/localstack-core/localstack/services/secretsmanager/provider.py b/localstack-core/localstack/services/secretsmanager/provider.py
@@ -738,7 +738,7 @@ def backend_rotate_secret(
     # Resolve rotation_lambda_arn and fallback to previous value if its missing
     # from the current request
     rotation_lambda_arn = rotation_lambda_arn or secret.rotation_lambda_arn
-
+    rotation_period = 0
     if rotation_lambda_arn:
         if len(rotation_lambda_arn) > 2048:
             msg = "RotationLambdaARN must <= 2048 characters long."
diff --git a/localstack-core/localstack/testing/snapshots/transformer_utility.py b/localstack-core/localstack/testing/snapshots/transformer_utility.py
@@ -648,6 +648,19 @@ def secretsmanager_api():
                 ),
                 "version_uuid",
             ),
+            KeyValueBasedTransformer(
+                lambda k, v: (
+                    v
+                    if (
+                        isinstance(k, str)
+                        and k == "RotationLambdaARN"
+                        and isinstance(v, str)
+                        and re.match(PATTERN_ARN, v)
+                    )
+                    else None
+                ),
+                "lambda-arn",
+            ),
             SortingTransformer("VersionStages"),
             SortingTransformer("Versions", lambda e: e.get("CreatedDate")),
         ]
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.py b/tests/aws/services/secretsmanager/test_secretsmanager.py
@@ -117,9 +117,6 @@ def _setup_rotation_secret(
             Description="testing rotation of secrets",
         )
 
-        sm_snapshot.add_transformer(
-            sm_snapshot.transform.key_value("RotationLambdaARN", "lambda-arn")
-        )
         sm_snapshot.add_transformers_list(
             sm_snapshot.transform.secretsmanager_secret_id_arn(cre_res, 0)
         )
@@ -139,6 +136,29 @@ def _setup_rotation_secret(
         )
         return cre_res["VersionId"], function_arn
 
+    @staticmethod
+    def _setup_invalid_rotation_secret(
+        invalid_arn: str | None, invalid_snapshot_key: str, sm_snapshot, secret_name, aws_client
+    ):
+        create_secret = aws_client.secretsmanager.create_secret(
+            Name=secret_name, SecretString="init"
+        )
+        sm_snapshot.add_transformer(
+            sm_snapshot.transform.secretsmanager_secret_id_arn(create_secret, 0)
+        )
+        sm_snapshot.match("create_secret", create_secret)
+        rotation_config = {
+            "SecretId": secret_name,
+            "RotationRules": {
+                "AutomaticallyAfterDays": 1,
+            },
+        }
+        if invalid_arn:
+            rotation_config["RotationLambdaARN"] = invalid_arn
+        with pytest.raises(Exception) as e:
+            aws_client.secretsmanager.rotate_secret(**rotation_config)
+        sm_snapshot.match(invalid_snapshot_key, e.value.response)
+
     def _assert_after_rotate_secret_with_lambda_success(
         self,
         sm_snapshot,
@@ -672,28 +692,27 @@ def test_rotate_secret_multiple_times_with_lambda_success(
     def test_rotate_secret_invalid_lambda_arn(
         self, secret_name, aws_client, account_id, sm_snapshot
     ):
-        create_secret = aws_client.secretsmanager.create_secret(
-            Name=secret_name, SecretString="init"
-        )
-        sm_snapshot.add_transformer(
-            sm_snapshot.transform.secretsmanager_secret_id_arn(create_secret, 0)
-        )
-        sm_snapshot.match("create_secret", create_secret)
-
         region_name = aws_client.secretsmanager.meta.region_name
         invalid_arn = (
             f"arn:aws:lambda:{region_name}:{account_id}:function:rotate_secret_invalid_lambda_arn"
         )
-        with pytest.raises(Exception) as e:
-            aws_client.secretsmanager.rotate_secret(
-                SecretId=secret_name,
-                RotationLambdaARN=invalid_arn,
-                RotationRules={
-                    "AutomaticallyAfterDays": 1,
-                },
-            )
-        sm_snapshot.match("rotate_secret_invalid_arn_exc", e.value.response)
+        self._setup_invalid_rotation_secret(
+            invalid_arn, "rotate_secret_invalid_arn_exc", sm_snapshot, secret_name, aws_client
+        )
+        describe_secret = aws_client.secretsmanager.describe_secret(SecretId=secret_name)
+        sm_snapshot.match("describe_secret", describe_secret)
+        assert "RotationEnabled" not in describe_secret
+        assert "RotationRules" not in describe_secret
+        assert "RotationLambdaARN" not in describe_secret
 
+    @markers.snapshot.skip_snapshot_verify(paths=["$..Error", "$..Message"])
+    @markers.aws.validated
+    def test_first_rotate_secret_with_missing_lambda_arn(
+        self, secret_name, aws_client, account_id, sm_snapshot
+    ):
+        self._setup_invalid_rotation_secret(
+            None, "rotate_secret_no_arn_exc", sm_snapshot, secret_name, aws_client
+        )
         describe_secret = aws_client.secretsmanager.describe_secret(SecretId=secret_name)
         sm_snapshot.match("describe_secret", describe_secret)
         assert "RotationEnabled" not in describe_secret
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.snapshot.json b/tests/aws/services/secretsmanager/test_secretsmanager.snapshot.json
@@ -4860,5 +4860,45 @@
         }
       }
     }
+  },
+  "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_first_rotate_secret_with_missing_lambda_arn": {
+    "recorded-date": "27-03-2025, 16:33:46",
+    "recorded-content": {
+      "create_secret": {
+        "ARN": "arn:<partition>:secretsmanager:<region>:111111111111:secret:<SecretId-0idx><ArnPart-0idx>",
+        "Name": "<SecretId-0idx>",
+        "VersionId": "<version_uuid:1>",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "rotate_secret_no_arn_exc": {
+        "Error": {
+          "Code": "InvalidRequestException",
+          "Message": "No Lambda rotation function ARN is associated with this secret."
+        },
+        "Message": "No Lambda rotation function ARN is associated with this secret.",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      },
+      "describe_secret": {
+        "ARN": "arn:<partition>:secretsmanager:<region>:111111111111:secret:<SecretId-0idx><ArnPart-0idx>",
+        "CreatedDate": "datetime",
+        "LastChangedDate": "datetime",
+        "Name": "<SecretId-0idx>",
+        "VersionIdsToStages": {
+          "<version_uuid:1>": [
+            "AWSCURRENT"
+          ]
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      }
+    }
   }
 }
diff --git a/tests/aws/services/secretsmanager/test_secretsmanager.validation.json b/tests/aws/services/secretsmanager/test_secretsmanager.validation.json
@@ -41,6 +41,9 @@
   "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_exp_raised_on_creation_of_secret_scheduled_for_deletion": {
     "last_validated_date": "2024-03-15T08:13:16+00:00"
   },
+  "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_first_rotate_secret_with_missing_lambda_arn": {
+    "last_validated_date": "2025-03-27T16:33:46+00:00"
+  },
   "tests/aws/services/secretsmanager/test_secretsmanager.py::TestSecretsManager::test_force_delete_deleted_secret": {
     "last_validated_date": "2024-10-11T14:33:45+00:00"
   },
