I'm connecting my CodePipeline to GitHub, so I added these lines:
CodePipelineSource.gitHub("username/repo", "main", {
authentication: cdk.SecretValue.secretsManager("github-token")
})
and when I run cdk deploy, it fails expectedly with:
Pipeline/Pipeline (Pipeline9850B417) Secrets Manager can't find the specified secret. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceNotFoundException; Request ID: eaa59d67-bb64-472c-abc4-9d4896c09d7e; Proxy: null)
Is it possible for CDK to create the secret, with a blank or placeholder value, so that it would still fail with some sort of access denied, but then I can go to the AWS console and just fill in the value?
Clarification: I'm not expecting CDK to create an OAuth token. What I wanted to achieve is run cdk deploy, have it fail, go to Secrets Manager and find the secret with a placeholder value, enter the value, run cdk deploy again, and succeed that time.
You create a secret just like any other resource.
const secret = new secretsmanager.Secret(this, 'Secret');
It will populate it with a generated placeholder value. You can also grant some role read/write access to the secret with secret.grantRead(role);
Refer to the documentation: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html
You also need to tell the CDK that your pipeline depends on the secret with
my_pipeline.node.addDependency(secret);