apache
diff --git a/‎nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/main/java/org/apache/nifi/parameter/aws/AwsSecretsManagerParameterProvider.java‎
Lines changed: 66 additions & 12 deletions b/‎nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/main/java/org/apache/nifi/parameter/aws/AwsSecretsManagerParameterProvider.java‎
Lines changed: 66 additions & 12 deletions
@@ -31,6 +31,7 @@
 import org.apache.nifi.parameter.AbstractParameterProvider;
 import org.apache.nifi.parameter.Parameter;
 import org.apache.nifi.parameter.ParameterGroup;
+import org.apache.nifi.parameter.ParameterTag;
 import org.apache.nifi.parameter.VerifiableParameterProvider;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.processors.aws.credentials.provider.AwsCredentialsProviderService;
@@ -45,23 +46,24 @@
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.retries.DefaultRetryStrategy;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
+import software.amazon.awssdk.services.secretsmanager.model.DescribeSecretRequest;
+import software.amazon.awssdk.services.secretsmanager.model.DescribeSecretResponse;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
 import software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ListSecretsResponse;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
 import software.amazon.awssdk.services.secretsmanager.model.SecretListEntry;
 import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;
+import software.amazon.awssdk.services.secretsmanager.model.Tag;
 
 import java.time.Duration;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Comparator;
-import java.util.HashSet;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
 import java.util.regex.Pattern;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
@@ -77,7 +79,7 @@
         "key/value pairs in the secret mapping to Parameters in the group.")
 public class AwsSecretsManagerParameterProvider extends AbstractParameterProvider implements VerifiableParameterProvider {
     enum ListingStrategy implements DescribedValue {
-        ENUMERATION("Enumerate Secret Names", "Requires a set of secret names to fetch. AWS actions required: GetSecretValue."),
+        ENUMERATION("Enumerate Secret Names", "Requires a set of secret names to fetch. AWS actions required: DescribeSecret and GetSecretValue."),
 
         PATTERN("Match Pattern", "Requires a regular expression pattern to match secret names. AWS actions required: ListSecrets and GetSecretValue.");
 
@@ -196,10 +198,16 @@ public List<ParameterGroup> fetchParameters(final ConfigurationContext context)
 
         // Fetch either by pattern or by enumerated list. See description of SECRET_LISTING_STRATEGY for more details.
         final ListingStrategy listingStrategy = context.getProperty(SECRET_LISTING_STRATEGY).asAllowableValue(ListingStrategy.class);
-        final Set<String> fetchSecretNames = new HashSet<>();
+        final Map<String, List<Tag>> secretNameToTags = new HashMap<>();
+
         if (listingStrategy == ListingStrategy.ENUMERATION) {
             final String secretNames = context.getProperty(SECRET_NAMES).getValue();
-            fetchSecretNames.addAll(Arrays.asList(secretNames.split(",")));
+            for (final String secretName : secretNames.split(",")) {
+                final String trimmedName = secretName.trim();
+                // For enumeration strategy, we need to call DescribeSecret to get tags
+                final List<Tag> tags = describeSecretTags(secretsManager, trimmedName);
+                secretNameToTags.put(trimmedName, tags);
+            }
         } else {
             final Pattern secretNamePattern = Pattern.compile(context.getProperty(SECRET_NAME_PATTERN).getValue());
 
@@ -212,7 +220,9 @@ public List<ParameterGroup> fetchParameters(final ConfigurationContext context)
                         getLogger().debug("Secret [{}] does not match the secret name pattern {}", secretName, secretNamePattern);
                         continue;
                     }
-                    fetchSecretNames.add(secretName);
+                    // ListSecrets response includes tags, so we can use them directly
+                    final List<Tag> tags = entry.hasTags() ? entry.tags() : List.of();
+                    secretNameToTags.put(secretName, tags);
                 }
                 final String nextToken = listSecretsResponse.nextToken();
                 if (nextToken == null) {
@@ -223,8 +233,10 @@ public List<ParameterGroup> fetchParameters(final ConfigurationContext context)
             }
         }
 
-        for (final String secretName : fetchSecretNames) {
-            final List<ParameterGroup> secretParameterGroups = fetchSecret(secretsManager, secretName);
+        for (final Map.Entry<String, List<Tag>> entry : secretNameToTags.entrySet()) {
+            final String secretName = entry.getKey();
+            final List<ParameterTag> parameterTags = convertTags(entry.getValue());
+            final List<ParameterGroup> secretParameterGroups = fetchSecret(secretsManager, secretName, parameterTags);
             groups.addAll(secretParameterGroups);
         }
         return groups;
@@ -257,7 +269,8 @@ public List<ConfigVerificationResult> verify(final ConfigurationContext context,
         return results;
     }
 
-    private List<ParameterGroup> fetchSecret(final SecretsManagerClient secretsManager, final String secretName) {
+    private List<ParameterGroup> fetchSecret(final SecretsManagerClient secretsManager, final String secretName,
+                                              final List<ParameterTag> tags) {
         final List<ParameterGroup> groups = new ArrayList<>();
 
         final List<Parameter> parameters = new ArrayList<>();
@@ -289,7 +302,7 @@ private List<ParameterGroup> fetchSecret(final SecretsManagerClient secretsManag
                 }
                 final String parameterValue = valueNode.asText();
 
-                parameters.add(createParameter(parameterName, parameterValue));
+                parameters.add(createParameter(parameterName, parameterValue, tags));
             }
 
             groups.add(new ParameterGroup(secretName, parameters));
@@ -302,14 +315,55 @@ private List<ParameterGroup> fetchSecret(final SecretsManagerClient secretsManag
         }
     }
 
-    private Parameter createParameter(final String parameterName, final String parameterValue) {
+    private Parameter createParameter(final String parameterName, final String parameterValue,
+                                       final List<ParameterTag> tags) {
         return new Parameter.Builder()
                 .name(parameterName)
                 .value(parameterValue)
                 .provided(true)
+                .tags(tags)
                 .build();
     }
 
+    /**
+     * Retrieves tags for a secret using DescribeSecret API.
+     * This is needed for the ENUMERATION strategy since GetSecretValue does not return tags.
+     *
+     * @param secretsManager the Secrets Manager client
+     * @param secretName the name of the secret
+     * @return list of tags associated with the secret
+     */
+    private List<Tag> describeSecretTags(final SecretsManagerClient secretsManager, final String secretName) {
+        try {
+            final DescribeSecretRequest describeRequest = DescribeSecretRequest.builder()
+                    .secretId(secretName)
+                    .build();
+            final DescribeSecretResponse describeResponse = secretsManager.describeSecret(describeRequest);
+            return describeResponse.hasTags() ? describeResponse.tags() : List.of();
+        } catch (final ResourceNotFoundException e) {
+            getLogger().debug("Secret [{}] not found when describing for tags", secretName);
+            return List.of();
+        } catch (final SecretsManagerException e) {
+            getLogger().warn("Error describing secret [{}] for tags: {}", secretName, e.getMessage());
+            return List.of();
+        }
+    }
+
+    /**
+     * Converts AWS Secrets Manager Tags to NiFi ParameterTags.
+     *
+     * @param awsTags the AWS tags to convert
+     * @return list of NiFi ParameterTag objects
+     */
+    private List<ParameterTag> convertTags(final List<Tag> awsTags) {
+        if (awsTags == null || awsTags.isEmpty()) {
+            return List.of();
+        }
+        return awsTags.stream()
+                .map(tag -> new ParameterTag(tag.key(), tag.value()))
+                .toList();
+    }
+
     private ClientOverrideConfiguration createConfiguration() {
         return ClientOverrideConfiguration.builder()
                 .retryStrategy(DefaultRetryStrategy.doNotRetry())