💾 Archived View for cfdocs.wetterberg.nu › transform-aws-secretsmanager.gemini captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
Use the `AWS::SecretsManager` transform, a macro hosted by AWS CloudFormation, to specify a Lambda function that performs secret rotation. When you create a change set or update a stack using a change set, and the template references `AWS::SecretsManager`, AWS CloudFormation generates a Lambda function to perform the rotation. Use the [`HostedRotationLambda`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html) property type of the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource to specify the attributes of the desired Lambda function.
Updating stacks using change sets
The Lambda function is included as a nested stack (that is, an `AWS::CloudFormation::Stack` resource) in the processed template. This resource in turn links to the appropriate function template in the AWS Secrets Manager Rotation Lambda Functions repository, based on the `RotationType` specified in the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource.
AWS Secrets Manager Rotation Lambda Functions
Use the `AWS::SecretsManager` transform at the top level of the template. You cannot use `AWS::SecretsManager` as a transform embedded in any other template section.
The value for the transform declaration must be a literal string. You cannot use a parameter or function to specify a transform value.
To include `AWS::SecretsManager` at the top level of a template, in the `Transform` section, use the following syntax.
JSON:

```json
{
  "Transform": "AWS::SecretsManager-2020-07-23",
  . . .
}
```

YAML:

```yaml
Transform: AWS::SecretsManager-2020-07-23
```
The `AWS::SecretsManager` transform does not accept any parameters. Instead, specify the properties of the secret rotation Lambda function you want to create using the [`HostedRotationLambda`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html) property type of the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resources in the stack template.
For general considerations about using macros, see Considerations when creating AWS CloudFormation macro definitions.
Considerations when creating AWS CloudFormation macro definitions
The following partial template example shows how to use the `AWS::SecretsManager` transform to specify a Lambda function for secret rotation on a MySQL database for a single user, based on the properties specified in the `HostedRotationLambda` property type of the `AWS::SecretsManager::RotationSchedule` resource. Note that the example places the rotation function in the VPC's default security group, which permits all traffic between the resources attached to it. In production, give the function its own security group, let the database accept connections only from that group, and make sure the chosen subnets give the function a route to the Secrets Manager endpoint (through a NAT gateway or an interface VPC endpoint); without that route, rotation fails.
For complete template examples illustrating secret rotations for RDS databases, Redshift clusters, and Document DB clusters, see the Examples section of AWS::SecretsManager::RotationSchedule.
AWS::SecretsManager::RotationSchedule
JSON:

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {

    . . .

    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": {
          "Ref": "MyRDSInstanceRotationSecret"
        },
        "HostedRotationLambda": {
          "RotationType": "MySQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": {
            "Fn::GetAtt": [
              "TestVPC",
              "DefaultSecurityGroup"
            ]
          },
          "VpcSubnetIds": {
            "Fn::Join": [
              ",",
              [
                {
                  "Ref": "TestSubnet01"
                },
                {
                  "Ref": "TestSubnet02"
                }
              ]
            ]
          }
        },
        "RotationRules": {
          "AutomaticallyAfterDays": 30
        }
      }
    }
  }
}
```
YAML:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
Resources:

  . . .

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    # The secret must already be attached to the database before rotation is scheduled
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        # Network placement of the generated function: it must reach the database
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        AutomaticallyAfterDays: 30
```
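A complete template of the same shape, written here as an added example rather than taken from the AWS documentation. It builds the MySQL single-user rotation template as a Python dict (the VPC and subnets are assumed to exist and are passed as parameters; logical names such as `RotationSecurityGroup` and `DbSecret` are this example's own), gives the generated rotation function a dedicated security group instead of the VPC default group, and then lints the result against the constraints stated above: a top-level, literal-string `Transform`; no embedded `Fn::Transform` of this macro; a documented `RotationType`; subnets and security groups given together. `KNOWN_ROTATION_TYPES`, `build_template` and `lint` are the example's own code, not an AWS API.

```python
"""Build a complete MySQL single-user rotation template and check it against
the constraints the AWS::SecretsManager transform imposes. Added example; the
logical resource names and the lint rules are this script's own, not AWS's."""
import json

TRANSFORM = "AWS::SecretsManager-2020-07-23"

# RotationType values documented for the HostedRotationLambda property type.
KNOWN_ROTATION_TYPES = {
    f"{engine}{mode}"
    for engine in ("MySQL", "PostgreSQL", "Oracle", "MariaDB", "SQLServer", "Redshift", "MongoDB")
    for mode in ("SingleUser", "MultiUser")
}


def build_template(transform=TRANSFORM, rotation_sg=None):
    """Return the template as a dict. VpcId and SubnetIds are parameters (assumed
    to exist). `rotation_sg` overrides the security group given to the generated
    rotation function; the default is the dedicated group created below."""
    rotation_sg = rotation_sg or {"Ref": "RotationSecurityGroup"}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Transform": transform,  # must be a literal string at the top level
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
            "SubnetIds": {"Type": "List<AWS::EC2::Subnet::Id>"},
        },
        "Resources": {
            # Dedicated group for the rotation function rather than the VPC default
            # group, which allows all traffic between its own members.
            "RotationSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
                "GroupDescription": "Secrets Manager rotation function",
                "VpcId": {"Ref": "VpcId"}}},
            # The database accepts MySQL connections only from that group.
            "DbSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
                "GroupDescription": "MySQL instance", "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                          "SourceSecurityGroupId": {"Ref": "RotationSecurityGroup"}}]}},
            "DbSubnetGroup": {"Type": "AWS::RDS::DBSubnetGroup", "Properties": {
                "DBSubnetGroupDescription": "MySQL subnets", "SubnetIds": {"Ref": "SubnetIds"}}},
            # Secrets Manager generates the password; characters MySQL/JDBC choke on are excluded.
            "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
                "GenerateSecretString": {
                    "SecretStringTemplate": json.dumps({"username": "admin"}),
                    "GenerateStringKey": "password", "PasswordLength": 32,
                    "ExcludeCharacters": "\"@/\\"}}},
            "DbInstance": {"Type": "AWS::RDS::DBInstance", "Properties": {
                "Engine": "mysql", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
                "DBSubnetGroupName": {"Ref": "DbSubnetGroup"}, "PubliclyAccessible": False,
                "VPCSecurityGroups": [{"Ref": "DbSecurityGroup"}],
                "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"},
                "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"}}},
            # Attachment adds host/port/engine to the secret so the rotation function can connect.
            "SecretAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": {
                "SecretId": {"Ref": "DbSecret"}, "TargetId": {"Ref": "DbInstance"},
                "TargetType": "AWS::RDS::DBInstance"}},
            "RotationSchedule": {"Type": "AWS::SecretsManager::RotationSchedule",
                "DependsOn": "SecretAttachment", "Properties": {
                    "SecretId": {"Ref": "DbSecret"},
                    "HostedRotationLambda": {
                        "RotationType": "MySQLSingleUser",
                        "VpcSecurityGroupIds": rotation_sg,
                        "VpcSubnetIds": {"Fn::Join": [",", {"Ref": "SubnetIds"}]}},
                    "RotationRules": {"AutomaticallyAfterDays": 30}}},
        },
    }
    if transform is None:
        del template["Transform"]
    return template


def _dicts(node):
    """Yield every dict nested anywhere inside a template node."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _dicts(child)


def lint(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    declared = template.get("Transform")
    names = declared if isinstance(declared, list) else [declared]
    if any(t is not None and not isinstance(t, str) for t in names):
        findings.append("Transform must be a literal string, not a parameter or intrinsic function")
    hosted = any(isinstance(t, str) and t.startswith("AWS::SecretsManager") for t in names)
    for node in _dicts(template.get("Resources", {})):
        embedded = node.get("Fn::Transform")
        if isinstance(embedded, dict) and str(embedded.get("Name", "")).startswith("AWS::SecretsManager"):
            findings.append("AWS::SecretsManager cannot be an embedded Fn::Transform; declare it at top level")
    for logical, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SecretsManager::RotationSchedule":
            continue
        hrl = res.get("Properties", {}).get("HostedRotationLambda")
        if hrl is None:
            continue
        if not hosted:
            findings.append(f"{logical}: HostedRotationLambda needs the {TRANSFORM} transform at top level")
        if hrl.get("RotationType") not in KNOWN_ROTATION_TYPES:
            findings.append(f"{logical}: unknown RotationType {hrl.get('RotationType')!r}")
        # The generated function's Lambda VpcConfig needs both subnets and security groups.
        if bool(hrl.get("VpcSubnetIds")) != bool(hrl.get("VpcSecurityGroupIds")):
            findings.append(f"{logical}: VpcSubnetIds and VpcSecurityGroupIds must be given together")
        # Heuristic: a GetAtt on a VPC's DefaultSecurityGroup puts the function in the default group.
        if "DefaultSecurityGroup" in json.dumps(hrl.get("VpcSecurityGroupIds", "")):
            findings.append(f"{logical}: rotation function uses the VPC default security group; "
                            "give it a dedicated group instead")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
    print(lint(build_template(rotation_sg={"Fn::GetAtt": ["TestVPC", "DefaultSecurityGroup"]})))
```

Running the script prints the JSON template and the finding the linter raises for the default-security-group variant from the partial example above. Because the transform is a macro, deploy the printed template through a change set, or acknowledge `CAPABILITY_AUTO_EXPAND` when calling `create-stack` directly. The template does not create a NAT gateway or a `secretsmanager` interface VPC endpoint; the subnets passed in must already give the function a route to the Secrets Manager endpoint, or the first rotation will time out.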