💾 Archived View for cfdocs.wetterberg.nu › transform-aws-secretsmanager.gemini captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

AWS::SecretsManager transform

Use the `AWS::SecretsManager` transform, a macro hosted by AWS CloudFormation, to specify a Lambda function that performs secret rotation. When you create a change set or update a stack using a change set, and the template references `AWS::SecretsManager`, AWS CloudFormation generates a Lambda function to perform the rotation. Use the [`HostedRotationLambda`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html) property type of the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource to specify the attributes of the desired Lambda function.

The Lambda function is included as a nested stack (that is, an `AWS::CloudFormation::Stack` resource) in the processed template. This resource in turn links to the appropriate function template in the AWS Secrets Manager Rotation Lambda Functions repository, based on the `RotationType` specified in the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource.

Usage

Use the `AWS::SecretsManager` transform at the top level of the template. You cannot use `AWS::SecretsManager` as a transform embedded in any other template section.

The value for the transform declaration must be a literal string. You cannot use a parameter or function to specify a transform value.

Syntax at the top level of a template

To include `AWS::SecretsManager` at the top level of a template, in the `Transform` section, use the following syntax.

JSON

{
  "Transform": "AWS::SecretsManager-2020-07-23",
  . . .
}

YAML

Transform: AWS::SecretsManager-2020-07-23

Parameters

The `AWS::SecretsManager` transform does not accept any parameters. Instead, specify the properties of the secret rotation Lambda function you want to create using the [`HostedRotationLambda`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html) property type of the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource in the stack template.

Remarks

For general considerations about using macros, see Considerations when creating AWS CloudFormation macro definitions.

Example

The following partial template example shows how to use the `AWS::SecretsManager` transform to specify a Lambda function for secret rotation on a MySQL database for a single user, based on the properties specified in the `HostedRotationLambda` property type of the `AWS::SecretsManager::RotationSchedule` resource.

For complete template examples illustrating secret rotation for RDS databases, Redshift clusters, and DocumentDB clusters, see the Examples section of `AWS::SecretsManager::RotationSchedule`.

JSON

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::SecretsManager-2020-07-23",
    "Resources": {

        . . .

        "MySecretRotationSchedule": {
            "Type": "AWS::SecretsManager::RotationSchedule",
            "DependsOn": "SecretRDSInstanceAttachment",
            "Properties": {
                "SecretId": {
                    "Ref": "MyRDSInstanceRotationSecret"
                },
                "HostedRotationLambda": {
                    "RotationType": "MySQLSingleUser",
                    "RotationLambdaName": "SecretsManagerRotation",
                    "VpcSecurityGroupIds": {
                        "Fn::GetAtt": [
                            "TestVPC",
                            "DefaultSecurityGroup"
                        ]
                    },
                    "VpcSubnetIds": {
                        "Fn::Join": [
                            ",",
                            [
                                {
                                    "Ref": "TestSubnet01"
                                },
                                {
                                    "Ref": "TestSubnet02"
                                }
                            ]
                        ]
                    }
                },
                "RotationRules": {
                    "AutomaticallyAfterDays": 30
                }
            }
        }
    }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
Resources:

  . . .

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        AutomaticallyAfterDays: 30
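The rules in the Usage section (the transform must be declared at the top level, its value must be a literal string, and the rotation function is described only through `HostedRotationLambda`) are easy to get wrong in a template that is assembled from several sources, and CloudFormation only reports the mistake at change-set time. The following linter is an added example, not AWS code, that checks a parsed template (JSON, or YAML already loaded into plain dicts) against those rules before deployment. It also flags a `RotationSchedule` with no `RotationRules`, which is this linter's own policy rather than a CloudFormation requirement. The two embedded templates are constructed samples: the first mirrors the example above, the second breaks every rule it checks.

```python
"""Lint a CloudFormation template for correct use of the AWS::SecretsManager transform.

Added example (not AWS documentation code). Encodes the page's stated rules:
  * the transform is declared in the top-level Transform section;
  * its value is a literal string, not a parameter or intrinsic function;
  * it is not embedded (as Fn::Transform) inside any other template section;
  * a RotationSchedule that relies on HostedRotationLambda needs the transform
    and a RotationType.
Plus one policy check of our own: a schedule should carry RotationRules.
"""
import json

TRANSFORM_NAME = "AWS::SecretsManager"
TRANSFORM_VERSION = "AWS::SecretsManager-2020-07-23"
ROTATION_SCHEDULE_TYPE = "AWS::SecretsManager::RotationSchedule"
SECTIONS = ("Resources", "Parameters", "Outputs", "Conditions", "Mappings")


def _walk(node):
    """Yield every dict nested anywhere inside node, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def lint_secrets_manager_transform(template):
    """Return a list of finding strings; an empty list means the template passes."""
    findings = []
    transform = template.get("Transform")
    # Transform may be a single string or a list of transforms.
    declared = transform if isinstance(transform, list) else [transform]
    literal = [t for t in declared if isinstance(t, str) and t.startswith(TRANSFORM_NAME)]
    if any(t is not None and not isinstance(t, str) for t in declared):
        findings.append("Transform value must be a literal string, not a parameter or function")
    # The macro is only valid at the top level; reject Fn::Transform uses inside sections.
    for section in SECTIONS:
        for node in _walk(template.get(section, {})):
            fn = node.get("Fn::Transform")
            if isinstance(fn, dict) and str(fn.get("Name", "")).startswith(TRANSFORM_NAME):
                findings.append(f"{TRANSFORM_NAME} embedded inside {section}; only valid at top level")
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if not isinstance(res, dict) or res.get("Type") != ROTATION_SCHEDULE_TYPE:
            continue
        props = res.get("Properties", {})
        hosted = props.get("HostedRotationLambda")
        if hosted is None:
            # Without HostedRotationLambda the schedule must point at its own function.
            if "RotationLambdaARN" not in props:
                findings.append(f"{name}: needs HostedRotationLambda or RotationLambdaARN")
            continue
        if not literal:
            findings.append(f"{name}: uses HostedRotationLambda but no {TRANSFORM_NAME} transform is declared")
        if not isinstance(hosted.get("RotationType"), str):
            findings.append(f"{name}: HostedRotationLambda requires RotationType (e.g. MySQLSingleUser)")
        if "RotationRules" not in props:
            findings.append(f"{name}: policy: no RotationRules, so no rotation schedule is set")
    return findings


def lint_template_json(text):
    """Convenience wrapper for a JSON template held as a string."""
    return lint_secrets_manager_transform(json.loads(text))


# Constructed sample mirroring the page's example (Resources partly elided there).
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": TRANSFORM_VERSION,
    "Resources": {
        "MySecretRotationSchedule": {
            "Type": ROTATION_SCHEDULE_TYPE,
            "DependsOn": "SecretRDSInstanceAttachment",
            "Properties": {
                "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
                "HostedRotationLambda": {
                    "RotationType": "MySQLSingleUser",
                    "RotationLambdaName": "SecretsManagerRotation",
                    "VpcSecurityGroupIds": {"Fn::GetAtt": ["TestVPC", "DefaultSecurityGroup"]},
                    "VpcSubnetIds": {"Fn::Join": [",", [{"Ref": "TestSubnet01"}, {"Ref": "TestSubnet02"}]]},
                },
                "RotationRules": {"AutomaticallyAfterDays": 30},
            },
        }
    },
}

# Constructed counter-example: parameterised Transform, embedded Fn::Transform,
# missing RotationType, missing RotationRules.
BAD_TEMPLATE = {
    "Transform": {"Ref": "TransformName"},
    "Resources": {
        "MySecretRotationSchedule": {
            "Type": ROTATION_SCHEDULE_TYPE,
            "Properties": {
                "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
                "HostedRotationLambda": {"RotationLambdaName": "SecretsManagerRotation"},
                "Fn::Transform": {"Name": TRANSFORM_NAME, "Parameters": {}},
            },
        }
    },
}

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, lint_secrets_manager_transform(tpl) or "OK")
```

Run it as a pre-deploy step (or in CI) over every template that declares a `RotationSchedule`; a non-empty findings list should fail the build before the change set is ever created.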