AWS::SecretsManager transform - AWS CloudFormation

AWS::SecretsManager transform

Use the AWS::SecretsManager transform, a macro hosted by AWS CloudFormation, to specify a Lambda function that performs secret rotation. When you create a change set or update a stack using a change set, and the template references AWS::SecretsManager, CloudFormation generates a Lambda function to perform the rotation. Use the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource to specify the attributes of the desired Lambda function.

The Lambda function is included as a nested stack (that is, an AWS::CloudFormation::Stack resource) in the processed template. This resource in turn links to the appropriate function template in the AWS Secrets Manager Rotation Lambda Functions repository, based on the RotationType specified in the AWS::SecretsManager::RotationSchedule resource.

Usage

Use the AWS::SecretsManager transform at the top level of the template. You cannot use AWS::SecretsManager as a transform embedded in any other template section.

The value for the transform declaration must be a literal string. You cannot use a parameter or function to specify a transform value.

Syntax at the top level of a template

To include AWS::SecretsManager at the top level of a template, in the Transform section, use the following syntax.

JSON

{
  "Transform": "AWS::SecretsManager-2020-07-23",
  . . .
}

YAML

Transform: AWS::SecretsManager-2020-07-23

Parameters

The AWS::SecretsManager transform does not accept any parameters. Instead, specify the properties of the secret rotation Lambda function you want to create using the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource in the stack template.

Remarks

For general considerations about using macros, see Considerations when creating AWS CloudFormation macro definitions.

Example

The following partial template example shows how to use the AWS::SecretsManager transform to specify a Lambda function for single-user secret rotation on a MySQL database (RotationType MySQLSingleUser), based on the properties specified in the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource.

For complete template examples illustrating secret rotation for Amazon RDS databases, Amazon Redshift clusters, and Amazon DocumentDB clusters, see the Examples section of AWS::SecretsManager::RotationSchedule.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    . . .
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": {
          "Ref": "MyRDSInstanceRotationSecret"
        },
        "HostedRotationLambda": {
          "RotationType": "MySQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": {
            "Fn::GetAtt": [
              "TestVPC",
              "DefaultSecurityGroup"
            ]
          },
          "VpcSubnetIds": {
            "Fn::Join": [
              ",",
              [
                { "Ref": "TestSubnet01" },
                { "Ref": "TestSubnet02" }
              ]
            ]
          }
        },
        "RotationRules": {
          "AutomaticallyAfterDays": 30
        }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
Resources:
  . . .
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        AutomaticallyAfterDays: 30
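The Usage rules above (the transform must be a top-level literal, never embedded in another section or supplied through a parameter or function) and the example template are easy to get wrong in a template that is assembled by tooling, and CloudFormation only reports the mistake when the change set is created. The following Python checker is an added example, not AWS code and not part of this page's template: it applies those rules to a parsed JSON template, requires RotationType (which selects the hosted function template) and SecretId on every RotationSchedule that uses HostedRotationLambda, and adds one least-privilege warning that is not stated on this page: the example attaches the rotation function to the VPC's default security group, which allows all traffic between its members, so the checker flags that and suggests a dedicated group. The sample template below is the page's partial example with the elided resources omitted; the broken variants (Transform given as a Ref, Transform moved into a resource, RotationType missing) are constructed here to exercise the checks.

```python
"""Static checks for a CloudFormation template that uses the
AWS::SecretsManager transform (added example; not AWS code)."""
import copy
import json

SECRETSMANAGER_TRANSFORM = "AWS::SecretsManager-2020-07-23"
ROTATION_SCHEDULE_TYPE = "AWS::SecretsManager::RotationSchedule"


def _declared_transforms(template):
    """Return (names, findings) for the top-level Transform section.
    Transform may be one literal string or a list of literal strings;
    a parameter or intrinsic function there is rejected."""
    value = template.get("Transform")
    if value is None:
        return [], []
    if isinstance(value, str):
        return [value], []
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value), []
    return [], [f"Transform must be a literal string (or list of strings), "
               f"not a parameter or intrinsic function: {value!r}"]


def _embedded_secretsmanager_transform(node):
    """True if a Fn::Transform naming AWS::SecretsManager appears anywhere
    inside node; the transform is only allowed at the top level."""
    if isinstance(node, dict):
        fn = node.get("Fn::Transform")
        if isinstance(fn, dict) and fn.get("Name") == SECRETSMANAGER_TRANSFORM:
            return True
        return any(_embedded_secretsmanager_transform(v) for v in node.values())
    if isinstance(node, list):
        return any(_embedded_secretsmanager_transform(v) for v in node)
    return False


def _uses_default_security_group(value):
    """True if VpcSecurityGroupIds is a VPC's DefaultSecurityGroup, written as
    {"Fn::GetAtt": ["Vpc", "DefaultSecurityGroup"]} or "Vpc.DefaultSecurityGroup"."""
    if isinstance(value, dict):
        attr = value.get("Fn::GetAtt")
        if isinstance(attr, list) and attr[-1:] == ["DefaultSecurityGroup"]:
            return True
        return isinstance(attr, str) and attr.endswith(".DefaultSecurityGroup")
    return isinstance(value, str) and value.endswith(".DefaultSecurityGroup")


def check_template(template):
    """Return a list of findings; an empty list means the template passes.
    Findings containing 'warning:' are least-privilege advice, not errors."""
    names, findings = _declared_transforms(template)
    transform_present = SECRETSMANAGER_TRANSFORM in names
    other_sections = {k: v for k, v in template.items() if k != "Transform"}
    if _embedded_secretsmanager_transform(other_sections):
        findings.append("AWS::SecretsManager must be declared in the top-level "
                        "Transform section, not embedded in another section")
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ROTATION_SCHEDULE_TYPE:
            continue
        props = resource.get("Properties", {})
        hosted = props.get("HostedRotationLambda")
        if hosted is None:
            continue  # schedule supplies its own RotationLambdaARN; no transform needed
        if not transform_present:
            findings.append(f"{logical_id}: HostedRotationLambda requires "
                            f"'Transform: {SECRETSMANAGER_TRANSFORM}' at the top level")
        if "SecretId" not in props:
            findings.append(f"{logical_id}: SecretId is required")
        if "RotationType" not in hosted:
            findings.append(f"{logical_id}: HostedRotationLambda.RotationType is "
                            "required; it selects the hosted rotation function")
        if _uses_default_security_group(hosted.get("VpcSecurityGroupIds")):
            findings.append(f"{logical_id}: warning: rotation function uses the VPC "
                            "default security group; prefer a dedicated group that "
                            "only allows egress to the database and Secrets Manager")
    return findings


# Constructed sample: the page's partial example with the elided resources left out.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
        "HostedRotationLambda": {
          "RotationType": "MySQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": {"Fn::GetAtt": ["TestVPC", "DefaultSecurityGroup"]},
          "VpcSubnetIds": {"Fn::Join": [",", [{"Ref": "TestSubnet01"}, {"Ref": "TestSubnet02"}]]}
        },
        "RotationRules": {"AutomaticallyAfterDays": 30}
      }
    }
  }
}
""")


def example_findings():
    """Run the checker over the sample and three constructed broken variants;
    returns {variant name: findings}."""
    variants = {"page_example": SAMPLE_TEMPLATE}
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    t["Transform"] = {"Ref": "TransformName"}  # not a literal string
    variants["transform_via_ref"] = t
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    del t["Transform"]  # moved into a resource instead of the top level
    t["Resources"]["MySecretRotationSchedule"]["Fn::Transform"] = {"Name": SECRETSMANAGER_TRANSFORM}
    variants["transform_embedded"] = t
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    hosted = t["Resources"]["MySecretRotationSchedule"]["Properties"]["HostedRotationLambda"]
    del hosted["RotationType"]
    hosted["VpcSecurityGroupIds"] = {"Ref": "RotationSecurityGroup"}  # hypothetical dedicated SG
    variants["no_rotation_type"] = t
    return {name: check_template(tpl) for name, tpl in variants.items()}


if __name__ == "__main__":
    for name, findings in example_findings().items():
        print(name, findings or "OK")
```

Run against the page's own example, the checker reports only the default-security-group warning; the three variants each produce the corresponding error. The checker reads JSON templates; YAML templates with short-form tags such as !GetAtt need a CloudFormation-aware YAML loader first, which is why the sample is kept in JSON.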