AWS::SecretsManager transform
Use the AWS::SecretsManager transform, which is a macro hosted by AWS CloudFormation, to specify an AWS Lambda function to perform secrets rotation. When you create a change set or update a CloudFormation stack using a change set, and the template references AWS::SecretsManager, CloudFormation generates an AWS Lambda function to perform secrets rotation. Use the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource to specify the attributes of the desired AWS Lambda function.
The AWS Lambda function is in a nested stack (an AWS::CloudFormation::Stack resource) in the processed template. This resource then links to the appropriate function template in the AWS Secrets Manager Rotation Lambda Functions for the AWS::SecretsManager::RotationSchedule resource.
Usage
Use the AWS::SecretsManager transform at the top level of the template. You can't use AWS::SecretsManager as a transform embedded in any other template section.
The value for the transform declaration must be a literal string. You can't use a parameter or function to specify a transform value.
Syntax at the top level of a template
To include AWS::SecretsManager at the top level of a template, in the Transform section, use the following syntax.
JSON
{ "Transform": "AWS::SecretsManager-2020-07-23", . . . }
YAML
Transform: AWS::SecretsManager-2020-07-23
Parameters
The AWS::SecretsManager transform doesn't accept any parameters. Instead, specify the properties of the secret rotation AWS Lambda function you want to create using the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resources in the stack template.
Remarks
For general considerations about using macros, see Considerations when creating CloudFormation macro definitions.
Example
The following partial template example shows how to use the AWS::SecretsManager transform to specify an AWS Lambda function for secret rotation on a MySQL database for a single user, based on the properties specified in the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource.
For complete template examples illustrating secret rotations for RDS databases, Amazon Redshift clusters, and Document DB clusters, see the Examples section of AWS::SecretsManager::RotationSchedule.
JSON
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Transform": "AWS::SecretsManager-2020-07-23",
      "Resources": {
        . . .
        "MySecretRotationSchedule": {
          "Type": "AWS::SecretsManager::RotationSchedule",
          "DependsOn": "SecretRDSInstanceAttachment",
          "Properties": {
            "SecretId": {
              "Ref": "MyRDSInstanceRotationSecret"
            },
            "HostedRotationLambda": {
              "RotationType": "MySQLSingleUser",
              "RotationLambdaName": "SecretsManagerRotation",
              "VpcSecurityGroupIds": {
                "Fn::GetAtt": [
                  "TestVPC",
                  "DefaultSecurityGroup"
                ]
              },
              "VpcSubnetIds": {
                "Fn::Join": [
                  ",",
                  [
                    { "Ref": "TestSubnet01" },
                    { "Ref": "TestSubnet02" }
                  ]
                ]
              }
            },
            "RotationRules": {
              "AutomaticallyAfterDays": 30
            }
          }
        }
      }
    }
YAML
    AWSTemplateFormatVersion: 2010-09-09
    Transform: AWS::SecretsManager-2020-07-23
    Resources:
      . . .
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        DependsOn: SecretRDSInstanceAttachment
        Properties:
          SecretId: !Ref MyRDSInstanceRotationSecret
          HostedRotationLambda:
            RotationType: MySQLSingleUser
            RotationLambdaName: SecretsManagerRotation
            VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
            VpcSubnetIds:
              Fn::Join:
                - ","
                - - Ref: TestSubnet01
                  - Ref: TestSubnet02
          RotationRules:
            AutomaticallyAfterDays: 30
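The Usage rules above (transform at the top level only, and as a literal string) are easy to get wrong in a template that then fails only at change-set time. The following pre-deployment check, an added example that is not part of the AWS documentation or of CloudFormation itself, reads a JSON template and reports any AWS::SecretsManager::RotationSchedule resource that uses HostedRotationLambda without the AWS::SecretsManager-2020-07-23 transform declared as a top-level literal; the sample templates it checks are constructed and abbreviated versions of the example above.

```python
import json

SECRETS_TRANSFORM = "AWS::SecretsManager-2020-07-23"
ROTATION_TYPE = "AWS::SecretsManager::RotationSchedule"


def check_secrets_manager_transform(template: dict) -> list:
    """Return findings (an empty list means the template satisfies the rules)."""
    findings = []
    transform = template.get("Transform")
    # Transform may be a single string or a list of strings; a parameter or
    # intrinsic function (e.g. {"Ref": ...}) is not a literal and is rejected.
    declared = transform if isinstance(transform, list) else [transform]
    has_transform = False
    for entry in declared:
        if entry is None:
            continue
        if not isinstance(entry, str):
            findings.append(f"Transform value must be a literal string, not {entry!r}")
        elif entry == SECRETS_TRANSFORM:
            has_transform = True
    # Walk Resources: collect hosted rotation schedules and flag a Transform
    # key embedded in a resource, which is not allowed (top level only).
    hosted = []
    for name, res in template.get("Resources", {}).items():
        if not isinstance(res, dict):
            continue
        if "Transform" in res:
            findings.append(f"Resource {name}: Transform cannot be embedded in a resource")
        props = res.get("Properties") or {}
        if res.get("Type") == ROTATION_TYPE and "HostedRotationLambda" in props:
            hosted.append(name)
    if hosted and not has_transform:
        findings.append(f"Resources {hosted} use HostedRotationLambda but "
                        f"{SECRETS_TRANSFORM} is not declared in the top-level Transform")
    return findings


# Constructed sample templates (abbreviated, not the page's full examples).
GOOD = json.loads("""
{"AWSTemplateFormatVersion": "2010-09-09",
 "Transform": "AWS::SecretsManager-2020-07-23",
 "Resources": {"MySecretRotationSchedule": {
   "Type": "AWS::SecretsManager::RotationSchedule",
   "Properties": {"SecretId": {"Ref": "MySecret"},
     "HostedRotationLambda": {"RotationType": "MySQLSingleUser"},
     "RotationRules": {"AutomaticallyAfterDays": 30}}}}}
""")
# Same template but with the transform given as a parameter reference (rejected).
BAD = {**GOOD, "Transform": {"Ref": "TransformName"}}
```

Run `check_secrets_manager_transform(json.load(open("template.json")))` in CI to catch the misconfiguration before CloudFormation rejects the change set.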