Create a Secrets Manager secret with automatic rotation and an Amazon Redshift cluster with AWS CloudFormation - AWS Secrets Manager

This example creates a secret and an Amazon Redshift cluster that uses the credentials in the secret as its user name and password. The template also creates a Lambda rotation function from the Rotation function templates and configures the secret to rotate automatically between 8:00 AM and 10:00 AM UTC on the first day of every month. As a security best practice, the cluster is in an Amazon VPC.

This example uses the following CloudFormation resources for Secrets Manager: AWS::SecretsManager::Secret, AWS::SecretsManager::SecretTargetAttachment, and AWS::SecretsManager::RotationSchedule.

For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide.

JSON

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    "TestVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true
      }
    },
    "TestSubnet01": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.0.96.0/19",
        "AvailabilityZone": {
          "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ]
        },
        "VpcId": { "Ref": "TestVPC" }
      }
    },
    "TestSubnet02": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.0.128.0/19",
        "AvailabilityZone": {
          "Fn::Select": [ "1", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ]
        },
        "VpcId": { "Ref": "TestVPC" }
      }
    },
    "SecretsManagerVPCEndpoint": {
      "Type": "AWS::EC2::VPCEndpoint",
      "Properties": {
        "SubnetIds": [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ],
        "SecurityGroupIds": [ { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] } ],
        "VpcEndpointType": "Interface",
        "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.secretsmanager" },
        "PrivateDnsEnabled": true,
        "VpcId": { "Ref": "TestVPC" }
      }
    },
    "MyRedshiftSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my rds instance secret",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        },
        "Tags": [ { "Key": "AppName", "Value": "MyApp" } ]
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "myyamldb",
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "ClusterSubnetGroupName": { "Ref": "ResdshiftSubnetGroup" },
        "MasterUsername": { "Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}" },
        "MasterUserPassword": { "Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}" },
        "PubliclyAccessible": false,
        "VpcSecurityGroupIds": [ { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] } ]
      }
    },
    "ResdshiftSubnetGroup": {
      "Type": "AWS::Redshift::ClusterSubnetGroup",
      "Properties": {
        "Description": "Test Group",
        "SubnetIds": [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ]
      }
    },
    "SecretRedshiftAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": { "Ref": "MyRedshiftSecret" },
        "TargetId": { "Ref": "MyRedshiftCluster" },
        "TargetType": "AWS::Redshift::Cluster"
      }
    },
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRedshiftAttachment",
      "Properties": {
        "SecretId": { "Ref": "MyRedshiftSecret" },
        "HostedRotationLambda": {
          "RotationType": "RedshiftSingleUser",
          "RotationLambdaName": "SecretsManagerRotationRedshift",
          "VpcSecurityGroupIds": { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] },
          "VpcSubnetIds": {
            "Fn::Join": [ ",", [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ] ]
          }
        },
        "RotationRules": {
          "Duration": "2h",
          "ScheduleExpression": "cron(0 8 1 * ? *)"
        }
      }
    }
  }
}
```

YAML

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23
Resources:
  TestVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  TestSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.96.0/19
      AvailabilityZone:
        Fn::Select:
          - '0'
          - Fn::GetAZs:
              Ref: AWS::Region
      VpcId:
        Ref: TestVPC
  TestSubnet02:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.128.0/19
      AvailabilityZone:
        Fn::Select:
          - '1'
          - Fn::GetAZs:
              Ref: AWS::Region
      VpcId:
        Ref: TestVPC
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SubnetIds:
        - Ref: TestSubnet01
        - Ref: TestSubnet02
      SecurityGroupIds:
        - Fn::GetAtt:
            - TestVPC
            - DefaultSecurityGroup
      VpcEndpointType: Interface
      ServiceName:
        Fn::Sub: com.amazonaws.${AWS::Region}.secretsmanager
      PrivateDnsEnabled: true
      VpcId:
        Ref: TestVPC
  MyRedshiftSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: This is my rds instance secret
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: "\"@/\\"
      Tags:
        - Key: AppName
          Value: MyApp
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: myyamldb
      NodeType: ds2.xlarge
      ClusterType: single-node
      ClusterSubnetGroupName:
        Ref: ResdshiftSubnetGroup
      MasterUsername:
        Fn::Sub: "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"
      MasterUserPassword:
        Fn::Sub: "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"
      PubliclyAccessible: false
      VpcSecurityGroupIds:
        - Fn::GetAtt:
            - TestVPC
            - DefaultSecurityGroup
  ResdshiftSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: Test Group
      SubnetIds:
        - Ref: TestSubnet01
        - Ref: TestSubnet02
  SecretRedshiftAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId:
        Ref: MyRedshiftSecret
      TargetId:
        Ref: MyRedshiftCluster
      TargetType: AWS::Redshift::Cluster
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRedshiftAttachment
    Properties:
      SecretId:
        Ref: MyRedshiftSecret
      HostedRotationLambda:
        RotationType: RedshiftSingleUser
        RotationLambdaName: SecretsManagerRotationRedshift
        VpcSecurityGroupIds:
          Fn::GetAtt:
            - TestVPC
            - DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        Duration: 2h
        ScheduleExpression: 'cron(0 8 1 * ? *)'
```
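The template above gets its security value from a handful of properties that are easy to lose during later edits: the cluster takes its master password through a Secrets Manager dynamic reference rather than a literal, PubliclyAccessible is false, a SecretTargetAttachment links the secret to the cluster, and the RotationSchedule declares DependsOn on that attachment so rotation is configured only after the connection details exist. The following is an added example, not part of the AWS documentation and not an AWS tool: a small offline lint that reads a CloudFormation template as JSON and reports when any of those properties is missing. The SAMPLE_TEMPLATE is a constructed, reduced copy of the page's resources; lint_template, weakened_copy and the finding strings are this example's own names.

```python
"""Added example (not from the AWS page): offline lint for the Secrets Manager /
Redshift hardening properties that the page's CloudFormation template relies on."""
import copy
import json
import re

# Dynamic reference syntax used by the page's template ({{resolve:secretsmanager:...}}).
DYNAMIC_REF = re.compile(r"\{\{resolve:secretsmanager:.+?\}\}")

# Constructed, reduced template mirroring the page's resources (assumption: a real
# review would json.load() the full template file instead of this literal).
SAMPLE_TEMPLATE = json.loads(r'''
{"Resources": {
  "MyRedshiftSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
    "GenerateSecretString": {"SecretStringTemplate": "{\"username\": \"admin\"}",
      "GenerateStringKey": "password", "PasswordLength": 16, "ExcludeCharacters": "\"@/\\"}}},
  "MyRedshiftCluster": {"Type": "AWS::Redshift::Cluster", "Properties": {
    "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"},
    "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"},
    "PubliclyAccessible": false}},
  "SecretRedshiftAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {"SecretId": {"Ref": "MyRedshiftSecret"},
                   "TargetId": {"Ref": "MyRedshiftCluster"}, "TargetType": "AWS::Redshift::Cluster"}},
  "MySecretRotationSchedule": {"Type": "AWS::SecretsManager::RotationSchedule",
    "DependsOn": "SecretRedshiftAttachment",
    "Properties": {"SecretId": {"Ref": "MyRedshiftSecret"},
                   "RotationRules": {"Duration": "2h", "ScheduleExpression": "cron(0 8 1 * ? *)"}}}
}}
''')


def resources_of_type(template, type_name):
    """Map logical ID -> resource for every resource of the given CloudFormation type."""
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == type_name}


def is_dynamic_secret_reference(value):
    """True when a property value is a Secrets Manager dynamic reference, either a
    plain string or wrapped in Fn::Sub, rather than a credential written into the template."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
        if isinstance(value, list):  # Fn::Sub with a variable map: [string, {vars}]
            value = value[0]
    return isinstance(value, str) and DYNAMIC_REF.search(value) is not None


def ref_target(value):
    """Logical ID behind a {"Ref": ...} value, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def lint_template(template, min_password_length=16):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    secrets = resources_of_type(template, "AWS::SecretsManager::Secret")
    clusters = resources_of_type(template, "AWS::Redshift::Cluster")
    attachments = resources_of_type(template, "AWS::SecretsManager::SecretTargetAttachment")
    schedules = resources_of_type(template, "AWS::SecretsManager::RotationSchedule")

    for name, secret in secrets.items():
        gen = secret.get("Properties", {}).get("GenerateSecretString")
        if gen is None:
            findings.append(f"{name}: password is not generated by Secrets Manager")
        elif gen.get("PasswordLength", 32) < min_password_length:  # service default is 32
            findings.append(f"{name}: PasswordLength below {min_password_length}")
        attached = [a for a, r in attachments.items()
                    if ref_target(r.get("Properties", {}).get("SecretId")) == name]
        if not attached:
            findings.append(f"{name}: no SecretTargetAttachment links it to a target")
        scheds = [s for s, r in schedules.items()
                  if ref_target(r.get("Properties", {}).get("SecretId")) == name]
        if not scheds:
            findings.append(f"{name}: no RotationSchedule, secret will never rotate")
        for s in scheds:
            depends = schedules[s].get("DependsOn", [])
            depends = [depends] if isinstance(depends, str) else depends
            if not any(a in depends for a in attached):
                findings.append(f"{s}: missing DependsOn on the secret's attachment")

    for name, cluster in clusters.items():
        props = cluster.get("Properties", {})
        if not is_dynamic_secret_reference(props.get("MasterUserPassword")):
            findings.append(f"{name}: MasterUserPassword is not a Secrets Manager dynamic reference")
        if props.get("PubliclyAccessible") is not False:
            findings.append(f"{name}: PubliclyAccessible is not explicitly false")
    return findings


def weakened_copy(template):
    """Constructed negative case: literal password, public cluster, rotation without DependsOn."""
    weak = copy.deepcopy(template)
    props = weak["Resources"]["MyRedshiftCluster"]["Properties"]
    props["MasterUserPassword"] = "literal-password-placeholder"
    props["PubliclyAccessible"] = True
    weak["Resources"]["MySecretRotationSchedule"].pop("DependsOn")
    return weak


if __name__ == "__main__":
    print("page template:", lint_template(SAMPLE_TEMPLATE) or "no findings")
    for finding in lint_template(weakened_copy(SAMPLE_TEMPLATE)):
        print("weakened template:", finding)
```

The check is intentionally conservative: a cluster whose PubliclyAccessible key is absent is reported, because the reviewer wants the intent written down rather than inherited from a service default. Run it against a full template by replacing SAMPLE_TEMPLATE with json.load() of the file; YAML templates would first need a CloudFormation-aware YAML loader, which this example does not include.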