使用 AWS CloudFormation 为 Amazon RDS MySQL 数据库实例创建 Secrets Manager 秘密 - AWS Secrets Manager

使用 AWS CloudFormation 为 Amazon RDS MySQL 数据库实例创建 Secrets Manager 秘密

此示例将创建一个秘密,并使用该秘密中的凭证作为主用户名和密码,创建一个 Amazon RDS MySQL 数据库实例。Secrets Manager 会生成一个包含 32 个字符的密码。作为安全最佳实践,该数据库位于 Amazon VPC 中。

有关为在此模板中创建的秘密启用轮换的教程,请参阅《为 AWS Secrets Manager 设置单用户轮换》。

有关已启用自动轮换的示例,请参阅《使用自动轮换的 Amazon RDS 凭证创建秘密》。

此示例将以下 CloudFormation 资源用于 Secrets Manager:AWS::SecretsManager::Secret 和 AWS::SecretsManager::SecretTargetAttachment。

有关使用 AWS CloudFormation 创建资源的信息,请参阅《AWS CloudFormation 用户指南》中的了解模板基础知识

JSON

{ "Description": "This is an example template to demonstrate CloudFormation resources for Secrets Manager", "Resources": { "TestVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "Tags": [ { "Key": "Name", "Value": "SecretsManagerTutorial" } ] } }, "TestSubnet01": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "10.0.96.0/19", "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ] }, "VpcId": { "Ref": "TestVPC" } } }, "TestSubnet02": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "10.0.128.0/19", "AvailabilityZone": { "Fn::Select": [ "1", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ] }, "VpcId": { "Ref": "TestVPC" } } }, "SecretsManagerTutorialAdmin": { "Type": "AWS::SecretsManager::Secret", "Properties": { "Description": "AWS RDS admin credentials", "GenerateSecretString": { "SecretStringTemplate": "{\"username\": \"admin\"}", "GenerateStringKey": "password", "PasswordLength": 32, "ExcludeCharacters": "/@\"'\\" } } }, "MyDBInstance": { "Type": "AWS::RDS::DBInstance", "Properties": { "AllocatedStorage": 20, "DBInstanceClass": "db.t2.micro", "DBInstanceIdentifier":"SecretsManagerTutorialDB", "Engine": "mysql", "DBSubnetGroupName": { "Ref": "MyDBSubnetGroup" }, "MasterUsername": { "Fn::Sub": "{{resolve:secretsmanager:${SecretsManagerTutorialAdmin}::username}}" }, "MasterUserPassword": { "Fn::Sub": "{{resolve:secretsmanager:${SecretsManagerTutorialAdmin}::password}}" }, "BackupRetentionPeriod": 0, "VPCSecurityGroups": [ { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] } ] } }, "MyDBSubnetGroup": { "Type": "AWS::RDS::DBSubnetGroup", "Properties": { "DBSubnetGroupDescription": "Test Group", "SubnetIds": [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ] } }, "SecretRDSInstanceAttachment": { "Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": { "SecretId": { "Ref": "SecretsManagerTutorialAdmin" }, "TargetId": { 
"Ref": "MyDBInstance" }, "TargetType": "AWS::RDS::DBInstance" } } } }

YAML

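# Example template: a Secrets Manager secret holding generated admin credentials
# and an RDS MySQL instance (inside a VPC) whose master username/password are
# resolved from that secret at deploy time. Mirrors the JSON variant on this page.
Description: >-
  This is an example template to demonstrate CloudFormation resources for
  Secrets Manager
Resources:
  # Network: one VPC and two subnets in different AZs (a DB subnet group must
  # span at least two AZs).
  TestVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: SecretsManagerTutorial
  TestSubnet01:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: 10.0.96.0/19
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: 'AWS::Region'
      VpcId: !Ref TestVPC
  TestSubnet02:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: 10.0.128.0/19
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: 'AWS::Region'
      VpcId: !Ref TestVPC
  # The secret: Secrets Manager generates a 32-character password and stores it
  # under the "password" key beside the fixed username from SecretStringTemplate.
  SecretsManagerTutorialAdmin:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Description: AWS RDS admin credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # Excludes " @ / \ and ' from the generated password. The JSON variant on
        # this page also excludes the single quote; aligned here so both templates
        # use the same password alphabet ('' is an escaped ' in a YAML
        # single-quoted scalar).
        ExcludeCharacters: '"@/\'''
  MyDBInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      DBInstanceIdentifier: SecretsManagerTutorialDB
      Engine: mysql
      DBSubnetGroupName: !Ref MyDBSubnetGroup
      # Credentials are never written into the template: CloudFormation resolves
      # them from the secret through dynamic references when the stack is deployed.
      MasterUsername: !Sub '{{resolve:secretsmanager:${SecretsManagerTutorialAdmin}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${SecretsManagerTutorialAdmin}::password}}'
      # 0 disables automated backups; suitable for a throwaway tutorial instance only.
      BackupRetentionPeriod: 0
      # Uses the VPC's default security group, whose rules are not defined in
      # this template. NOTE(review): StorageEncrypted is not set here; consider
      # enabling it for anything beyond a tutorial.
      VPCSecurityGroups:
        - !GetAtt
          - TestVPC
          - DefaultSecurityGroup
  MyDBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: Test Group
      SubnetIds:
        - !Ref TestSubnet01
        - !Ref TestSubnet02
  # Links the secret to the instance so Secrets Manager can populate the secret
  # with the instance's connection details; the rotation tutorial linked above
  # builds on this attachment.
  SecretRDSInstanceAttachment:
    Type: 'AWS::SecretsManager::SecretTargetAttachment'
    Properties:
      SecretId: !Ref SecretsManagerTutorialAdmin
      TargetId: !Ref MyDBInstance
      TargetType: 'AWS::RDS::DBInstance'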