AWS::SecretsManager transform - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::SecretsManager transform

Use the AWS::SecretsManager transform, which is a macro hosted by Amazon CloudFormation, to specify an Amazon Lambda function to perform secrets rotation. When Creating a change set or Updating stacks using change sets, and the template references AWS::SecretsManager, Amazon CloudFormation generates an Amazon Lambda function to perform secrets rotation. Use the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource to specify the attributes of the desired Amazon Lambda function.

The Amazon Lambda function is in a nested stack (an AWS::CloudFormation::Stack resource) in the processed template. This resource then links to the appropriate function template in the Amazon Secrets Manager Rotation Lambda Functions repository, based on the RotationType specified in the AWS::SecretsManager::RotationSchedule resource.

Usage

Use the AWS::SecretsManager transform at the top level of the template. You can't use AWS::SecretsManager as a transform embedded in any other template section.

The value for the transform declaration must be a literal string. You can't use a parameter or function to specify a transform value.

Syntax at the top level of a template

To include AWS::SecretsManager at the top level of a template, in the Transform section, use the following syntax.

JSON

{
  "Transform": "AWS::SecretsManager-2020-07-23",
  . . .
}

YAML

Transform: AWS::SecretsManager-2020-07-23

Parameters

The AWS::SecretsManager transform doesn't accept any parameters. Instead, specify the properties of the secret rotation Amazon Lambda function you want to create using the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resources in the stack template.
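The rules stated under Usage and Parameters (top-level declaration only, literal string value, no parameters, rotation configured through HostedRotationLambda on each AWS::SecretsManager::RotationSchedule) can be checked before a template is deployed. The following added example (not AWS code) does that for a parsed template; the sample template, finding messages and function names are constructed for this example.

```python
# Added example (not AWS's code): static checks for the AWS::SecretsManager transform
# rules on this page. SAMPLE is constructed from the page's partial example.
TRANSFORM = "AWS::SecretsManager-2020-07-23"
ROTATION_SCHEDULE = "AWS::SecretsManager::RotationSchedule"

# Constructed sample mirroring the page's example (unrelated resources elided).
SAMPLE = {"AWSTemplateFormatVersion": "2010-09-09", "Transform": TRANSFORM, "Resources": {
    "MySecretRotationSchedule": {"Type": ROTATION_SCHEDULE, "Properties": {
        "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
        "HostedRotationLambda": {"RotationType": "MySQLSingleUser"},
        "RotationRules": {"AutomaticallyAfterDays": 30}}}}}

def _embedded_transforms(node):
    """Yield the Name of every Fn::Transform nested below node."""
    if isinstance(node, dict):
        if isinstance(node.get("Fn::Transform"), dict):
            yield str(node["Fn::Transform"].get("Name", ""))
        for value in node.values():
            yield from _embedded_transforms(value)
    elif isinstance(node, list):
        for item in node:
            yield from _embedded_transforms(item)

def check_template(template):
    """Return findings; an empty list means the template follows the rules on this page."""
    findings = []
    declared = template.get("Transform")
    declared = declared if isinstance(declared, list) else [declared]
    if TRANSFORM not in declared:
        findings.append("Transform section does not declare " + TRANSFORM)
    if any(v is not None and not isinstance(v, str) for v in declared):
        findings.append("Transform value must be a literal string, not a parameter or function")
    for section, body in template.items():  # embedded use in any other section is not allowed
        if section != "Transform" and any(
                n.startswith("AWS::SecretsManager") for n in _embedded_transforms(body)):
            findings.append(section + ": AWS::SecretsManager cannot be an embedded Fn::Transform")
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ROTATION_SCHEDULE:
            continue
        props = resource.get("Properties", {})
        if "RotationType" not in (props.get("HostedRotationLambda") or {}):
            findings.append(logical_id + ": no HostedRotationLambda.RotationType, so no function is generated")
        if "RotationRules" not in props:
            findings.append(logical_id + ": no RotationRules, so rotation is never scheduled")
    return findings

if __name__ == "__main__":
    print(check_template(SAMPLE) or "no findings")
```

Run it against a template loaded with json.load (or a YAML loader that resolves the short-form tags) to get the findings list; the SAMPLE template produces none.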

Remarks

For general considerations about using macros, see Considerations when creating Amazon CloudFormation macro definitions.

Example

The following partial template example shows how to use the AWS::SecretsManager transform to specify an Amazon Lambda function for secret rotation on a MySQL database for a single user, based on the properties specified in the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource.

For complete template examples illustrating secret rotations for RDS databases, Amazon Redshift clusters, and Amazon DocumentDB clusters, see the Examples section of AWS::SecretsManager::RotationSchedule.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    . . .
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": { "Ref": "MyRDSInstanceRotationSecret" },
        "HostedRotationLambda": {
          "RotationType": "MySQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] },
          "VpcSubnetIds": { "Fn::Join": [ ",", [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ] ] }
        },
        "RotationRules": { "AutomaticallyAfterDays": 30 }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
Resources:
  . . .
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        AutomaticallyAfterDays: 30