Create an Amazon Secrets Manager secret and an Amazon DocumentDB instance with Amazon CloudFormation - Amazon Secrets Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an Amazon Secrets Manager secret and an Amazon DocumentDB instance with Amazon CloudFormation

This example creates a secret and an Amazon DocumentDB instance using the credentials in the secret as the user and password. The secret has a resource-based policy attached that defines who can access the secret. The template also creates a Lambda rotation function from the Rotation function templates and configures the secret to automatically rotate between 8:00 AM and 10:00 AM UTC on the first day of every month. As a security best practice, the instance is in an Amazon VPC.

This example uses the following CloudFormation resources for Secrets Manager:

For information about creating resources with Amazon CloudFormation, see Learn template basics in the Amazon CloudFormation User Guide.

JSON

{ "AWSTemplateFormatVersion":"2010-09-09", "Transform":"AWS::SecretsManager-2020-07-23", "Resources":{ "TestVPC":{ "Type":"AWS::EC2::VPC", "Properties":{ "CidrBlock":"10.0.0.0/16", "EnableDnsHostnames":true, "EnableDnsSupport":true } }, "TestSubnet01":{ "Type":"AWS::EC2::Subnet", "Properties":{ "CidrBlock":"10.0.96.0/19", "AvailabilityZone":{ "Fn::Select":[ "0", { "Fn::GetAZs":{ "Ref":"AWS::Region" } } ] }, "VpcId":{ "Ref":"TestVPC" } } }, "TestSubnet02":{ "Type":"AWS::EC2::Subnet", "Properties":{ "CidrBlock":"10.0.128.0/19", "AvailabilityZone":{ "Fn::Select":[ "1", { "Fn::GetAZs":{ "Ref":"AWS::Region" } } ] }, "VpcId":{ "Ref":"TestVPC" } } }, "SecretsManagerVPCEndpoint":{ "Type":"AWS::EC2::VPCEndpoint", "Properties":{ "SubnetIds":[ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ], "SecurityGroupIds":[ { "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] } ], "VpcEndpointType":"Interface", "ServiceName":{ "Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager" }, "PrivateDnsEnabled":true, "VpcId":{ "Ref":"TestVPC" } } }, "MyDocDBClusterRotationSecret":{ "Type":"AWS::SecretsManager::Secret", "Properties":{ "GenerateSecretString":{ "SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}", "GenerateStringKey":"password", "PasswordLength":16, "ExcludeCharacters":"\"@/\\" }, "Tags":[ { "Key":"AppName", "Value":"MyApp" } ] } }, "MyDocDBCluster":{ "Type":"AWS::DocDB::DBCluster", "Properties":{ "DBSubnetGroupName":{ "Ref":"MyDBSubnetGroup" }, "MasterUsername":{ "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}" }, "MasterUserPassword":{ "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}" }, "VpcSecurityGroupIds":[ { "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] } ] } }, "DocDBInstance":{ "Type":"AWS::DocDB::DBInstance", "Properties":{ "DBClusterIdentifier":{ "Ref":"MyDocDBCluster" }, "DBInstanceClass":"db.r5.large" } }, "MyDBSubnetGroup":{ "Type":"AWS::DocDB::DBSubnetGroup", "Properties":{ "DBSubnetGroupDescription":"", "SubnetIds":[ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ] } }, "SecretDocDBClusterAttachment":{ "Type":"AWS::SecretsManager::SecretTargetAttachment", "Properties":{ "SecretId":{ "Ref":"MyDocDBClusterRotationSecret" }, "TargetId":{ "Ref":"MyDocDBCluster" }, "TargetType":"AWS::DocDB::DBCluster" } }, "MySecretRotationSchedule":{ "Type":"AWS::SecretsManager::RotationSchedule", "DependsOn":"SecretDocDBClusterAttachment", "Properties":{ "SecretId":{ "Ref":"MyDocDBClusterRotationSecret" }, "HostedRotationLambda":{ "RotationType":"MongoDBSingleUser", "RotationLambdaName":"MongoDBSingleUser", "VpcSecurityGroupIds":{ "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] }, "VpcSubnetIds":{ "Fn::Join":[ ",", [ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ] ] } }, "RotationRules":{ "Duration": "2h", "ScheduleExpression": "cron(0 8 1 * ? *)" } } } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::SecretsManager-2020-07-23 Resources: TestVPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true TestSubnet01: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.96.0/19 AvailabilityZone: !Select - '0' - !GetAZs Ref: AWS::Region VpcId: !Ref TestVPC TestSubnet02: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.128.0/19 AvailabilityZone: !Select - '1' - !GetAZs Ref: AWS::Region VpcId: !Ref TestVPC SecretsManagerVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: SubnetIds: - !Ref TestSubnet01 - !Ref TestSubnet02 SecurityGroupIds: - !GetAtt TestVPC.DefaultSecurityGroup VpcEndpointType: Interface ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager PrivateDnsEnabled: true VpcId: !Ref TestVPC MyDocDBClusterRotationSecret: Type: AWS::SecretsManager::Secret Properties: GenerateSecretString: SecretStringTemplate: '{"username": "someadmin","ssl": true}' GenerateStringKey: password PasswordLength: 16 ExcludeCharacters: '"@/\' Tags: - Key: AppName Value: MyApp MyDocDBCluster: Type: AWS::DocDB::DBCluster Properties: DBSubnetGroupName: !Ref MyDBSubnetGroup MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}' MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}' VpcSecurityGroupIds: - !GetAtt TestVPC.DefaultSecurityGroup DocDBInstance: Type: AWS::DocDB::DBInstance Properties: DBClusterIdentifier: !Ref MyDocDBCluster DBInstanceClass: db.r5.large MyDBSubnetGroup: Type: AWS::DocDB::DBSubnetGroup Properties: DBSubnetGroupDescription: '' SubnetIds: - !Ref TestSubnet01 - !Ref TestSubnet02 SecretDocDBClusterAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref MyDocDBClusterRotationSecret TargetId: !Ref MyDocDBCluster TargetType: AWS::DocDB::DBCluster MySecretRotationSchedule: Type: AWS::SecretsManager::RotationSchedule DependsOn: SecretDocDBClusterAttachment Properties: SecretId: !Ref MyDocDBClusterRotationSecret HostedRotationLambda: RotationType: MongoDBSingleUser RotationLambdaName: MongoDBSingleUser VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup VpcSubnetIds: !Join - ',' - - !Ref TestSubnet01 - !Ref TestSubnet02 RotationRules: Duration: 2h ScheduleExpression: cron(0 8 1 * ? *)