AWS::SecretsManager transform
Use the AWS::SecretsManager transform, which is a macro hosted by CloudFormation, to specify a Lambda function to perform secrets rotation. When creating a change set or updating stacks using change sets, and the template references AWS::SecretsManager, CloudFormation generates a Lambda function to perform secrets rotation. Use the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource to specify the attributes of the desired AWS Lambda function.

The AWS Lambda function is in a nested stack (an AWS::CloudFormation::Stack resource) in the processed template. This resource then links to the appropriate function template in the AWS Secrets Manager Rotation Lambda Functions.
Usage
Use the AWS::SecretsManager transform at the top level of the template. You can't use AWS::SecretsManager as a transform embedded in any other template section.
The value for the transform declaration must be a literal string. You can't use a parameter or function to specify a transform value.
Syntax at the top level of a template
To include AWS::SecretsManager at the top level of a template, in the Transform section, use the following syntax.
JSON
{
  "Transform": "AWS::SecretsManager-2020-07-23",
  . . .
}
YAML
Transform: AWS::SecretsManager-2020-07-23
Parameters
The AWS::SecretsManager transform doesn't accept any parameters. Instead, specify the properties of the secret rotation AWS Lambda function you want to create using the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resources in the stack template.
Remarks
For general considerations about using macros, see Considerations.
Example
The following partial template example shows how to use the AWS::SecretsManager transform to specify an AWS Lambda function for secret rotation on a MySQL database for a single user, based on the properties specified in the HostedRotationLambda property type of the AWS::SecretsManager::RotationSchedule resource. The DependsOn on the secret's target attachment ensures the attachment has written the connection details into the secret before the first rotation runs.
For complete template examples illustrating secret rotations for RDS databases, Amazon Redshift clusters, and Amazon DocumentDB clusters, see the Examples section of AWS::SecretsManager::RotationSchedule.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    . . .
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": { "Ref": "MyRDSInstanceRotationSecret" },
        "HostedRotationLambda": {
          "RotationType": "MySQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": { "Fn::GetAtt": [ "TestVPC", "DefaultSecurityGroup" ] },
          "VpcSubnetIds": { "Fn::Join": [ ",", [ { "Ref": "TestSubnet01" }, { "Ref": "TestSubnet02" } ] ] }
        },
        "RotationRules": { "AutomaticallyAfterDays": 30 }
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
Resources:
  . . .
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - Ref: TestSubnet01
              - Ref: TestSubnet02
      RotationRules:
        AutomaticallyAfterDays: 30