Buat AWS Secrets Manager rahasia dan instance Amazon DocumentDB dengan AWS CloudFormation - AWS Secrets Manager

Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

Buat AWS Secrets Manager rahasia dan instance Amazon DocumentDB dengan AWS CloudFormation

Contoh ini membuat rahasia dan instance Amazon DocumentDB menggunakan kredensi dalam rahasia sebagai pengguna dan kata sandi. Rahasianya memiliki kebijakan berbasis sumber daya terlampir yang mendefinisikan siapa yang dapat mengakses rahasia tersebut. Template juga membuat fungsi rotasi Lambda dari Templat fungsi rotasi dan mengonfigurasi rahasia untuk memutar secara otomatis antara pukul 08:00 dan 10:00 UTC pada hari pertama setiap bulan. Sebagai praktik keamanan terbaik, instancenya ada di VPC Amazon.

Contoh ini menggunakan CloudFormation sumber daya berikut untuk Secrets Manager:

Untuk informasi tentang membuat sumber daya AWS CloudFormation, lihat Mempelajari dasar-dasar templat di Panduan AWS CloudFormation Pengguna.

JSON

{ "AWSTemplateFormatVersion":"2010-09-09", "Transform":"AWS::SecretsManager-2020-07-23", "Resources":{ "TestVPC":{ "Type":"AWS::EC2::VPC", "Properties":{ "CidrBlock":"10.0.0.0/16", "EnableDnsHostnames":true, "EnableDnsSupport":true } }, "TestSubnet01":{ "Type":"AWS::EC2::Subnet", "Properties":{ "CidrBlock":"10.0.96.0/19", "AvailabilityZone":{ "Fn::Select":[ "0", { "Fn::GetAZs":{ "Ref":"AWS::Region" } } ] }, "VpcId":{ "Ref":"TestVPC" } } }, "TestSubnet02":{ "Type":"AWS::EC2::Subnet", "Properties":{ "CidrBlock":"10.0.128.0/19", "AvailabilityZone":{ "Fn::Select":[ "1", { "Fn::GetAZs":{ "Ref":"AWS::Region" } } ] }, "VpcId":{ "Ref":"TestVPC" } } }, "SecretsManagerVPCEndpoint":{ "Type":"AWS::EC2::VPCEndpoint", "Properties":{ "SubnetIds":[ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ], "SecurityGroupIds":[ { "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] } ], "VpcEndpointType":"Interface", "ServiceName":{ "Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager" }, "PrivateDnsEnabled":true, "VpcId":{ "Ref":"TestVPC" } } }, "MyDocDBClusterRotationSecret":{ "Type":"AWS::SecretsManager::Secret", "Properties":{ "GenerateSecretString":{ "SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}", "GenerateStringKey":"password", "PasswordLength":16, "ExcludeCharacters":"\"@/\\" }, "Tags":[ { "Key":"AppName", "Value":"MyApp" } ] } }, "MyDocDBCluster":{ "Type":"AWS::DocDB::DBCluster", "Properties":{ "DBSubnetGroupName":{ "Ref":"MyDBSubnetGroup" }, "MasterUsername":{ "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}" }, "MasterUserPassword":{ "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}" }, "VpcSecurityGroupIds":[ { "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] } ] } }, "DocDBInstance":{ "Type":"AWS::DocDB::DBInstance", "Properties":{ "DBClusterIdentifier":{ "Ref":"MyDocDBCluster" }, "DBInstanceClass":"db.r5.large" } }, "MyDBSubnetGroup":{ "Type":"AWS::DocDB::DBSubnetGroup", "Properties":{ "DBSubnetGroupDescription":"", "SubnetIds":[ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ] } }, "SecretDocDBClusterAttachment":{ "Type":"AWS::SecretsManager::SecretTargetAttachment", "Properties":{ "SecretId":{ "Ref":"MyDocDBClusterRotationSecret" }, "TargetId":{ "Ref":"MyDocDBCluster" }, "TargetType":"AWS::DocDB::DBCluster" } }, "MySecretRotationSchedule":{ "Type":"AWS::SecretsManager::RotationSchedule", "DependsOn":"SecretDocDBClusterAttachment", "Properties":{ "SecretId":{ "Ref":"MyDocDBClusterRotationSecret" }, "HostedRotationLambda":{ "RotationType":"MongoDBSingleUser", "RotationLambdaName":"MongoDBSingleUser", "VpcSecurityGroupIds":{ "Fn::GetAtt":[ "TestVPC", "DefaultSecurityGroup" ] }, "VpcSubnetIds":{ "Fn::Join":[ ",", [ { "Ref":"TestSubnet01" }, { "Ref":"TestSubnet02" } ] ] } }, "RotationRules":{ "Duration": "2h", "ScheduleExpression": "cron(0 8 1 * ? *)" } } } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::SecretsManager-2020-07-23 Resources: TestVPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true TestSubnet01: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.96.0/19 AvailabilityZone: !Select - '0' - !GetAZs Ref: AWS::Region VpcId: !Ref TestVPC TestSubnet02: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.128.0/19 AvailabilityZone: !Select - '1' - !GetAZs Ref: AWS::Region VpcId: !Ref TestVPC SecretsManagerVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: SubnetIds: - !Ref TestSubnet01 - !Ref TestSubnet02 SecurityGroupIds: - !GetAtt TestVPC.DefaultSecurityGroup VpcEndpointType: Interface ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager PrivateDnsEnabled: true VpcId: !Ref TestVPC MyDocDBClusterRotationSecret: Type: AWS::SecretsManager::Secret Properties: GenerateSecretString: SecretStringTemplate: '{"username": "someadmin","ssl": true}' GenerateStringKey: password PasswordLength: 16 ExcludeCharacters: '"@/\' Tags: - Key: AppName Value: MyApp MyDocDBCluster: Type: AWS::DocDB::DBCluster Properties: DBSubnetGroupName: !Ref MyDBSubnetGroup MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}' MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}' VpcSecurityGroupIds: - !GetAtt TestVPC.DefaultSecurityGroup DocDBInstance: Type: AWS::DocDB::DBInstance Properties: DBClusterIdentifier: !Ref MyDocDBCluster DBInstanceClass: db.r5.large MyDBSubnetGroup: Type: AWS::DocDB::DBSubnetGroup Properties: DBSubnetGroupDescription: '' SubnetIds: - !Ref TestSubnet01 - !Ref TestSubnet02 SecretDocDBClusterAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref MyDocDBClusterRotationSecret TargetId: !Ref MyDocDBCluster TargetType: AWS::DocDB::DBCluster MySecretRotationSchedule: Type: AWS::SecretsManager::RotationSchedule DependsOn: SecretDocDBClusterAttachment Properties: SecretId: !Ref MyDocDBClusterRotationSecret HostedRotationLambda: RotationType: MongoDBSingleUser RotationLambdaName: MongoDBSingleUser VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup VpcSubnetIds: !Join - ',' - - !Ref TestSubnet01 - !Ref TestSubnet02 RotationRules: Duration: 2h ScheduleExpression: cron(0 8 1 * ? *)