Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
# Buat AWS Secrets Manager rahasia dan instance Amazon DocumentDB dengan CloudFormation
Contoh ini membuat rahasia dan instance Amazon DocumentDB menggunakan kredensi dalam rahasia sebagai pengguna dan kata sandi. Rahasianya memiliki kebijakan berbasis sumber daya terlampir yang mendefinisikan siapa yang dapat mengakses rahasia tersebut. Template juga membuat fungsi rotasi Lambda dari [Templat fungsi rotasi](reference_available-rotation-templates.md) dan mengonfigurasi rahasia untuk memutar secara otomatis antara pukul 08:00 dan 10:00 UTC pada hari pertama setiap bulan. Sebagai praktik keamanan terbaik, instancenya ada di VPC Amazon.
Contoh ini menggunakan CloudFormation sumber daya berikut untuk Secrets Manager:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html)
Untuk informasi tentang membuat sumber daya CloudFormation, lihat [Mempelajari dasar-dasar templat](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html) di Panduan CloudFormation Pengguna.
## JSON
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Transform":"AWS::SecretsManager-2020-07-23",
"Resources":{
"TestVPC":{
"Type":"AWS::EC2::VPC",
"Properties":{
"CidrBlock":"10.0.0.0/16",
"EnableDnsHostnames":true,
"EnableDnsSupport":true
}
},
"TestSubnet01":{
"Type":"AWS::EC2::Subnet",
"Properties":{
"CidrBlock":"10.0.96.0/19",
"AvailabilityZone":{
"Fn::Select":[
"0",
{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
}
]
},
"VpcId":{
"Ref":"TestVPC"
}
}
},
"TestSubnet02":{
"Type":"AWS::EC2::Subnet",
"Properties":{
"CidrBlock":"10.0.128.0/19",
"AvailabilityZone":{
"Fn::Select":[
"1",
{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
}
]
},
"VpcId":{
"Ref":"TestVPC"
}
}
},
"SecretsManagerVPCEndpoint":{
"Type":"AWS::EC2::VPCEndpoint",
"Properties":{
"SubnetIds":[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
],
"SecurityGroupIds":[
{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
}
],
"VpcEndpointType":"Interface",
"ServiceName":{
"Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager"
},
"PrivateDnsEnabled":true,
"VpcId":{
"Ref":"TestVPC"
}
}
},
"MyDocDBClusterRotationSecret":{
"Type":"AWS::SecretsManager::Secret",
"Properties":{
"GenerateSecretString":{
"SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}",
"GenerateStringKey":"password",
"PasswordLength":16,
"ExcludeCharacters":"\"@/\\"
},
"Tags":[
{
"Key":"AppName",
"Value":"MyApp"
}
]
}
},
"MyDocDBCluster":{
"Type":"AWS::DocDB::DBCluster",
"Properties":{
"DBSubnetGroupName":{
"Ref":"MyDBSubnetGroup"
},
"MasterUsername":{
"Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"
},
"MasterUserPassword":{
"Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"
},
"VpcSecurityGroupIds":[
{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
}
]
}
},
"DocDBInstance":{
"Type":"AWS::DocDB::DBInstance",
"Properties":{
"DBClusterIdentifier":{
"Ref":"MyDocDBCluster"
},
"DBInstanceClass":"db.r5.large"
}
},
"MyDBSubnetGroup":{
"Type":"AWS::DocDB::DBSubnetGroup",
"Properties":{
"DBSubnetGroupDescription":"",
"SubnetIds":[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
]
}
},
"SecretDocDBClusterAttachment":{
"Type":"AWS::SecretsManager::SecretTargetAttachment",
"Properties":{
"SecretId":{
"Ref":"MyDocDBClusterRotationSecret"
},
"TargetId":{
"Ref":"MyDocDBCluster"
},
"TargetType":"AWS::DocDB::DBCluster"
}
},
"MySecretRotationSchedule":{
"Type":"AWS::SecretsManager::RotationSchedule",
"DependsOn":"SecretDocDBClusterAttachment",
"Properties":{
"SecretId":{
"Ref":"MyDocDBClusterRotationSecret"
},
"HostedRotationLambda":{
"RotationType":"MongoDBSingleUser",
"RotationLambdaName":"MongoDBSingleUser",
"VpcSecurityGroupIds":{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
},
"VpcSubnetIds":{
"Fn::Join":[
",",
[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
]
]
}
},
"RotationRules":{
"Duration": "2h",
"ScheduleExpression": "cron(0 8 1 * ? *)"
}
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23
Resources:
TestVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
TestSubnet01:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.96.0/19
AvailabilityZone: !Select
- '0'
- !GetAZs
Ref: AWS::Region
VpcId: !Ref TestVPC
TestSubnet02:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.128.0/19
AvailabilityZone: !Select
- '1'
- !GetAZs
Ref: AWS::Region
VpcId: !Ref TestVPC
SecretsManagerVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
SubnetIds:
- !Ref TestSubnet01
- !Ref TestSubnet02
SecurityGroupIds:
- !GetAtt TestVPC.DefaultSecurityGroup
VpcEndpointType: Interface
ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
PrivateDnsEnabled: true
VpcId: !Ref TestVPC
MyDocDBClusterRotationSecret:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString:
SecretStringTemplate: '{"username": "someadmin","ssl": true}'
GenerateStringKey: password
PasswordLength: 16
ExcludeCharacters: '"@/\'
Tags:
- Key: AppName
Value: MyApp
MyDocDBCluster:
Type: AWS::DocDB::DBCluster
Properties:
DBSubnetGroupName: !Ref MyDBSubnetGroup
MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}'
MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}'
VpcSecurityGroupIds:
- !GetAtt TestVPC.DefaultSecurityGroup
DocDBInstance:
Type: AWS::DocDB::DBInstance
Properties:
DBClusterIdentifier: !Ref MyDocDBCluster
DBInstanceClass: db.r5.large
MyDBSubnetGroup:
Type: AWS::DocDB::DBSubnetGroup
Properties:
DBSubnetGroupDescription: ''
SubnetIds:
- !Ref TestSubnet01
- !Ref TestSubnet02
SecretDocDBClusterAttachment:
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
SecretId: !Ref MyDocDBClusterRotationSecret
TargetId: !Ref MyDocDBCluster
TargetType: AWS::DocDB::DBCluster
MySecretRotationSchedule:
Type: AWS::SecretsManager::RotationSchedule
DependsOn: SecretDocDBClusterAttachment
Properties:
SecretId: !Ref MyDocDBClusterRotationSecret
HostedRotationLambda:
RotationType: MongoDBSingleUser
RotationLambdaName: MongoDBSingleUser
VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
VpcSubnetIds: !Join
- ','
- - !Ref TestSubnet01
- !Ref TestSubnet02
RotationRules:
Duration: 2h
ScheduleExpression: cron(0 8 1 * ? *)
```