I tried writing a HostedRotationLambda property in AWS CloudFormation to rotate my credentials every X days, but the deployment fails with the following error: "Transform AWS::SecretsManager-2020-07-23 failed with: PostgreSQLSingleUser is not a supported rotation engine type."
Here in the documentation it says that the above-mentioned rotation type is supported: HostedRotationLambda property.
Has anyone faced a similar issue? I am using PostgreSQL and thus want to use the above-mentioned rotation policy.
Any help will be much appreciated!
Edit: Sample Code
{
  "Transform": "AWS::SecretsManager-2020-07-23",
  "Resources": {
    "Test": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "Test",
        "Description": "Secrets for db connectivity",
        "SecretString": "{\"username\":\"test\",\"password\":\"test\",\"engine\":\"postgres\",\"host\":\"test.rds.amazonaws.com\",\"port\":\"5432\",\"dbname\":\"test\"}"
      }
    },
    "TestAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {
          "Ref": "Test"
        },
        "TargetId": "arn:aws:rds:test",
        "TargetType": "AWS::RDS::DBInstance"
      }
    },
    "TestSecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "Properties": {
        "SecretId": {
          "Ref": "Test"
        },
        "HostedRotationLambda": {
          "RotationType": "PostgreSQLSingleUser",
          "RotationLambdaName": "SecretsManagerRotation",
          "VpcSecurityGroupIds": "sg-testid",
          "VpcSubnetIds": {
            "Fn::Join": [
              ",",
              [
                "subnet-test01",
                "subnet-test02"
              ]
            ]
          }
        },
        "RotationRules": {
          "AutomaticallyAfterDays": 45
        }
      }
    }
  }
}
Maybe it has been updated since you last tried? I just used more or less the same syntax in YAML and it deployed successfully in CFN.
AuroraSecretRotationSchedule:
  Type: AWS::SecretsManager::RotationSchedule
  DependsOn:
    - SecretAuroraClusterAttachment
    - AuroraDBInstance
  Properties:
    HostedRotationLambda:
      RotationType: PostgreSQLSingleUser
      RotationLambdaName: "PGMasterSecretRotationLambda"
    SecretId: !Ref AuroraMasterSecret
    RotationRules:
      AutomaticallyAfterDays: 30
Funny thing is, I would never have gotten it if not for your question: I specified the MasterSecretArn parameter previously, which caused an error. Disclaimer: I haven't tested whether this Lambda actually works, just that it deployed without error.
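For reference, here is a complete template that ties the pieces from both posts together: a secret whose password is generated rather than hard-coded, the attachment that lets Secrets Manager fill in host/port/engine from the RDS instance, and a PostgreSQLSingleUser hosted rotation schedule that runs inside the VPC. This is an added example, not code from either post above; the parameter names, the secret name `example/db/master` and the Lambda name `example-db-rotation` are placeholders I chose, and the instance, security group and subnets are supplied as parameters rather than hard-coded.

```yaml
# Added example (not from the original posts). Assumes an existing RDS
# PostgreSQL instance, a security group the rotation Lambda will run with,
# and private subnets that can reach both the database and Secrets Manager.
AWSTemplateFormatVersion: "2010-09-09"
# The transform is what expands HostedRotationLambda into a real Lambda + role.
Transform: AWS::SecretsManager-2020-07-23

Parameters:
  DBInstanceId:
    Type: String
    Description: Identifier of the existing RDS PostgreSQL instance
  RotationSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the rotation Lambda (placeholder)
  RotationSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets the rotation Lambda runs in (placeholder)

Resources:
  # Generate the password instead of committing it in the template.
  DbMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/db/master            # placeholder name
      Description: Master credentials for the PostgreSQL instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "postgres"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  # Attaching the secret to the instance adds host, port, dbname and engine
  # to the secret JSON, which the rotation Lambda reads to connect.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbMasterSecret
      TargetId: !Ref DBInstanceId
      TargetType: AWS::RDS::DBInstance

  # Rotation must only be configured once the attachment has populated the
  # connection fields, hence the explicit DependsOn.
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbMasterSecret
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser
        RotationLambdaName: example-db-rotation   # placeholder name
        VpcSecurityGroupIds: !Ref RotationSecurityGroupId
        VpcSubnetIds: !Join [",", !Ref RotationSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 30
```

Two things to check before relying on this. First, because the template uses a transform and the hosted Lambda comes with its own IAM role, deploy it with `--capabilities CAPABILITY_IAM CAPABILITY_AUTO_EXPAND`. Second, a Lambda placed in a VPC has no internet access by default, so the subnets it runs in need a route to Secrets Manager (a VPC interface endpoint or a NAT gateway) and the database security group must allow inbound 5432 from the rotation security group; otherwise the stack deploys cleanly but the first rotation fails, which is exactly the gap the answer's disclaimer leaves open.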