
How to retrieve an arn of secret with random suffix in AWS Cloudformation

  1. I have an existing secret in Secrets Manager.
    The ARN looks like this:
    arn:aws:secretsmanager:<region>:<accountid>:secret:<mysecret>-d1fX1Y
    As we all know, the suffix is added by AWS.

"Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. "

  2. I have a CloudFormation template and I somehow need to get the ARN of this secret into the template.

The ARN is not static; it may change.

As far as I understand, it is impossible to use .Ref because the resource is not created in the same stack.

I've tried to use .Sub with a wildcard, but the result is the same, as it doesn't do a lookup.

Maybe anyone has an idea or a workaround for that?

Here is the part of the template.

Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:mysecret-*"

What you want to accomplish is to reference an ARN across stacks? For example, if you export the ARN in the stack creating the secret, another stack can reference that ARN with Fn::ImportValue.

Fn::ImportValue - AWS CloudFormation

The intrinsic function Fn::ImportValue returns the value of an output exported by another stack.

You set it up so the ARN of the secret is passed in SSM Parameter Store and then use the Parameter Store value as a parameter in your CloudFormation; you can then use the .Ref function to refer to the secret value in your CF template.

This value is the ARN of another resource (which is not another CloudFormation stack); it is just a resource created by Terraform.

Suppose you add an SSM parameter resource with the secret's ARN as its value to the .tf that creates the secret. In that case, the CloudFormation template can reference that parameter with SSM dynamic references.

It looks like this (not tested):

.tf

resource "aws_ssm_parameter" "example" {
  name  = "example"
  type  = "String"
  value = aws_secretsmanager_secret.<your_secret_name>.arn
}

aws_ssm_parameter | Resources | hashicorp/aws | Terraform Registry

template

Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "{{resolve:ssm:example}}"

Using dynamic references to specify template values - AWS CloudFormation
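Once the Lambda receives SECRET_ARN through the SSM parameter, it is worth checking that the resolved value really names the expected secret in the expected account and region rather than trusting the parameter blindly. The following is an added example for the nodejs14.x runtime used in the question, not code from the original post; the account ID, region and secret name in it are constructed sample values.

```javascript
// Secrets Manager ARNs end in "-" plus six random characters added by AWS,
// so a consumer cannot compare the ARN against a fixed string. This parser
// separates the stable parts (partition, region, account, name) from the
// random suffix and lets the Lambda verify the stable parts only.
const SECRET_ARN_RE =
  /^arn:(aws|aws-cn|aws-us-gov):secretsmanager:([a-z0-9-]+):(\d{12}):secret:([A-Za-z0-9\/_+=.@-]+)-([A-Za-z0-9]{6})$/;

// Split a Secrets Manager ARN into its parts, or return null if it is not a
// well-formed secret ARN carrying the AWS-generated suffix. The name group is
// greedy, so secret names that themselves contain hyphens are kept intact.
function parseSecretArn(arn) {
  const m = SECRET_ARN_RE.exec(String(arn));
  if (!m) return null;
  return { partition: m[1], region: m[2], accountId: m[3], name: m[4], suffix: m[5] };
}

// True only if the ARN refers to `expected.name` in `expected.accountId` and
// `expected.region`; the random suffix may be anything.
function isExpectedSecretArn(arn, expected) {
  const p = parseSecretArn(arn);
  return p !== null &&
    p.accountId === expected.accountId &&
    p.region === expected.region &&
    p.name === expected.name;
}

// Mirrors how the Lambda would read SECRET_ARN from its environment:
// return the ARN if it passes the check, otherwise fail fast at startup.
function checkedSecretArn(env, expected) {
  const arn = env.SECRET_ARN;
  if (!isExpectedSecretArn(arn, expected)) {
    throw new Error(`SECRET_ARN does not name ${expected.name} in ${expected.accountId}/${expected.region}`);
  }
  return arn;
}

// Constructed sample values standing in for process.env and the deployment's
// known account/region/secret name; they are not real identifiers.
const SAMPLE_ENV = { SECRET_ARN: "arn:aws:secretsmanager:eu-west-1:123456789012:secret:mysecret-d1fX1Y" };
const SAMPLE_EXPECTED = { accountId: "123456789012", region: "eu-west-1", name: "mysecret" };

module.exports = { parseSecretArn, isExpectedSecretArn, checkedSecretArn, SAMPLE_ENV, SAMPLE_EXPECTED };
```

In the real function, replace SAMPLE_ENV with process.env and fill SAMPLE_EXPECTED from the same Stage/Version style variables the template already passes in.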
