SecretsManagerRotation Lambda getting created even with false condition

0

Hi,
I am trying to use Secret Rotation functionality however want to keep it optional based on user input.
When I run the template it's ignoring all the resources where the condition is false, however it still goes ahead and creates the SecretsManagerRotation Lambda function.

To elaborate further, based on the shortened template below, even when condition PasswordRotationEnabled is false (parameter PasswordRotation = -1), CF attempts to create the Lambda function. It however does not create the SecretsManagerVPCEndpoint, which means that the condition is working as expected.

I also noticed that if I remove/comment out "Transform: AWS::SecretsManager-2020-07-23" from the template then CF does NOT create the Lambda function.
To my mind, the existence of "Transform: AWS::SecretsManager-2020-07-23" itself triggers the creation of the Lambda.

Unless I am doing something wrong, this seems to be a bug. Kindly help.


AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23

Parameters:
  PasswordRotation:
    Description: Specify the password rotation cycle in days (1-1000). Use -1 to disable.
    Type: Number
    Default: -1

Conditions:
  PasswordRotationEnabled: !Not [!Equals [!Ref PasswordRotation, -1]]

Resources:
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Condition: PasswordRotationEnabled
    Properties:
      SubnetIds:
        - !Ref PrimarySubnetId
        - !Ref SecondarySubnetId
      SecurityGroupIds:
        - !Ref DatabaseSecurityGroup
      VpcEndpointType: 'Interface'
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      PrivateDnsEnabled: true
      VpcId: !Ref DatabaseVpcId

  SecretRDSInstanceAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Condition: PasswordRotationEnabled
    Properties:
      SecretId: !Ref MasterUserPassword
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Condition: PasswordRotationEnabled
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MasterUserPassword
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !Ref DatabaseSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - !Ref PrimarySubnetId
              - !Ref SecondarySubnetId
      RotationRules:
        AutomaticallyAfterDays: 1

Edited by: DivAWS on Apr 15, 2021 7:42 AM

posted 3 years ago, 383 views
1 Answer
0

Answering my own question -

If a CF template references AWS::SecretsManager, CF generates a Lambda function to perform secrets rotation. We cannot make it conditional if Transform is present.

We have two options to create the AWS pre-defined Lambda secret-rotation functions for databases:

  1. Refer to the link below, which provides the source code of the Lambda functions: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html

  2. You can find the template in the AWS Serverless Application Repository. You can then either create the function using the AWS console or create it as a SAM resource via a CF template.

answered 3 years ago
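The following template is an added example (not part of the question or answer above) of the answer's second option: it drops the AWS::SecretsManager-2020-07-23 transform, deploys the MySQL single-user rotation function from the Serverless Application Repository as an AWS::Serverless::Application resource carrying the same Condition, and points the RotationSchedule at that function's ARN, so nothing rotation-related is created when PasswordRotation is -1. The ApplicationId, the SemanticVersion placeholder, the application parameter names (endpoint, functionName, vpcSubnetIds, vpcSecurityGroupIds) and the RotationLambdaARN output name are assumptions to be confirmed against the application's listing in the Serverless Application Repository; the secret, DB instance, subnets and security group are passed in as parameters to keep the template self-contained.

```yaml
AWSTemplateFormatVersion: 2010-09-09
# The Serverless transform replaces AWS::SecretsManager-2020-07-23, so no
# rotation Lambda is generated behind the scenes; it only exists as the
# explicit, conditional resource declared below.
Transform: AWS::Serverless-2016-10-31

Parameters:
  PasswordRotation:
    Description: Password rotation cycle in days (1-1000). Use -1 to disable.
    Type: Number
    Default: -1
  MasterUserPassword:
    Description: ARN of the existing Secrets Manager secret holding the DB master credentials (assumed)
    Type: String
  DBInstance:
    Description: Identifier of the existing RDS DB instance (assumed)
    Type: String
  PrimarySubnetId:
    Type: AWS::EC2::Subnet::Id
  SecondarySubnetId:
    Type: AWS::EC2::Subnet::Id
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id

Conditions:
  PasswordRotationEnabled: !Not [!Equals [!Ref PasswordRotation, -1]]

Resources:
  SecretRDSInstanceAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Condition: PasswordRotationEnabled
    Properties:
      SecretId: !Ref MasterUserPassword
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

  # Rotation function deployed from the Serverless Application Repository as a
  # normal conditional resource, instead of one generated by a transform.
  SecretsManagerRotation:
    Type: AWS::Serverless::Application
    Condition: PasswordRotationEnabled
    Properties:
      Location:
        # ApplicationId assumed; confirm it on the application's repository listing.
        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
        # Placeholder: pin a specific version from the listing.
        SemanticVersion: "PLACEHOLDER_PINNED_VERSION"
      Parameters:
        # Parameter names assumed from the application's definition.
        endpoint: !Sub https://secretsmanager.${AWS::Region}.${AWS::URLSuffix}
        functionName: SecretsManagerRotation
        vpcSubnetIds: !Join [",", [!Ref PrimarySubnetId, !Ref SecondarySubnetId]]
        vpcSecurityGroupIds: !Ref DatabaseSecurityGroup

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Condition: PasswordRotationEnabled
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MasterUserPassword
      # Output name assumed; the nested application stack exports the function ARN.
      RotationLambdaARN: !GetAtt SecretsManagerRotation.Outputs.RotationLambdaARN
      RotationRules:
        # Reuse the parameter as the cycle length; -1 never reaches here because
        # the resource is not created when the condition is false.
        AutomaticallyAfterDays: !Ref PasswordRotation
```

Deploying with --parameter-overrides PasswordRotation=-1 creates none of the three conditional resources; any value from 1 to 1000 creates all of them. The SecretsManagerVPCEndpoint from the question can be added back with the same Condition if the database subnets have no other route to the Secrets Manager API.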
