SecretsManagerRotation Lambda getting created even with false condition


Hi,
I am trying to use Secret Rotation functionality however want to keep it optional based on user input.
When I run the template, it ignores all the resources where the condition is false, but it still goes ahead and creates the SecretsManagerRotation Lambda function.

To elaborate further, based on the shortened template below, even when the condition PasswordRotationEnabled is false (parameter PasswordRotation = -1), CF attempts to create the Lambda function. It does not, however, create the SecretsManagerVPCEndpoint, which means that the condition is working as expected.

I also noticed that if I remove/comment out "Transform: AWS::SecretsManager-2020-07-23" from the template, then CF does NOT create the Lambda function.
To my mind, the existence of "Transform: AWS::SecretsManager-2020-07-23" itself triggers the creation of the Lambda.

Unless I am doing something wrong, this seems to be a bug. Kindly help.


AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23

Parameters:
  PasswordRotation:
    Description: Specify the password rotation cycle in days (1-1000). Use -1 to disable.
    Type: Number
    Default: -1

Conditions:
  PasswordRotationEnabled: !Not [!Equals [!Ref PasswordRotation, -1]]

Resources:
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Condition: PasswordRotationEnabled
    Properties:
      SubnetIds:
        - !Ref PrimarySubnetId
        - !Ref SecondarySubnetId
      SecurityGroupIds:
        - !Ref DatabaseSecurityGroup
      VpcEndpointType: 'Interface'
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      PrivateDnsEnabled: true
      VpcId: !Ref DatabaseVpcId

  SecretRDSInstanceAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Condition: PasswordRotationEnabled
    Properties:
      SecretId: !Ref MasterUserPassword
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Condition: PasswordRotationEnabled
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MasterUserPassword
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !Ref DatabaseSecurityGroup
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - !Ref PrimarySubnetId
              - !Ref SecondarySubnetId
      RotationRules:
        AutomaticallyAfterDays: 1

Edited by: DivAWS on Apr 15, 2021 7:42 AM

asked 3 years ago, 367 views
1 Answer

Answering my own question -

If a CF template references AWS::SecretsManager, CF generates a Lambda function to perform secrets rotation. We cannot make it conditional if Transform is present.

We have two options to create the AWS pre-defined Lambda secret-rotation functions for databases:

  1. Refer to the link below, which provides the source code of the Lambda functions: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html

  2. You can find the template in the AWS Serverless Application Repository. You can then either create the function using the AWS console or create it as a SAM resource via a CF template.

answered 3 years ago
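One way to follow option 2 and keep rotation truly optional, as an added example that is not part of the original question or answer: the SAM transform replaces AWS::SecretsManager-2020-07-23, so no macro-generated Lambda appears, and the rotation function is deployed as a conditional AWS::Serverless::Application from the Serverless Application Repository. The SAR application id, its parameter names (endpoint, functionName, vpcSubnetIds, vpcSecurityGroupIds), its RotationLambdaARN output and the SemanticVersion are assumptions to confirm against the repository listing; the secret attachment and VPC endpoint from the question are unchanged and omitted here.

```yaml
AWSTemplateFormatVersion: 2010-09-09
# SAM transform instead of AWS::SecretsManager-2020-07-23: the macro that
# emits a hosted rotation Lambda is gone, so the Condition below is honoured.
Transform: AWS::Serverless-2016-10-31

Parameters:
  PasswordRotation:
    Description: Password rotation cycle in days (1-1000). Use -1 to disable.
    Type: Number
    Default: -1
  MasterUserPassword:   # assumed: ARN of the existing RDS master secret
    Type: String
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  PrimarySubnetId:
    Type: AWS::EC2::Subnet::Id
  SecondarySubnetId:
    Type: AWS::EC2::Subnet::Id

Conditions:
  PasswordRotationEnabled: !Not [!Equals [!Ref PasswordRotation, -1]]

Resources:
  # Rotation function deployed from the Serverless Application Repository.
  # Unlike HostedRotationLambda, this is an ordinary conditional resource.
  RotationFunctionApp:
    Type: AWS::Serverless::Application
    Condition: PasswordRotationEnabled
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
        SemanticVersion: 1.1.0   # placeholder: use the current version from the SAR listing
      Parameters:
        endpoint: !Sub https://secretsmanager.${AWS::Region}.${AWS::URLSuffix}
        functionName: SecretsManagerRotation
        vpcSubnetIds: !Join [",", [!Ref PrimarySubnetId, !Ref SecondarySubnetId]]
        vpcSecurityGroupIds: !Ref DatabaseSecurityGroup

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Condition: PasswordRotationEnabled
    Properties:
      SecretId: !Ref MasterUserPassword
      # Output name as published by the SAR application (assumed)
      RotationLambdaARN: !GetAtt RotationFunctionApp.Outputs.RotationLambdaARN
      RotationRules:
        AutomaticallyAfterDays: !Ref PasswordRotation
```

With PasswordRotation left at -1, a change set for this template lists neither the application nor the schedule, which is the check to run before deploying.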
