
CloudFormation unable to Import an AWS::SecretsManager::Secret using --import-existing-resources?


We're unable to import an AWS::SecretsManager::Secret using --import-existing-resources.

Looking at the criteria in Import AWS resources into a CloudFormation stack automatically:

  1. The resource must have a static custom name defined in your template.
  2. The resource must have a DeletionPolicy of Retain or RetainExceptOnCreate.
  3. The resource must not already belong to another CloudFormation stack.
  4. The resource type must support CloudFormation import operations.
  5. The primary ID for the resource type must be in the template. Primary IDs with read only properties aren't supported.

it seems that 5 is the problem: aws cloudformation describe-type --type RESOURCE --type-name AWS::SecretsManager::Secret | jq -r '.Schema' leaves us with "primaryIdentifier" : [ "/properties/Id" ], "readOnlyProperties" : [ "/properties/Id" ], so presumably it is unsupported.

This seems a particularly unfortunate resource to be unsupported in this way, as secrets are one of the most likely resources to both want to create using a stack AND need to survive a stack rebuild.

Is there any hope of changing this?
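The schema check from the question, turned into a small offline checker (an added example, not code from the question, the answer or AWS). It assumes the schema JSON has the same shape as the describe-type output quoted above; the Secret fragment is copied from the question, while the S3 bucket schema and both template resources are constructed samples. In a real run you would feed it the output of aws cloudformation describe-type ... | jq -r '.Schema' instead of the embedded fragment.

```python
import json

# Constructed sample: the two keys of the AWS::SecretsManager::Secret schema
# that the question quotes from `describe-type`.
SECRET_SCHEMA = json.loads("""
{"typeName": "AWS::SecretsManager::Secret",
 "primaryIdentifier": ["/properties/Id"],
 "readOnlyProperties": ["/properties/Id"]}
""")

# Constructed sample schema for a type whose primary identifier is settable.
BUCKET_SCHEMA = {
    "typeName": "AWS::S3::Bucket",
    "primaryIdentifier": ["/properties/BucketName"],
    "readOnlyProperties": ["/properties/Arn", "/properties/DomainName"],
}

# Constructed template resources (logical resource bodies, as in a template's Resources map).
SECRET_RESOURCE = {"Type": "AWS::SecretsManager::Secret", "DeletionPolicy": "Retain",
                   "Properties": {"Name": "prod/db/password"}}
BUCKET_RESOURCE = {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Delete",
                   "Properties": {"BucketName": {"Fn::Sub": "${AWS::StackName}-logs"}}}


def read_only_primary_ids(schema):
    """Criterion 5: primary-identifier paths that are also read-only (empty list = OK)."""
    read_only = set(schema.get("readOnlyProperties", []))
    return [p for p in schema.get("primaryIdentifier", []) if p in read_only]


def check_import_criteria(schema, resource):
    """Check criteria 1, 2 and 5 for one template resource against its type schema.

    Criteria 3 and 4 (stack membership, import support) need API calls and are not
    checked here. Returns a list of problems; an empty list means these checks pass.
    """
    problems = []
    props = resource.get("Properties", {})
    blocked = read_only_primary_ids(schema)
    # 1. The identifying property must be a static string, not Ref/Fn::Sub/etc.
    for path in schema.get("primaryIdentifier", []):
        name = path.rsplit("/", 1)[-1]
        if path not in blocked and not isinstance(props.get(name), str):
            problems.append(f"{name} must be a static string in the template")
    # 2. The resource must be retained when removed from the stack.
    if resource.get("DeletionPolicy") not in ("Retain", "RetainExceptOnCreate"):
        problems.append("DeletionPolicy must be Retain or RetainExceptOnCreate")
    # 5. A read-only primary identifier can never be supplied in the template.
    for path in blocked:
        problems.append(f"primary identifier {path} is read-only; automatic import unsupported")
    return problems
```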

1 Answer

Based on your analysis, you're correct that the AWS::SecretsManager::Secret resource appears to be unsupported for CloudFormation import using the --import-existing-resources feature. The key issue is that the primary identifier (Id) for the Secret resource is a read-only property, which conflicts with the fifth requirement you mentioned.

This is indeed challenging for secrets management, as secrets are resources that often need to persist beyond the lifecycle of a CloudFormation stack.

When attempting to import resources into CloudFormation, there are several requirements that must be met, and having a primary identifier that's a read-only property is a blocker for the automatic import feature.

For CloudFormation import to work properly, the resource must have a primary identifier that can be specified in the template, and it cannot be a read-only property. Since the Id property of AWS::SecretsManager::Secret is read-only, this prevents the automatic import.

As for changing this situation, there are a few potential approaches:

  1. You could use the standard resource import process (not the automatic one) if the resource type is supported in the list of importable resources.

  2. Consider using a different approach for managing secrets that need to survive stack rebuilds, such as creating them outside of CloudFormation and referencing them in your templates.

  3. You might want to submit a feature request to AWS through your account team or AWS support to request that they make AWS::SecretsManager::Secret importable.

Unfortunately, there's no immediate solution to make the automatic import work for this resource type given the current constraints with the primary identifier being read-only.
Sources
Cloudformation Import stopped working | AWS re:Post

answered a month ago
AWS
EXPERT
reviewed a day ago
