Hi,
I am trying to use the Secret Rotation functionality but want to keep it optional based on user input.
When I run the template, it's ignoring all the resources where the condition is false; however, it still goes ahead and creates the SecretsManagerRotation Lambda function.
To elaborate further, based on the shortened template below, even when condition PasswordRotationEnabled is false (parameter PasswordRotation = -1), CF attempts to create the Lambda function. It however does not create the SecretsManagerVPCEndpoint, which means that the condition is working as expected.
I also noticed that if I remove/comment out "Transform: AWS::SecretsManager-2020-07-23" from the template, then CF does NOT create the Lambda function.
To my mind, the existence of "Transform: AWS::SecretsManager-2020-07-23" itself triggers the creation of the Lambda.
Unless I am doing something wrong, this seems to be a bug. Kindly help.
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::SecretsManager-2020-07-23
# Shortened template: the parameters/resources referenced below
# (PrimarySubnetId, SecondarySubnetId, DatabaseSecurityGroup, DatabaseVpcId,
# MasterUserPassword, DBInstance) are defined in the full template and omitted here.
Parameters:
  PasswordRotation:
    Description: Specify the password rotation cycle in days (1-1000). Use -1 to disable.
    Type: Number
    Default: -1
Conditions:
  PasswordRotationEnabled: !Not [!Equals [!Ref PasswordRotation, -1]]
Resources:
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Condition: PasswordRotationEnabled
    Properties:
      SubnetIds:
        - !Ref PrimarySubnetId
        - !Ref SecondarySubnetId
      SecurityGroupIds:
        - !Ref DatabaseSecurityGroup
      VpcEndpointType: 'Interface'
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      PrivateDnsEnabled: true
      VpcId: !Ref DatabaseVpcId
  SecretRDSInstanceAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Condition: PasswordRotationEnabled
    Properties:
      SecretId: !Ref MasterUserPassword
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Condition: PasswordRotationEnabled
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MasterUserPassword
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: SecretsManagerRotation
        VpcSecurityGroupIds: !Ref DatabaseSecurityGroup
        # VpcSubnetIds expects a comma-separated string, hence the Fn::Join
        VpcSubnetIds:
          Fn::Join:
            - ","
            - - !Ref PrimarySubnetId
              - !Ref SecondarySubnetId
      RotationRules:
        AutomaticallyAfterDays: 1
Edited by: DivAWS on Apr 15, 2021 7:42 AM
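An offline check of the behaviour described in the post, added here as an example (it is not code from the post or from AWS). The script evaluates the template's Conditions for a given PasswordRotation value, lists which logical resources the condition gates, and flags a RotationSchedule that uses HostedRotationLambda under a false condition, since the transform expands that property into a Lambda that, per the report above, may not inherit the Condition. The template is a constructed rendering of the shortened one in the post, with intrinsic functions written in long form; the checks are limited to the intrinsics actually used in Conditions (Ref, Fn::Equals, Fn::Not, Fn::And, Fn::Or) and the report is a hint to inspect a change set before deploying, not a statement of how the transform is implemented.

```python
# Constructed: the post's shortened template as Python dicts, long-form intrinsics.
TEMPLATE = {
    "Transform": "AWS::SecretsManager-2020-07-23",
    "Parameters": {"PasswordRotation": {"Type": "Number", "Default": -1}},
    "Conditions": {
        "PasswordRotationEnabled": {
            "Fn::Not": [{"Fn::Equals": [{"Ref": "PasswordRotation"}, -1]}]
        },
    },
    "Resources": {
        "SecretsManagerVPCEndpoint": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Condition": "PasswordRotationEnabled",
        },
        "SecretRDSInstanceAttachment": {
            "Type": "AWS::SecretsManager::SecretTargetAttachment",
            "Condition": "PasswordRotationEnabled",
        },
        "MySecretRotationSchedule": {
            "Type": "AWS::SecretsManager::RotationSchedule",
            "Condition": "PasswordRotationEnabled",
            "Properties": {
                "HostedRotationLambda": {
                    "RotationType": "MySQLSingleUser",
                    "RotationLambdaName": "SecretsManagerRotation",
                }
            },
        },
    },
}

SECRETS_TRANSFORM = "AWS::SecretsManager-2020-07-23"


def resolve(node, params, conditions):
    """Evaluate the subset of intrinsic functions CloudFormation allows in Conditions."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return params[arg]
        if key == "Condition":
            return evaluate_condition(arg, params, conditions)
        if key == "Fn::Equals":
            a, b = (resolve(x, params, conditions) for x in arg)
            return str(a) == str(b)  # CloudFormation compares parameter values as strings
        if key == "Fn::Not":
            return not resolve(arg[0], params, conditions)
        if key == "Fn::And":
            return all(resolve(x, params, conditions) for x in arg)
        if key == "Fn::Or":
            return any(resolve(x, params, conditions) for x in arg)
    return node  # literal value


def evaluate_condition(name, params, conditions):
    return bool(resolve(conditions[name], params, conditions))


def effective_parameters(template, overrides):
    """Parameter defaults from the template, overridden by values supplied at deploy time."""
    params = {n: p.get("Default") for n, p in template.get("Parameters", {}).items()}
    params.update(overrides)
    return params


def plan(template, overrides):
    """Return (created, skipped, warnings) logical IDs for the given parameter values."""
    params = effective_parameters(template, overrides)
    conditions = template.get("Conditions", {})
    created, skipped, warnings = [], [], []
    for logical_id, res in template["Resources"].items():
        cond = res.get("Condition")
        enabled = cond is None or evaluate_condition(cond, params, conditions)
        (created if enabled else skipped).append(logical_id)
        hosted = res.get("Properties", {}).get("HostedRotationLambda")
        if hosted and not enabled and template.get("Transform") == SECRETS_TRANSFORM:
            # The transform expands HostedRotationLambda into its own Lambda function;
            # confirm in a change set that the expansion honours the Condition.
            warnings.append(
                f"{logical_id}: Condition {cond} is false, but {SECRETS_TRANSFORM} "
                f"expands HostedRotationLambda into a function named "
                f"{hosted.get('RotationLambdaName', '<unnamed>')}; review the change set"
            )
    return created, skipped, warnings


if __name__ == "__main__":
    for value in (-1, 30):
        created, skipped, warnings = plan(TEMPLATE, {"PasswordRotation": value})
        print(f"PasswordRotation={value}: create={created} skip={skipped}")
        for w in warnings:
            print("  WARNING", w)
```

Run it against the real template by replacing TEMPLATE with the parsed document (the short-form tags such as !Ref need a loader that maps them to the long-form keys used here). The warning does not prove that the Lambda will be created; it marks the one place where the template's own Conditions cannot tell you, which is exactly where a change set should be inspected before the stack is updated.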