- I have an existing secret in Secrets Manager.
The ARN looks like this:
arn:aws:secretsmanager:<region>:<accountid>:secret:<mysecret>-d1fX1Y
As we all know the suffix is added by AWS.
"Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. "
- I have a cloudformation template and I need somehow to get the arn of this secret into the template.
The arn is not static it may change.
As far as I understand it is impossible to use !Ref because the resource is not created in the same stack.
I’ve tried to use !Sub with wildcard but the result is the same as it doesn’t do a lookup.
Maybe anyone has an idea or workaround for that?
Here is the part of the template.
Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:mysecret-*"
3 Answers
You set it up so the ARN of the secret is passed in SSM Parameter Store, then use the Parameter Store value as a parameter in your CloudFormation; you can then use the !Ref function to refer to the secret value in your CF template.
What you want to accomplish is to reference an ARN across stacks? For example, if you export the ARN in the stack creating the secret, another stack can reference that ARN with Fn::ImportValue.
Fn::ImportValue – AWS CloudFormation
Suppose you add an SSM parameter resource with the secret's ARN as its value to the .tf that creates the secret. In that case, the CloudFormation template can reference that parameter with SSM dynamic references.
It looks like this (Not tested):
.tf
aws_ssm_parameter | Resources | hashicorp/aws | Terraform Registry
template
Using dynamic references to specify template values – AWS CloudFormation
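The Parameter Store approach from the first and third answers, written out as two CloudFormation templates (an added example, not code from the question or any of the answers; the parameter name /app/mysecret/arn, the export name app-mysecret-arn and the function handler are hypothetical). The secret-owning stack publishes the generated ARN, and the consuming stack resolves it at deploy time, so the random suffix never has to be guessed or wildcarded in the template or in the function's IAM policy.

```yaml
# Stack A (owns the secret): publishes the generated ARN to Parameter Store.
# !Ref on an AWS::SecretsManager::Secret returns its full ARN, suffix included.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: mysecret
      GenerateSecretString:
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  MySecretArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/mysecret/arn      # hypothetical parameter name
      Type: String
      Value: !Ref MySecret
Outputs:
  MySecretArn:
    Value: !Ref MySecret
    Export:
      Name: app-mysecret-arn       # hypothetical export name, for Fn::ImportValue
---
# Stack B (the SAM application): reads the ARN at deploy time instead of
# hard-coding it or using a wildcard that CloudFormation will not expand.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
  SecretArn:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /app/mysecret/arn     # CloudFormation resolves the value on deploy
Resources:
  Handler:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs14.x
      Handler: index.handler       # hypothetical handler
      CodeUri: ./
      Environment:
        Variables:
          SECRET_ARN: !Ref SecretArn
          # Equivalent dynamic reference, no template parameter needed:
          # SECRET_ARN: '{{resolve:ssm:/app/mysecret/arn}}'
      Policies:
        - Statement:
            - Effect: Allow
              Action: secretsmanager:GetSecretValue
              Resource: !Ref SecretArn   # exact ARN, scoped to this one secret
```

Stack A must be deployed first; the SSM parameter type makes Stack B fail at deploy time, rather than at runtime, if the parameter is missing.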