  1. I have an existing secret in Secrets Manager.
    The ARN looks like this:
    arn:aws:secretsmanager:<region>:<accountid>:secret:<mysecret>-d1fX1Y
    As we all know, the suffix is added by AWS.

"Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. "

  2. I have a CloudFormation template and I need somehow to get the ARN of this secret into the template.

The ARN is not static; it may change.

As far as I understand it is impossible to use !Ref because the resource is not created in the same stack.

I’ve tried to use !Sub with a wildcard, but the result is the same, as it doesn’t do a lookup.

Maybe anyone has an idea or a workaround for that?

Here is the part of the template.

Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:mysecret-*"

3 Answers


  1. You set it up so the ARN of the secret is passed in SSM Parameter Store, and then use the Parameter Store value as a parameter in your CloudFormation template. You can then use the !Ref function to refer to the secret value in your CF template.

  2. What you want to accomplish is to reference an ARN across stacks? For example, if you export the ARN in the stack creating the secret, another stack can reference that ARN with Fn::ImportValue.

    Fn::ImportValue – AWS CloudFormation

    The intrinsic function Fn::ImportValue returns the value of an output exported by another stack.

  3. This value is the ARN of another resource (which is not another CloudFormation stack); it is just a resource created by Terraform.

    Suppose you add an SSM parameter resource with the secret’s ARN as its value to the .tf that creates the secret. In that case, the CloudFormation template can reference that parameter with SSM dynamic references.

    It looks like this (not tested):

    .tf

    resource "aws_ssm_parameter" "example" {
      name  = "example"
      type  = "String"
      value = aws_secretsmanager_secret.<your_secret_name>.arn
    }
    

    aws_ssm_parameter | Resources | hashicorp/aws | Terraform Registry

    template

    Globals:
      Function:
        CodeUri: ./
        Timeout: 60
        Runtime: nodejs14.x
        VpcConfig:
          SecurityGroupIds: !Ref SecurityGroups
          SubnetIds: !Ref Subnets
        Environment:
          Variables:
            STAGE: !Sub "${Stage}"
            VERSION: !Sub "${Version}"
            SECRET_ARN: !Sub "{{resolve:ssm:example}}"
    

    Using dynamic references to specify template values – AWS CloudFormation

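The SSM-parameter approach from answer 3, as an added example that is not from the thread: it looks the secret up by name (no suffix needed), publishes its ARN to an SSM String parameter, and validates the parameter value before the template consumes it. The plaintext ssm dynamic reference is appropriate here because the value is only an ARN; secret values themselves belong in a secretsmanager dynamic reference instead. The two clients are constructed fakes standing in for boto3, and the account id, region and parameter name "example" are assumptions.

```python
import re

# Shape of the ARN in the question: AWS appends "-" plus six random
# characters to the secret name, so the bare name is never the ARN.
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>.+)-(?P<suffix>[A-Za-z0-9]{6})$"
)

def validate_secret_arn(arn, expected_name, region, account):
    """True only if `arn` is a Secrets Manager ARN for `expected_name` in the
    given region and account; run on the SSM parameter value before deploying so
    a parameter pointing at the wrong secret, or a wildcard, fails the pipeline."""
    m = SECRET_ARN_RE.match(arn)
    return bool(m) and (m["name"], m["region"], m["account"]) == (
        expected_name, region, account)

def publish_secret_arn(secrets, ssm, secret_name, param_name):
    """Look the secret up by name (describe_secret takes the bare name, no suffix)
    and store the full ARN in an SSM String parameter, which the template reads
    with {{resolve:ssm:<param_name>}}. `secrets`/`ssm` are boto3-style clients."""
    arn = secrets.describe_secret(SecretId=secret_name)["ARN"]
    ssm.put_parameter(Name=param_name, Type="String", Value=arn, Overwrite=True)
    return arn

def dynamic_reference(param_name):
    """The SECRET_ARN value from answer 3; resolved at deploy time, unlike !Sub."""
    return "{{resolve:ssm:%s}}" % param_name

# Constructed stand-ins for the two boto3 clients so the block runs offline.
class FakeSecrets:
    def __init__(self, arn):
        self.arn = arn
    def describe_secret(self, SecretId):
        return {"ARN": self.arn, "Name": SecretId}

class FakeSSM:
    def __init__(self):
        self.params = {}
    def put_parameter(self, Name, Type, Value, Overwrite):
        self.params[Name] = Value

# Constructed sample ARN (assumed account id); the suffix is the one in the question.
EXAMPLE_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:mysecret-d1fX1Y"
if __name__ == "__main__":
    ssm = FakeSSM()
    publish_secret_arn(FakeSecrets(EXAMPLE_ARN), ssm, "mysecret", "example")
    ok = validate_secret_arn(ssm.params["example"], "mysecret", "eu-west-1", "123456789012")
    print(dynamic_reference("example"), "valid:", ok)
```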