So I used cloudformation to generate an RDS DB instance and AWS Secrets Manager Secret and they are tied together as shown in the cloudformation config below:
"MyDBInstance": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
        "AllocatedStorage": 20,
        "DBInstanceClass": "db.t2.micro",
        "Engine": "mysql",
        "DBSubnetGroupName": {
            "Ref": "MyDBSubnetGroup"
        },
        "MasterUsername": "rdsadmin",
        "MasterUserPassword": {
            "Fn::Sub": "{{resolve:secretsmanager:${MYRDSPASSWORD}:SecretString}}"
        }
    }
}
I want to be able to MANUALLY set a new password in one place (preferably AWS Secrets Manager) and have it then automatically synced to the other place (preferably modifying the RDS instance with the new password). The doc below is very useful if you want to set up a rotation schedule, but that’s not what we are trying to achieve. If this can’t be ‘synced’, then maybe I can work out a script of CLI calls to imitate the behavior?
https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_RDSsecret.html
2 Answers
AWS CloudFormation is not designed to do this, so no.
If you are looking for an AWS service that is designed to manage infrastructure, take a look at AWS Systems Manager.
That being said, I’ve not seen anything that does this specifically anywhere in AWS on my travels over the years. But I’ve also never looked for this specific requirement.
IMO, it sounds like you’re trying to find a technical solution to what is fundamentally a process challenge, and perhaps overcomplicating the implementation. If you do really want to look at some kind of automation for this, you could probably cobble together some complex setup using Lambdas and the AWS SDK, but this wouldn’t be how I’d approach this. Sledgehammer to crack a nut and all.
You would set up an AWS EventBridge rule to capture Secrets Manager secret change events. You would then configure EventBridge to invoke an AWS Lambda function when that event occurs. You would put code in the Lambda function that reads the event, pulls the password value out of Secrets Manager, and finally updates the RDS server with the new password, and/or any other services you want to update.
Note that this is very similar to the process documented here, except that process runs automatically on a schedule, instead of in response to a manual change of the secret value.
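A minimal Lambda along the lines of the answer above, as an added example that is not from the original thread or from AWS: it filters the EventBridge event down to the one secret it owns, reads the current value, and pushes it to the instance with modify_db_instance, returning only what happened so the password never ends up in logs. It assumes a secret named MyRDSPassword (constructed, like the sample event), a Lambda role allowed secretsmanager:GetSecretValue and rds:ModifyDBInstance, and SECRET_ID and DB_INSTANCE_ID set as environment variables.

```python
import json
import os

# Constructed sample event: the shape EventBridge delivers when CloudTrail records
# a PutSecretValue call (detail-type "AWS API Call via CloudTrail").
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "PutSecretValue",
        "requestParameters": {"secretId": "MyRDSPassword"},
    },
}

# Only these Secrets Manager API calls can change the stored value.
VALUE_CHANGE_EVENTS = {"PutSecretValue", "UpdateSecret"}


def changed_secret_id(event):
    """Return the secret id named in the event, or None if it is not a value change."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    if detail.get("eventName") not in VALUE_CHANGE_EVENTS:
        return None
    return detail.get("requestParameters", {}).get("secretId")


def password_from_secret(secret_string):
    """Accept a plain-string secret or the RDS JSON layout with a 'password' key."""
    try:
        doc = json.loads(secret_string)
    except ValueError:
        return secret_string
    if isinstance(doc, dict) and "password" in doc:
        return doc["password"]
    raise ValueError("secret is JSON but has no 'password' key")


def sync_password(event, secrets, rds, secret_id, db_instance_id):
    """Push the secret's current value to the DB instance; clients are injected for testing."""
    if changed_secret_id(event) != secret_id:
        return "ignored"  # another secret, or a read/metadata-only call
    password = password_from_secret(secrets.get_secret_value(SecretId=secret_id)["SecretString"])
    rds.modify_db_instance(DBInstanceIdentifier=db_instance_id,
                           MasterUserPassword=password, ApplyImmediately=True)
    return "updated"  # never return or log the password itself


def lambda_handler(event, context):
    import boto3  # imported here so the logic above is testable without the SDK installed
    return sync_password(event, boto3.client("secretsmanager"), boto3.client("rds"),
                         os.environ["SECRET_ID"], os.environ["DB_INSTANCE_ID"])
```

The AWS-side pieces the code takes for granted are a CloudTrail trail and an EventBridge rule matching detail-type "AWS API Call via CloudTrail" with eventSource secretsmanager.amazonaws.com, since Secrets Manager write calls reach EventBridge through CloudTrail.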