Aurora Serverless password rotation setup using CloudFormation (and Lambda rotation templates)

Question:

AWS has Fully Configured and Ready-to-Use Rotation Support for some supported RDS engines, including Amazon Aurora (Serverless also?)

I’m trying to set up the password rotation in my CloudFormation template using AWS::SecretsManager::RotationSchedule (note that this is not a fully functional template, only an illustration):

But the AWS Lambda rotation function fails with the following message:

“Database engine must be set to ‘mysql’ in order to use this rotation lambda”: KeyError

Looks like Aurora Serverless is not supported by the AWS Lambda rotation function provided by AWS.

Is there an easy way to set up Aurora Serverless secret rotation using existing Lambda rotation templates?

Any example available to write my own rotation function for Aurora Serverless?

PS: This question is kind of related to Creating an Aurora Serverless Cluster from cloudformation?

Answer:

The RotationSchedule resource has a dependency on the SecretTargetAttachment resource. The attachment resource updates your secret-string value to contain connection information such as db engine, port and endpoint.

Unfortunately, there is no way for CloudFormation to know about this implicit dependency between the two resources. You need to put a DependsOn on the RotationSchedule resource with the attachment resource’s logical id.

See the RotationSchedule resource in this example – https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#aws-resource-secretsmanager-rotationschedule--examples
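The dependency the answer describes is easy to miss in a large template, so here is an added example (not from the question, the answer, or AWS) of a small template check: it walks a CloudFormation template in JSON form, pairs every `AWS::SecretsManager::RotationSchedule` with the `AWS::SecretsManager::SecretTargetAttachment` that targets the same `SecretId`, and reports any rotation schedule whose `DependsOn` does not name that attachment. A second function returns a copy of the template with the missing `DependsOn` added. The embedded template is constructed for the example and is not a working stack: the logical ids `DbSecret`, `DbAttachment`, `DbRotation`, `DbCluster` and `RotationLambda` are assumed, and the cluster, Lambda and networking resources are left out.

```python
import copy
import json

# Constructed sample template (CloudFormation JSON form), trimmed to the three
# Secrets Manager resources the answer discusses. DbCluster and RotationLambda
# are assumed to be defined elsewhere in a real template.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DbSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "GenerateSecretString": {
                    "SecretStringTemplate": json.dumps({"username": "admin"}),
                    "GenerateStringKey": "password",
                    "ExcludeCharacters": "\"@/\\",
                }
            },
        },
        "DbAttachment": {
            "Type": "AWS::SecretsManager::SecretTargetAttachment",
            "Properties": {
                "SecretId": {"Ref": "DbSecret"},
                "TargetId": {"Ref": "DbCluster"},  # assumed AWS::RDS::DBCluster
                "TargetType": "AWS::RDS::DBCluster",
            },
        },
        "DbRotation": {
            "Type": "AWS::SecretsManager::RotationSchedule",
            "Properties": {
                "SecretId": {"Ref": "DbSecret"},
                "RotationLambdaARN": {"Fn::GetAtt": ["RotationLambda", "Arn"]},  # assumed
                "RotationRules": {"AutomaticallyAfterDays": 30},
            },
            # No DependsOn: rotation may run before the attachment has written
            # engine/host/port into the secret, which is the failure in the question.
        },
    },
}

ATTACHMENT = "AWS::SecretsManager::SecretTargetAttachment"
ROTATION = "AWS::SecretsManager::RotationSchedule"


def _secret_key(value):
    """Normalise a SecretId so resources pointing at the same secret compare equal:
    {"Ref": "X"} becomes "X"; a literal ARN string is used as-is."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)


def _depends_on(resource):
    """DependsOn may be absent, a single string, or a list; always return a list."""
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def find_missing_depends_on(template):
    """Return [(rotation_id, [attachment ids it should depend on but does not])]."""
    resources = template.get("Resources", {})
    attachments = {}  # secret key -> attachment logical ids
    for name, res in resources.items():
        if res.get("Type") == ATTACHMENT:
            key = _secret_key(res.get("Properties", {}).get("SecretId"))
            attachments.setdefault(key, []).append(name)
    findings = []
    for name, res in resources.items():
        if res.get("Type") != ROTATION:
            continue
        key = _secret_key(res.get("Properties", {}).get("SecretId"))
        missing = [a for a in attachments.get(key, []) if a not in _depends_on(res)]
        if missing:
            findings.append((name, missing))
    return findings


def add_depends_on(template):
    """Return a deep copy in which each RotationSchedule waits on its attachment(s)."""
    fixed = copy.deepcopy(template)
    for rotation_id, missing in find_missing_depends_on(fixed):
        res = fixed["Resources"][rotation_id]
        res["DependsOn"] = _depends_on(res) + missing
    return fixed


if __name__ == "__main__":
    for rotation_id, missing in find_missing_depends_on(SAMPLE_TEMPLATE):
        print(f"{rotation_id}: add DependsOn {missing}")
    print(json.dumps(add_depends_on(SAMPLE_TEMPLATE)["Resources"]["DbRotation"], indent=2))
```

Run it against `json.load(open("template.json"))` instead of the embedded dict to check a real template; a YAML template can be fed through the same functions after parsing it with a YAML loader that understands the `!Ref` short-form tags. The check only looks at the `SecretId` pairing, which is the one relationship CloudFormation cannot infer on its own; the rest of the template is untouched.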
