Aurora Serverless password rotation setup using CloudFormation (and Lambda rotation templates)


Problem description


AWS has Fully Configured and Ready-to-Use Rotation Support for some supported RDS engines, including Amazon Aurora (Serverless also?)


I'm trying to setup the password rotation in my CloudFormation template using AWS::SecretsManager::RotationSchedule (note that this is not a fully functional template, only an illustration):

  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine        : aurora
      EngineMode    : serverless
      EngineVersion : 5.6.10a

  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 20
        ExcludeCharacters: '"@/\'

  # Writes engine/host/port/dbClusterIdentifier into the secret string
  SecretTargetAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref Secret
      TargetId: !Ref DBCluster
      TargetType: AWS::RDS::DBCluster

  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref Secret   # the logical id of the secret defined above
      RotationLambdaARN: <ARN_GET_FROM_SERVERLESS_APPLICATION_REPOSITORY>
      RotationRules:
        AutomaticallyAfterDays: 1


But the AWS Lambda rotation function fails with the following message:


"Database engine must be set to 'mysql' in order to use this rotation lambda": KeyError


Looks like Aurora Serverless is not supported by the AWS Lambda rotation function provided by AWS.


Is there an easy way to setup Aurora Serverless secret rotation using existing Lambda rotation templates?


Any example available to write my own rotation function for Aurora Serverless?

PS: This question is related to: creating an Aurora Serverless cluster from CloudFormation?

Recommended answer


The RotationSchedule resource has a dependency on the SecretTargetAttachment resource. The attachment resource updates your secret-string value to contain connection information such as db engine, port and endpoint.


Unfortunately, there is no way for CloudFormation to know about this implicit dependency between the two resources. You need to put a DependsOn on the RotationSchedule resource with the attachment resource's logical id.


See the RotationSchedule resource in this example - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#aws-resource-secretsmanager-rotationschedule--examples
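The fix described in this answer applied to the question's template, as an added example that is not the answerer's own code: the RotationSchedule gets an explicit DependsOn on the attachment, and (my addition, not in the question) the cluster reads its master credentials from the secret via a Secrets Manager dynamic reference; the rotation Lambda ARN placeholder is kept from the question.

```yaml
Resources:
  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 20
        ExcludeCharacters: '"@/\'

  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora
      EngineMode: serverless
      EngineVersion: 5.6.10a
      # Credentials come from the secret rather than being hard-coded in the
      # template (added here; the question's snippet omitted them).
      MasterUsername: !Sub '{{resolve:secretsmanager:${Secret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${Secret}:SecretString:password}}'

  # Adds engine, host, port and dbClusterIdentifier to the secret string.
  SecretTargetAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref Secret
      TargetId: !Ref DBCluster
      TargetType: AWS::RDS::DBCluster

  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    # Explicit ordering: the attachment must have written the connection
    # fields into the secret before the first rotation runs; without it the
    # rotation Lambda reads a secret with no "engine" key and fails with the
    # KeyError quoted in the question.
    DependsOn: SecretTargetAttachment
    Properties:
      SecretId: !Ref Secret
      RotationLambdaARN: <ARN_GET_FROM_SERVERLESS_APPLICATION_REPOSITORY>  # placeholder from the question
      RotationRules:
        AutomaticallyAfterDays: 1
```

After deployment, the secret's SecretString should contain the engine, host and port keys before the first rotation is triggered; if it does not, the attachment has not completed and the schedule was created too early.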
