aws-secrets-manager-rotation-lambdas

v0.2.1

Published

3 years ago

aws secrets manager js lambdas for psql password rotation incl. cloudformation and other snippets

Downloads

0High
0Medium
0Low

smartinspereira

aws-secrets-manager-rotation-lambdas

aws secrets manager js lambdas for psql password rotation incl. cloudformation and other snippets


# cloudformation:
AWSSecretsManagerSecretRDSDBInstance:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: <Name> # whatever name suits your needs
    GenerateSecretString:
      SecretStringTemplate: '{ "username": "masteruser" }' # whatever name suits your needs
      GenerateStringKey: password
      PasswordLength: 128
      ExcludePunctuation: true # choose your pw composition. mind: set same settings in code manually

AWSSecretsManagerSecretTargetAttachment:
  Type: AWS::SecretsManager::SecretTargetAttachment
  Properties:
    SecretId:
      Ref: AWSSecretsManagerSecretRDSDBInstance
    TargetId:
      Ref: AWSRDSDBInstance
    TargetType: AWS::RDS::DBInstance

AWSSecretsManagerRotationSchedule:
  Type: AWS::SecretsManager::RotationSchedule
  Properties:
    RotationLambdaARN:
      Fn::GetAtt:
        - RotateLambdaFunction
        - Arn
    RotationRules:
      AutomaticallyAfterDays: 1 # set to automatically rotate each day
    SecretId:
      Ref: AWSSecretsManagerSecretRDSDBInstance

AWSLambdaPermissionSM:
  Type: AWS::Lambda::Permission
  DependsOn: RotateLambdaFunction
  Properties:
    FunctionName:
      Ref: RotateLambdaFunction
    Action: lambda:InvokeFunction
    Principal: secretsmanager.amazonaws.com

AWSRDSDBInstance:
  Type: AWS::RDS::DBInstance
  DeletionPolicy: Snapshot
  Properties:
    DBInstanceIdentifier: <DBInstanceIdentifier>
    DBName: <DBName>

    MasterUsername:
      Fn::Join:
        - ''
        - - '{{resolve:secretsmanager:'
          - Ref: AWSSecretsManagerSecretRDSDBInstance
          - ::username}}
    MasterUserPassword:
      Fn::Join:
        - ''
        - - '{{resolve:secretsmanager:'
          - Ref: AWSSecretsManagerSecretRDSDBInstance
          - ::password}}


# non cloudformation lambda example:
rotate:
  handler: src/database/rotate.handler # set your handler
  reservedConcurrency: 1 # just to be sure we have no race conditions
  memorySize: 2048 # set memory high to speed things up
  iamRoleStatements: # needed minimum permissions
    - Effect: Allow
      Action:
        - secretsmanager:DescribeSecret
        - secretsmanager:GetSecretValue
        - secretsmanager:PutSecretValue
        - secretsmanager:UpdateSecretVersionStage
      Resource: ${self:custom.resources.AWSSMSecretRDS.arn}
    - Effect: Allow
      Action:
        - secretsmanager:GetRandomPassword
      Resource: '*'


# your handler file should look similar to this
'use strict'
const { rotateSingleUser } = require('aws-secrets-manager-rotation-lambdas')
exports.handler = rotateSingleUser

Pkg
Stats

Discover Tips

General search

Package details

User packages

Sponsor

About

Twitter

GitHub

Twitter

GitHub

Site

Open Software & Tools

Framework

Server

Data Store

Caching

CSS / Styling

Typeface

Avatars

Data Viz

Date formatting

Infinite scrolling

Markdown rendering

Repository url parsing

User data

Compiling

Types

Odds & Ends

aws-secrets-manager-rotation-lambdas

v0.2.1

Published

Vulnerabilities

Links

Maintainers

Keywords

Readme

aws-secrets-manager-rotation-lambdas