aws-cloudformation / aws-cloudformation-resource-providers-rds

The CloudFormation Resource Provider Package For Amazon Relational Database Service
https://aws.amazon.com/rds/
Apache License 2.0

Requested attribute SecretArn does not exist in schema for AWS::RDS::DBCluster #502

Closed TomasChmelik closed 3 months ago

TomasChmelik commented 7 months ago

According to the AWS documentation there should be a "SecretArn" attribute on the DBCluster resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#aws-resource-rds-dbcluster-return-values

It is a bit worrisome that its description is "Property description not available." but shouldn't this be available in CloudFormation?

When ManageMasterUserPassword is set to true, RDS will create a new secret in Secrets Manager, which isn't referenceable anywhere in the CloudFormation template, which is where the RDS cluster SecretArn attribute comes in.

{
    "Resources": {
        "DatabaseCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {
                "ManageMasterUserPassword": true,
                // other properties
            }
        }
    },
    "Outputs": {
        "ClusterSecretArn": {
            "Value": {
                "Fn::Sub": "${DatabaseCluster.SecretArn}"
            },
            "Export": {
                "Name": "cluster-secret-arn"
            }
        }
    }
}

zrfr commented 3 months ago

I'm sorry, where are you seeing "property description not available"?

CloudFormation does expose the ARN of the secret, but the full name of the attribute is MasterUserSecret.SecretArn. Using only SecretArn won't work. So, in your example, {"Fn::Sub": "${DatabaseCluster.MasterUserSecret.SecretArn}"} should do what you want.
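A check for the mistake resolved in the reply above, as an added example that is not part of the original thread or the provider's code: it walks a parsed template and reports every `Fn::Sub` or `Fn::GetAtt` that asks an `AWS::RDS::DBCluster` for the bare `SecretArn` attribute instead of `MasterUserSecret.SecretArn`. The function name, the path format and the `SAMPLE` template (the issue's template reduced to the relevant keys) are assumptions made for illustration.

```python
import re

# "${LogicalId.Attribute}" inside an Fn::Sub string ("${!Literal}" is skipped).
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)\.([A-Za-z0-9.]+)\}")

# Constructed sample: the template from the issue, reduced to the relevant keys.
SAMPLE = {
    "Resources": {
        "DatabaseCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {"ManageMasterUserPassword": True},
        }
    },
    "Outputs": {
        "ClusterSecretArn": {"Value": {"Fn::Sub": "${DatabaseCluster.SecretArn}"}}
    },
}

def find_bad_secret_refs(template):
    """Return (path, logical_id) for each bare DBCluster.SecretArn reference."""
    clusters = {
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::RDS::DBCluster"
    }
    findings = []

    def check(path, logical_id, attr):
        if logical_id in clusters and attr == "SecretArn":
            findings.append((path, logical_id))

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key == "Fn::GetAtt":
                    # Accept both ["Id", "Attr"] and the "Id.Attr" string form.
                    parts = value if isinstance(value, list) else str(value).split(".", 1)
                    if len(parts) == 2 and all(isinstance(p, str) for p in parts):
                        check(here, parts[0], parts[1])
                elif key == "Fn::Sub":
                    text = value[0] if isinstance(value, list) and value else value
                    if isinstance(text, str):
                        for match in SUB_REF.finditer(text):
                            check(here, match.group(1), match.group(2))
                walk(value, here)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}/{index}")
    walk(template, "")
    return findings
```

Each finding gives the location of the reference in the template and the cluster's logical ID, so the fix is to change that reference to `MasterUserSecret.SecretArn`.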

TomasChmelik commented 3 months ago

It seems that AWS updated/fixed the documentation. Previously it was just SecretArn, or maybe I'm really stupid and overlooked this.

In any case, it seems it should work now.