aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Support Password management with Amazon RDS and AWS Secrets Manager via CloudFormation #1482

Open sushdesh opened 1 year ago

sushdesh commented 1 year ago

Name of the resource

AWS::RDS::DBInstance

Resource name

No response

Description

AWS RDS has added support for Password management with Amazon RDS and AWS Secrets Manager

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html

Customers who use CloudFormation cannot leverage this functionality as it's not supported.

Other Details

No response

osdrv commented 1 year ago

@sushdesh thanks for the report. The new SecretsManager integration is now fully supported in RDS CloudFormation. Please refer to the corresponding CFN documentation:

The documentation page you shared above is still being updated.

ryparker commented 1 year ago

Could we have some additional details on what the expected behavior is when restoring a DB instance/cluster from a snapshot that had ManageMasterUserPassword: true?

Here's what I've noticed:

Scenario A) I restore a DBCluster that originally had ManageMasterUserPassword: true and I include ManageMasterUserPassword: true in the restored DBCluster template. This results in Cfn throwing

Resource handler returned message: "null" (RequestToken: 995487fe-1699-334c-99d2-5e27cea9d8a6, HandlerErrorCode: InternalFailure)

Scenario B) I restore a DBCluster that originally had ManageMasterUserPassword: true and I do not include the ManageMasterUserPassword prop in the restored DBCluster template. This deploys successfully; however, the secret is not recreated. I am able to log in to the database using the same password that was generated for the original cluster.
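
Added example, not part of the thread and not code from the CloudFormation project: a small check over a parsed template that flags RDS resources whose master password is not managed through ManageMasterUserPassword, including the snapshot-restore case reported above as Scenario B. The function name, sample template, logical IDs and finding strings are constructed for illustration.

```python
# Resource types and snapshot properties this check looks at.
RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}
SNAPSHOT_PROPS = ("SnapshotIdentifier", "DBSnapshotIdentifier")


def audit_rds_passwords(template):
    """Return sorted (logical_id, finding) pairs for RDS resources in a parsed template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in RDS_TYPES:
            continue
        props = res.get("Properties", {})
        # CloudFormation accepts booleans written as true or "true".
        managed = str(props.get("ManageMasterUserPassword", "")).lower() == "true"
        password = props.get("MasterUserPassword")
        restored = any(p in props for p in SNAPSHOT_PROPS)
        if managed and password is not None:
            findings.append((logical_id, "conflict: both password properties set"))
        elif isinstance(password, str) and "{{resolve:" not in password:
            # A plain string that is not a dynamic reference is a secret in the template.
            findings.append((logical_id, "literal MasterUserPassword in template"))
        elif restored and not managed and password is None:
            # Scenario B in the thread: the restore deploys, no secret is created,
            # and the original cluster's password keeps working.
            findings.append((logical_id, "snapshot restore without managed secret"))
    return sorted(findings)


# Constructed sample template (all identifiers are placeholders).
SAMPLE = {"Resources": {
    "ManagedDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "MasterUsername": "admin",
        "ManageMasterUserPassword": True}},
    "LegacyDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "MasterUsername": "admin",
        "MasterUserPassword": "constructed-example-only"}},
    "RestoredCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {
        "Engine": "aurora-mysql",
        "SnapshotIdentifier": "example-snapshot-placeholder"}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for logical_id, finding in audit_rds_passwords(SAMPLE):
        print(f"{logical_id}: {finding}")
```

Passwords supplied through a Ref or other intrinsic function are not flagged here; the check only catches literal strings and unmanaged restores.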