binxio / cfn-secret-provider

A CloudFormation custom resource provider for deploying secrets and keys
Apache License 2.0

How to manually rotate or update a parameter #55

Closed diegosasw closed 2 years ago

diegosasw commented 2 years ago

I am wondering if there is any way to update parameters each time a Cloud Formation template runs or what the options are.

For example, say we have a database such as AWS DocumentDB that requires a master user name and password when creating. When using cfn-secret-provider I would generate the secured parameter and store it in Parameter Store:

```yaml
  docDbPassword:
    Type: Custom::Secret
    Properties:
      Name: !Ref docDbAdminPassword
      Description: DocumentDB password
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 16
      ReturnSecret: true
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
```

being able to access now that secret with !GetAtt docDbPassword.Secret. All great.

If I re-run the cloud formation template I can see the secret is not re-generated. Is there any recommended approach to manually "rotate" a parameter or to re-generate a new secret and update the database master password, for example, so that every time I run the cloud formation template I can flag Custom::Secret to overwrite the secret and update the AWS accordingly? Or is that too risky? (I actually don't know if all AWS resources or databases allow updating credentials that way)

PS: this is a great useful tool I have been using for some months, thank you and congrats!

mvanholsteijn commented 2 years ago

Hi @diegosasw, good to hear you are happy with it! To force an update of the password you can specify the property Version with an appropriate value.

I would recommend explicit automated updates of the property at regular intervals, so that you always know what and why the password refresh is happening.
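An added example, not code from the project or from either commenter, showing how the Version property from the answer fits into the template from the question. The SecretVersion parameter, its default and the AWS::DocDB::DBCluster wiring are assumptions made for illustration.

```yaml
# Constructed example. Deploy with a fresh value each time a rotation is wanted, e.g.
#   aws cloudformation deploy --template-file stack.yaml --stack-name docdb \
#       --parameter-overrides SecretVersion=$(date +%F)
# If SecretVersion keeps its previous value, no new password is generated.
Parameters:
  docDbAdminPassword:
    Type: String
    Description: Parameter Store name under which the generated password is kept
    Default: /docdb/admin-password          # assumed name
  SecretVersion:
    Type: String
    Description: Opaque value; changing it forces the secret to be regenerated
    Default: "2023-01-01"                  # assumed starting value

Resources:
  docDbPassword:
    Type: Custom::Secret
    Properties:
      Name: !Ref docDbAdminPassword
      Description: DocumentDB password
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 16
      ReturnSecret: true
      # Any change to Version makes the custom resource produce a new secret on stack update
      Version: !Ref SecretVersion
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider

  docDbCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: docdbadmin             # assumed user name
      # Because the cluster references the secret's Secret attribute, the same stack
      # update that regenerates the password also applies it to the cluster.
      MasterUserPassword: !GetAtt docDbPassword.Secret
```

Keep the old password available (it is the value in Parameter Store before the update) until the cluster update has completed, so that a failed update can be rolled back without losing access.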

diegosasw commented 2 years ago

Fantastic! 👍

I just found that description of Version in the custom secret docs itself. Apologies, I must have missed it before.