
A demo template on using CloudFormation to create an Amazon RDS database. The template additionally creates a username and password for the database, and stores it in AWS Secrets Manager.


RDS and Secrets Manager for AWS Deployment.

This repo contains the YAML template and the Python file needed to spin up a PostgreSQL RDS database in AWS together with a Secrets Manager secret that holds the database's username and password. When the stack is first created, the secret's password is immediately replaced with a generated, complex string, so the initial value never has to be written into the template. You can then read the secret in the AWS Console, from the AWS CLI, or from your own code using the AWS SDK for the language of your choice.
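As an added example (not the repo's own Python file), the following shows how code on the web server would read the credentials this stack stores and turn them into a PostgreSQL connection string. It assumes the secret is a JSON document with the keys that the AWS-provided RDS rotation functions expect (username, password, engine, host, port, dbname); the secret name is a placeholder, and the stub client and sample secret are constructed here so the module runs offline.

```python
"""Read the RDS credentials stored in Secrets Manager and build a libpq DSN.

Added example, not the repository's own code. Assumes the secret is JSON with
the keys username, password, engine, host, port and dbname; SECRET_ID is a
placeholder to be replaced with the secret's name or ARN from the stack.
"""
import json
from urllib.parse import quote

SECRET_ID = "<<your-secret-name-or-arn>>"  # placeholder, not a real value

REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")


def parse_rds_secret(secret_string):
    """Validate the SecretString JSON and return the connection fields.

    Failing loudly on a missing key is deliberate: a half-populated secret
    (for example one created by hand in the console) should not silently
    produce a connection attempt with empty credentials.
    """
    secret = json.loads(secret_string)
    missing = [key for key in REQUIRED_KEYS if key not in secret]
    if missing:
        raise ValueError("secret is missing keys: %s" % ", ".join(missing))
    engine = secret.get("engine", "postgres")
    if engine != "postgres":
        raise ValueError("expected a postgres secret, got %r" % engine)
    return {
        "user": secret["username"],
        "password": secret["password"],
        "host": secret["host"],
        "port": int(secret["port"]),
        "dbname": secret["dbname"],
    }


def build_dsn(fields):
    """Build a postgresql:// URI.

    The generated password contains characters that are reserved in URIs
    (@ / : # and so on), so it is percent-encoded rather than pasted in raw.
    """
    return "postgresql://{user}:{pw}@{host}:{port}/{dbname}".format(
        user=quote(fields["user"], safe=""),
        pw=quote(fields["password"], safe=""),
        host=fields["host"],
        port=fields["port"],
        dbname=fields["dbname"],
    )


def fetch_secret_string(secret_id, client=None):
    """Call Secrets Manager GetSecretValue and return the SecretString.

    The client is injectable so the function can be exercised offline; with
    no client given it uses boto3, which needs AWS credentials that carry the
    secretsmanager:GetSecretValue permission for this secret.
    """
    if client is None:
        import boto3  # real AWS call; only reached outside the offline path
        client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_id)
    return response["SecretString"]


def dsn_for(secret_id, client=None):
    """Fetch, validate and format the secret in one step."""
    return build_dsn(parse_rds_secret(fetch_secret_string(secret_id, client)))


class StubSecretsClient:
    """Constructed stand-in for the boto3 Secrets Manager client (no network)."""

    def __init__(self, secret_string):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._secret_string}


# Constructed sample secret, shaped like the JSON the stack stores.
SAMPLE_SECRET = json.dumps({
    "username": "masteruser",
    "password": "p@ss/w:rd#1",
    "engine": "postgres",
    "host": "sampledb.cluster-example.us-west-2.rds.amazonaws.com",
    "port": 5432,
    "dbname": "rampupdb",
})

if __name__ == "__main__":
    fields = parse_rds_secret(fetch_secret_string(SECRET_ID, StubSecretsClient(SAMPLE_SECRET)))
    # Log the target, never the DSN itself: it embeds the password.
    print("would connect to %s:%d/%s as %s" % (fields["host"], fields["port"], fields["dbname"], fields["user"]))
```

The DSN returned by `dsn_for` can be handed straight to a driver such as psycopg2; keep it out of logs and error messages, since it carries the rotated password in cleartext.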

A Note on Secret Rotation

To automate secret rotation, I would currently recommend enabling the feature through the AWS Console. AWS provides documentation on building and editing a rotation Lambda, but it is not for the faint of heart or the inexperienced: the pre-built rotation Lambdas for RDS are fairly complex, and a rotation that fails part-way can leave the secret and the database password out of step, so test rotation against a non-production database first.


Template Parameters

This template uses several parameters, most of which have default values. One parameter, however, must be updated before you deploy the stack.

Parameter      Description                                                                        Current Value
VPCStackName   The name of your parent stack that builds a VPC network with public and private   sharina-cf-built
               subnets.

How to Deploy

Prerequisites

If you prefer to deploy this stack via the command line, you will need the AWS CLI.

You will need to have already deployed a stack that builds out a VPC network with public and private subnets in three AWS Availability Zones. That parent stack must export its subnets, because this template imports them by the parent stack's name.

The CloudFormation template used to accomplish the build of a parent stack for this template can be found in the 1Strategy GitHub repo: vpc-starter-template.

You will also need to create a folder called "parameters" and, within it, a file called "create_params.json". Add the parameter noted above to this file so that the create-stack command below can pick it up from the AWS CLI. The JSON should look like this:

[
    {
        "ParameterKey": "VPCStackName",
        "ParameterValue": "sharina-cf-built"
    }
]

Validate/Lint Stack

aws cloudformation validate-template --template-body file://templates/ramp-up-project-rotation.yaml

Create the Stack

If you have multiple profiles you could deploy to, make sure to add the --profile <profile-name> option to your command. Note that --disable-rollback leaves the resources of a failed creation in place so you can inspect them; drop it once the template deploys cleanly.

aws cloudformation create-stack \
--template-body file://templates/ramp-up-project-rotation.yaml \
--parameters file://parameters/create_params.json \
--stack-name <<Stack Name>> \
--capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
--disable-rollback

To update the stack, use the update-stack command:

aws cloudformation update-stack \
--template-body file://templates/ramp-up-project-rotation.yaml \
--parameters file://parameters/create_params.json \
--stack-name <<Stack Name>> \
--capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND

Install PSQL onto the Webserver

If you wish, here are some additional follow-up steps to take, via your terminal, to install PostgreSQL on your web server and connect to the RDS database. Your username and password are in AWS Secrets Manager, not in the template. Only the psql client is strictly required to reach RDS; the local server initialised below is not used by the connection.

SSH into your web server via your bastion host (the .pem file given to -i is the key pair's private key; keep it readable only by your user):

ssh -J ec2-user@bastionHostIPAddress ec2-user@webserverIPAddress -i <<publicKeyFileName>>.pem

Do an update

sudo yum update

Install PostgreSQL.

  • Which version of PostgreSQL you get will depend on the version of the distribution.

sudo yum install postgresql-server

Initialize the local PostgreSQL data directory (this sets up the local server on the web server, not the RDS instance):

sudo postgresql-setup initdb

Connect to your AWS PostgreSQL DB:

  • You'll find your Database Name (DBName) in the AWS Console, under the Configuration tab, after you have clicked on your database link in your list of databases.

psql -h <<databaseEndPointAddress>> -U <<yourDBUsername>> <<yourDBName>>

Interact with your DB as usual, using SQL.

Contributors

Sharina Stubbs

Many thanks to the following for sharing their knowledge.

  • Alexandra Shumway
  • Doug Ireton
  • Julie Erlemeier
  • Stephanie Lingwood

Resources Used

AWS Docs:

RDS:

Blog Posts and Resources Outside AWS:

Secrets Manager: