cfn-modules/rds-aurora-serverless

Ability to use a secrets manager secret to set the master password

Closed this issue · 6 comments

This is a feature request rather than an issue.

I'd like to be able to use Secrets Manager to manage my secrets rather than specify the master password directly in CloudFormation source code.

For the stacks I have at the moment I have created a bit of a copy of your projects for an aws secret here, it's also published here if you want to try it out.

Then I would like to be able to use this stack as the provider for the password using something like #4 with code like this...

  Key:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName'
      TemplateURL: './node_modules/@cfn-modules/kms-key/module.yml'
  MySqlMasterPassword:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        KmsKeyModule: !GetAtt 'Key.Outputs.StackName'
        Name: "SQL/Prod/MASTER-PASSWORD"
      TemplateURL: './node_modules/cfn-modules-secret/module.yml'
  AuroraServerlessCluster:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName'
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName'
        ClientSgModule: !GetAtt 'ClientSg.Outputs.StackName'
        KmsKeyModule: !GetAtt 'Key.Outputs.StackName'
        DBName: 'finance_tracker'
        DBMasterUsername: 'master'
        DBMasterUserPasswordSecretModule: !GetAtt 'MySqlMasterPassword.Outputs.StackName'
      TemplateURL: './node_modules/@cfn-modules/rds-aurora-serverless/module.yml'

This will probably need some discussion so I guess this is very much a work in progress. If you think it would be a good idea, I would be very happy if the code moves from here into this organisation and then a PR to allow its use in this repo.

That's great! I'm happy with the new secret module and its integration into the aurora module. If you are fine with moving the repo over to the cfn-modules org that's fine for me. Otherwise, we can also fork your repo. Let me know what you think :)

Happy to transfer ptmclean/secret. That is probably the cleanest way. I think I need permission to create repositories in the cfn-modules organisation to do that. If that's right then could you grant that and then I'll transfer.

Thanks for that! I have transferred the repo. There are a few things still needed there, in particular, the build/package upload. There may be other things, it would certainly be worth a once over. Let me know if you would like me to look at anything with cfn-modules/secret. When I get a chance I'll clean up #4 to allow use of this module in the Aurora module.

Thanks @ptmclean, I added you as a collaborator to the new repository (invite link should be in your inbox). I will add all the needed stuff including tests now.
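For reference, the plain CloudFormation mechanism that the request in this thread builds on, as an added example that is not taken from the thread or from the cfn-modules code: a generated Secrets Manager secret feeds the cluster's master credentials through dynamic references, so no password appears in the template. The logical IDs, the `KmsKeyArn` parameter and the engine settings are assumptions; the secret name, database name and username come from the snippet in the issue.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KmsKeyArn: # assumed parameter: ARN of the KMS key used for the secret and the cluster
    Type: String
Resources:
  MasterSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: 'SQL/Prod/MASTER-PASSWORD'
      KmsKeyId: !Ref KmsKeyArn
      GenerateSecretString:
        # Secrets Manager generates the password; it never appears in source control.
        SecretStringTemplate: '{"username": "master"}'
        GenerateStringKey: 'password'
        PasswordLength: 32
        ExcludeCharacters: '"@/\' # characters RDS does not accept in a master password
  Cluster:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: 'aurora-mysql' # assumed engine settings for a serverless cluster
      EngineMode: 'serverless'
      DatabaseName: 'finance_tracker'
      StorageEncrypted: true
      KmsKeyId: !Ref KmsKeyArn
      # Instead of a literal such as MasterUserPassword: 'changeme' in the template,
      # both values are resolved from the secret at deploy time.
      MasterUsername: !Sub '{{resolve:secretsmanager:${MasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MasterSecret}:SecretString:password}}'
  SecretAttachment:
    # Records the cluster's connection details (host, port, engine) in the secret,
    # which Secrets Manager needs if rotation is enabled later.
    Type: 'AWS::SecretsManager::SecretTargetAttachment'
    Properties:
      SecretId: !Ref MasterSecret
      TargetId: !Ref Cluster
      TargetType: 'AWS::RDS::DBCluster'
```

Applications should read the credentials from the secret at runtime with `secretsmanager:GetSecretValue` scoped to this secret's ARN, plus `kms:Decrypt` on the key, rather than receiving the password as a stack parameter or output.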