--- AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::SecretsManager-2020-07-23 Description: "This template deploys rotation secrets for the database schemas (qs-1snm79fe6)." Metadata: LintSpellExclude: - Discngine - 3decision Parameters: Subnets: Type: String DatabaseName: Type: String VpcId: Type: String DBSecurityGroup: Type: String NodeGroupArn: Type: String InitialPassword: Type: String Default: "Ch4ng3m3f0rs3cur3p4ss" Resources: AdminPassword: Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Retain DeletionPolicy: Delete Properties: Description: String SecretString: !Sub '{"username": "admin", "password": "${InitialPassword}"}' Name: 3dec-admin-db UserPassword: Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Retain DeletionPolicy: Delete Properties: Description: String SecretString: !Sub '{"username": "PD_T1_DNG_THREEDECISION", "password": "${InitialPassword}"}' Name: 3dec-user-db ChemblPassword: Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Retain DeletionPolicy: Delete Properties: Description: String SecretString: !Sub '{"username": "CHEMBL_29", "password": "${InitialPassword}"}' Name: 3dec-chembl-db ChoralPassword: Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Retain DeletionPolicy: Delete Properties: Description: String GenerateSecretString: SecretStringTemplate: '{"username": "CHORAL_OWNER"}' GenerateStringKey: "password" PasswordLength: 30 ExcludeCharacters: "' ! \" # $ % & ( ) * + , - . / : ; < = > ? @ [ \\ ] ^ ` { | } ~" Name: 3dec-choral-db LambdaSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Creates lambda security group to acces database" VpcId: !Ref VpcId SecurityGroupIngress: - SourceSecurityGroupId: !Ref DBSecurityGroup IpProtocol: TCP FromPort: 1521 ToPort: 1521 SecurityGroupEgress: - CidrIp: 0.0.0.0/0 IpProtocol: "-1" AllowLambdaAccess: Type: AWS::EC2::SecurityGroupIngress Properties: FromPort: 1521 ToPort: 1521 IpProtocol: TCP SourceSecurityGroupId: !Ref LambdaSecurityGroup GroupId: !Ref DBSecurityGroup SecretRDSInstanceAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref AdminPassword TargetId: !Ref DatabaseName TargetType: AWS::RDS::DBInstance AdminRotate: Type: AWS::SecretsManager::RotationSchedule DependsOn: SecretRDSInstanceAttachment UpdateReplacePolicy: Retain DeletionPolicy: Delete Metadata: { cfn-lint: { config: { ignore_checks: [ E3002 ] } } } Properties: HostedRotationLambda: ExcludeCharacters: "' ! \" # $ % & ( ) * + , - . / : ; < = > ? @ [ \\ ] ^ ` { | } ~" RotationLambdaName: SecretsManagerRotation RotationType: OracleSingleUser VpcSubnetIds: !Ref Subnets VpcSecurityGroupIds: !Ref LambdaSecurityGroup RotateImmediatelyOnUpdate: true RotationRules: AutomaticallyAfterDays: 30 SecretId: !Ref AdminPassword UserSecretRDSInstanceAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref UserPassword TargetId: !Ref DatabaseName TargetType: AWS::RDS::DBInstance UserRotate: Type: AWS::SecretsManager::RotationSchedule DependsOn: AdminRotate UpdateReplacePolicy: Retain DeletionPolicy: Delete Metadata: { cfn-lint: { config: { ignore_checks: [ E3002 ] } } } Properties: RotationLambdaARN: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:SecretsManagerRotation' RotateImmediatelyOnUpdate: true RotationRules: AutomaticallyAfterDays: 30 SecretId: !Ref UserPassword ChemblSecretRDSInstanceAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref ChemblPassword TargetId: !Ref DatabaseName TargetType: AWS::RDS::DBInstance ChemblRotate: Type: AWS::SecretsManager::RotationSchedule DependsOn: AdminRotate UpdateReplacePolicy: Retain DeletionPolicy: Delete Metadata: { cfn-lint: { config: { ignore_checks: [ E3002 ] } } } Properties: RotationLambdaARN: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:SecretsManagerRotation' RotateImmediatelyOnUpdate: true RotationRules: AutomaticallyAfterDays: 30 SecretId: !Ref ChemblPassword ChoralSecretRDSInstanceAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: !Ref ChoralPassword TargetId: !Ref DatabaseName TargetType: AWS::RDS::DBInstance ChoralRotate: Type: AWS::SecretsManager::RotationSchedule DependsOn: AdminRotate UpdateReplacePolicy: Retain DeletionPolicy: Delete Metadata: { cfn-lint: { config: { ignore_checks: [ E3002 ] } } } Properties: RotationLambdaARN: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:SecretsManagerRotation' RotateImmediatelyOnUpdate: false RotationRules: AutomaticallyAfterDays: 30 SecretId: !Ref ChoralPassword Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: - !Ref NodeGroupArn Action: - 'sts:AssumeRole' Description: 'Role designed to create kubernetes secrets from secrets manager for 3decision quickstart' RoleName: !Sub '3decision-database-secrets-${AWS::Region}' Policy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub '3decision-database-secrets-${AWS::Region}' Roles: - !Ref Role PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - secretsmanager:GetResourcePolicy - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret - secretsmanager:ListSecretVersionIds Resource: - !Ref AdminPassword - !Ref UserPassword - !Ref ChemblPassword - !Ref ChoralPassword Outputs: RoleArn: Value: !GetAtt Role.Arn