Dynamic References in AWS CloudFormation

AWS CloudFormation allows you to reference dynamic values from Systems Manager Parameter Store and Secrets Manager. These references are resolved during stack operations such as create, update, or delete.

Key Points:

• Systems Manager Parameter Store: Stores plaintext or encrypted values.
• Secrets Manager: Manages and rotates secrets such as database credentials.

Supported Reference Types:

• ssm: For plaintext values in Parameter Store.
• ssm-secure: For secure strings in Parameter Store.
• secretsmanager: For secrets in Secrets Manager.

Syntax for Dynamic References:

• For SSM: {{resolve:ssm:parameter-name:version}}

Examples:

1. Amazon S3 Bucket Access Control:
   • Resolved from SSM Parameter Store using {{resolve:ssm:parameter-name}}.
2. IAM User Password:
   • Resolved as a secure parameter from Parameter Store using {{resolve:ssm-secure:parameter-name}}.
3. RDS Database Credentials:
   • Master username and password resolved from Secrets Manager using {{resolve:secretsmanager:secret-id:json-key:version-stage}}.

CloudFormation and RDS Integration:

• Implicit Secret Creation: When creating an RDS Database with ManageMasterUserPassword: true, RDS will create a secret in Secrets Manager for the Master User Password.
  • Retrieve secret ARN using GetAtt intrinsic function in CloudFormation outputs.

• Explicit Secret Creation: Create a secret within the CloudFormation template.
  • Use GenerateStringKey for automatic password generation.
  • Reference the secret in the RDS instance using dynamic references.
  • Create a secret RDS attachment for password rotation and automatic updates.