01-secret-rotation.yml

Transform: "AWS::Serverless-2016-10-31"

Parameters:
  AppName:
    Type: String
  ApplicationSG:
    Type: AWS::EC2::SecurityGroup::Id
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>
  Secret:
    Type: String

Resources:
  Function:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
        SemanticVersion: 1.0.64
      Parameters: 
        endpoint: !Sub 'https://secretsmanager.${AWS::Region}.amazonaws.com'
        functionName: !Sub ${AppName}SecretRotation
        vpcSecurityGroupIds: !Ref ApplicationSG
        vpcSubnetIds: !Join [',', !Ref Subnets]

  FunctionPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !GetAtt Function.Outputs.RotationLambdaARN
      Principal: 'secretsmanager.amazonaws.com'

  RotationSchedule:
    DependsOn:
    - FunctionPermissions
    Type: "AWS::SecretsManager::RotationSchedule"
    Properties:
      SecretId: !Ref Secret
      RotationLambdaARN: !GetAtt Function.Outputs.RotationLambdaARN
      RotationRules:
        AutomaticallyAfterDays: 7