So, let's talk about Secrets Manager and its integration with CloudFormation.

So in the case of RDS and Aurora, if we specify a CloudFormation template that looks like this, and in it we specify the Manage Master User Password boolean to be true, then automatically a secret is going to be created by RDS. How does that work? Well, in your CloudFormation template, of course, we have defined an RDS database, therefore it's going to be created, and then RDS will create a secret in Secrets Manager and generate a password for your admin. The benefit of this is that the secret is going to be entirely managed by RDS, including the rotation mechanism. So it's a shorthand to make it more simple for you. In that case, if you wanted to have a reference to that secret, what you can do is get the secret ARN out of the Get Attribute function on my cluster, as you can see on the bottom right. So that's the first way of doing things.

The second way is to actually define the secret in Secrets Manager within CloudFormation and then you use a dynamic reference. So if we wanted to, again, create an RDS database, but this time we wanted to manage the secret ourselves, how would we do it? Well, the first thing to do would be to generate a secret as part of your resources, and you define what it is and the password length and so on. Then you reference the secret in your RDS database instance for the master username and master user password, and this is using a dynamic reference. As you can see, the syntax right here with the resolve type of syntax is using a dynamic reference, and then we link the secret to the RDS database instance by doing what's called a Secret RDS Database Instance Attachment, so that we know, and we tell AWS, that this secret is tightly linked with our RDS database.

Okay, so that's it for this lecture. I hope you liked it and I will see you in the next lecture.
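The two patterns the lecture describes, written out as one CloudFormation template. This is an added example, not the slide template shown in the lecture: the parameter names, logical resource names (`ManagedCluster`, `DBSecret`, `SelfManagedInstance`, `SecretAttachment`) and the assumption that a DB subnet group and security group already exist are all mine. Option 1 uses `ManageMasterUserPassword` so no password ever appears in the template and the secret ARN is read back with `GetAtt`; option 2 creates the secret explicitly, injects it with a `{{resolve:secretsmanager:...}}` dynamic reference, and then declares the `SecretTargetAttachment` so the secret records which database it belongs to.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the lecture's own template): the two ways of wiring
  RDS/Aurora to Secrets Manager. Option 1 lets RDS manage the master
  password; option 2 defines the secret explicitly and injects it with a
  dynamic reference. The subnet group and security group are assumed to
  exist and are passed in as parameters. In practice you would pick one
  option per database; both are shown here side by side.

Parameters:
  DBSubnetGroupName:
    Type: String
    Description: Name of an existing DB subnet group (assumed to exist)
  DBSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for the database (assumed to exist)

Resources:
  # -------------------------------------------------------------------
  # Option 1: RDS creates the master user secret and owns its rotation.
  # No password literal anywhere in the template. (Cluster instances are
  # omitted to keep the example focused on the secret.)
  # -------------------------------------------------------------------
  ManagedCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      MasterUsername: admin
      ManageMasterUserPassword: true
      DBSubnetGroupName: !Ref DBSubnetGroupName
      VpcSecurityGroupIds:
        - !Ref DBSecurityGroupId
      StorageEncrypted: true

  # -------------------------------------------------------------------
  # Option 2: we own the secret, hand it to the instance through a
  # dynamic reference, then attach it so rotation knows the target.
  # -------------------------------------------------------------------
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for SelfManagedInstance
      GenerateSecretString:
        # Fixed fields of the JSON secret; the password key is generated
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # Characters that break connection strings or RDS password rules
        ExcludeCharacters: '"@/\'

  SelfManagedInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      # Ref on a Secrets Manager secret returns its ARN, which is what the
      # dynamic reference needs as the secret id; CloudFormation resolves
      # the value at deploy time and never stores it in the template.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      DBSubnetGroupName: !Ref DBSubnetGroupName
      VPCSecurityGroups:
        - !Ref DBSecurityGroupId
      StorageEncrypted: true

  # Tells Secrets Manager which database this secret belongs to; after
  # attachment the secret string also carries host, port, engine and
  # dbInstanceIdentifier, which the RDS rotation function relies on.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref SelfManagedInstance
      TargetType: AWS::RDS::DBInstance

Outputs:
  ManagedSecretArn:
    Description: ARN of the secret RDS created for option 1
    Value: !GetAtt ManagedCluster.MasterUserSecret.SecretArn
  SelfManagedSecretArn:
    Description: ARN of the secret we defined for option 2
    Value: !Ref DBSecret
```

A practical caveat with option 2: a `secretsmanager` dynamic reference is re-resolved only when the stack is updated, so once you enable rotation on `DBSecret` the database password and the secret stay in sync through the rotation function, not through CloudFormation. That is the reason the attachment matters: without it the rotation function has no connection details to reach the instance.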