-1
  1. I have an existing secret in secrets manager.
    The arn looks like that :
    arn:aws:secretsmanager:<region>:<accountid>:secret:<mysecret>-d1fX1Y
    As we all know the suffix is added by AWS.

"Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. "

  1. I have a cloudformation template and I need somehow to get the arn of this secret into the template.

The arn is not static it may change.

As far as I understand it is impossible to use !Ref because the resource is not created in the same stack.

I've tried to use !Sub with wildcard but the result is the same as it doesn't do a lookup.

Maybe any1 have an idea or workaround for that?

Here is the part of the template.

Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:mysecret-*"
stolyar
  • 1
  • 2

3 Answers3

1

You set it up so the ARN of the secret is passed in SSM parameter store and then use the parameter store value as a parameter in your cloudformation you can then use !Ref function to refer the secret value in your CF template.

furydrive
  • 372
  • 2
  • 5
1

What you want to accomplish is to reference an Arn across Stacks? For example, if you export the ARN in the Stack creating the Secret, another Stack can reference that ARN with Fn::ImportValue.

Fn::ImportValue - AWS CloudFormation

The intrinsic function Fn::ImportValue returns the value of an output exported by another stack.

jhashimoto
  • 259
  • 2
  • 4
  • Hi thank you for you answer, what I'm trying to accomplish is to set an **environment variable** in cloudformation with a specific value. This value is ARN of other resource (which is not other cloudformation stack) is just a resource created by terraform. The question is: is it possible to just query other resource from cloudformation to get his arn. – stolyar Jan 25 '23 at 06:10
  • I may not fully understand what you want to do, but I have added another answer. – jhashimoto Jan 25 '23 at 20:28
0

This value is ARN of other resource (which is not other cloudformation stack) is just a resource created by terraform.

Suppose you add an SSM parameter resource with the Secret's Arn as a value to the .tf that creates the Secret. In that case, the CloudFormation template can reference that parameter with SSM dynamic references.

It looks like this (Not tested):

.tf

resource "aws_ssm_parameter" "example" {
  name  = "example"
  type  = "String"
  value = aws_secretsmanager_secret.<your_secret_name>.arn
}

aws_ssm_parameter | Resources | hashicorp/aws | Terraform Registry

template

Globals:
  Function:
    CodeUri: ./
    Timeout: 60
    Runtime: nodejs14.x
    VpcConfig:
      SecurityGroupIds: !Ref SecurityGroups
      SubnetIds: !Ref Subnets
    Environment:
      Variables:
        STAGE: !Sub "${Stage}"
        VERSION: !Sub "${Version}"
        SECRET_ARN: !Sub "{{resolve:ssm:example}}"

Using dynamic references to specify template values - AWS CloudFormation

jhashimoto
  • 259
  • 2
  • 4
  • Thank you. A little note for those who will use this method it works only for non-secured SSM params. – stolyar Jan 29 '23 at 13:23