updated the stack to use secrets manageer to store the database password so it will no longer be visable in the stack or the config.php file

Author: jtrollin

templates/00-master.yaml

@@ -56,7 +56,7 @@ Metadata:
         - DatabaseEncrpytedBoolean
         - DatabaseCmk
         - DatabaseMasterUsername
-        - DatabaseMasterPassword
+        # - DatabaseMasterPassword
         - DatabaseName
     - Label:
         default: Caching Tier
@@ -95,8 +95,8 @@ Metadata:
         default: DB Instance Class
       DatabaseMasterUsername:
         default: DB Master Username
-      DatabaseMasterPassword:
-        default: DB Master Password
+      # DatabaseMasterPassword:
+      #   default: DB Master Password
       DatabaseName:
         default: DB Name
       EfsCmk:
@@ -319,14 +319,14 @@ Parameters:
     MinLength: 1
     Type: String
     Default: moodle
-  DatabaseMasterPassword:
-    AllowedPattern: ^([a-zA-Z0-9`~!#$%^&*()_+,\\-])*$
-    ConstraintDescription: Must be letters (upper or lower), numbers, spaces, and these special characters `~!#$%^&*()_+,-
-    Description: The Amazon RDS master password. Letters, numbers, spaces, and these special characters `~!#$%^&*()_+,-
-    MaxLength: 41
-    MinLength: 8
-    NoEcho: true
-    Type: String
+  # DatabaseMasterPassword:
+  #   AllowedPattern: ^([a-zA-Z0-9`~!#$%^&*()_+,\\-])*$
+  #   ConstraintDescription: Must be letters (upper or lower), numbers, spaces, and these special characters `~!#$%^&*()_+,-
+  #   Description: The Amazon RDS master password. Letters, numbers, spaces, and these special characters `~!#$%^&*()_+,-
+  #   MaxLength: 41
+  #   MinLength: 8
+  #   NoEcho: true
+  #   Type: String
   DatabaseName:
     AllowedPattern: ^([a-zA-Z0-9]*)$
     Description: The Amazon RDS master database name.
@@ -806,6 +806,15 @@ Conditions:
     !Equals [ true, !Ref UseCloudFrontBoolean ]   
 
 Resources:
+  MyRDSInstanceSecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Description: 'This is the secret for my RDS instance'
+      GenerateSecretString:
+        SecretStringTemplate: !Sub '{"username": "${DatabaseMasterUsername}"}'
+        GenerateStringKey: 'password'
+        PasswordLength: 16
+        ExcludeCharacters: '"@/\'
   vpc:
     Type: AWS::CloudFormation::Stack
     Properties:
@@ -900,16 +909,16 @@ Resources:
           !GetAtt [ vpc, Outputs.Vpc ]
       TemplateURL: https://s3.amazonaws.com/aws-refarch/moodle/latest/templates/03-publicalb.yaml
   rds:
-    DependsOn: [ securitygroups, securitygroups ]
+    DependsOn: [ securitygroups ]
     Type: AWS::CloudFormation::Stack
     Properties:
       Parameters:
         DatabaseInstanceType:
           !Ref DatabaseInstanceType
-        DatabaseMasterUsername:
-          !Ref DatabaseMasterUsername
-        DatabaseMasterPassword:
-          !Ref DatabaseMasterPassword
+        # DatabaseMasterUsername:
+        #   !Ref DatabaseMasterUsername
+        MyRDSInstanceSecretArn:
+          !Ref MyRDSInstanceSecret
         DatabaseName:
           !Ref DatabaseName
         DatabaseEncrpytedBoolean:
@@ -989,10 +998,10 @@ Resources:
       Parameters:
         DatabaseClusterEndpointAddress:
           !GetAtt [ rds, Outputs.DatabaseClusterEndpointAddress ]
-        DatabaseMasterUsername:
-          !Ref DatabaseMasterUsername
-        DatabaseMasterPassword:
-          !Ref DatabaseMasterPassword
+        # DatabaseMasterUsername:
+        #   !Ref DatabaseMasterUsername
+        MyRDSInstanceSecretArn:
+          !Ref MyRDSInstanceSecret
         DatabaseName:
           !Ref DatabaseName
         ElasticFileSystem:
@@ -1032,10 +1041,10 @@ Resources:
       Parameters:
         DatabaseClusterEndpointAddress:
           !GetAtt [ rds, Outputs.DatabaseClusterEndpointAddress ]
-        DatabaseMasterUsername:
-          !Ref DatabaseMasterUsername
-        DatabaseMasterPassword:
-          !Ref DatabaseMasterPassword
+        # DatabaseMasterUsername:
+        #   !Ref DatabaseMasterUsername
+        MyRDSInstanceSecretArn:
+          !Ref MyRDSInstanceSecret
         DatabaseName:
           !Ref DatabaseName
         ElasticFileSystem:

templates/03-rds.yaml

@@ -10,8 +10,8 @@ Metadata:
         default: Database Parameters
       Parameters:
         - DatabaseInstanceType
-        - DatabaseMasterUsername
-        - DatabaseMasterPassword
+        # - DatabaseMasterUsername
+        # - DatabaseMasterPassword
         - DatabaseName
         - DatabaseEncrpytedBoolean
         - DatabaseCmk
@@ -25,10 +25,10 @@ Metadata:
         default: AWS KMS Customer Master Key (CMK) to encrypt DB 
       DatabaseInstanceType:
         default: DB Instance Class 
-      DatabaseMasterUsername:
-        default: DB Master Username
-      DatabaseMasterPassword:
-        default: DB Master Password
+      # DatabaseMasterUsername:
+      #   default: DB Master Username
+      # DatabaseMasterPassword:
+      #   default: DB Master Password
       DatabaseName:
         default: DB Name
       DatabaseSecurityGroup:
@@ -62,20 +62,22 @@ Parameters:
     Default: db.r4.large
     Description: The Amazon RDS database instance class.
     Type: String
-  DatabaseMasterUsername:
-    AllowedPattern: ^([a-zA-Z0-9]*)$
-    Description: The Amazon RDS master username.
-    ConstraintDescription: Must contain only alphanumeric characters and be at least 8 characters.
-    MaxLength: 16
-    MinLength: 1
-    Type: String
-  DatabaseMasterPassword:
-    AllowedPattern: ^([a-z0-9A-Z`~!#$%^&*()_+,\\-])*$
-    ConstraintDescription: Must be letters (upper or lower), numbers, and these special characters '_'`~!#$%^&*()_+,-    
-    Description: The Amazon RDS master password.
-    MaxLength: 41
-    MinLength: 8
-    NoEcho: true
+  # DatabaseMasterUsername:
+  #   AllowedPattern: ^([a-zA-Z0-9]*)$
+  #   Description: The Amazon RDS master username.
+  #   ConstraintDescription: Must contain only alphanumeric characters and be at least 8 characters.
+  #   MaxLength: 16
+  #   MinLength: 1
+  #   Type: String
+  # DatabaseMasterPassword:
+  #   AllowedPattern: ^([a-z0-9A-Z`~!#$%^&*()_+,\\-])*$
+  #   ConstraintDescription: Must be letters (upper or lower), numbers, and these special characters '_'`~!#$%^&*()_+,-    
+  #   Description: The Amazon RDS master password.
+  #   MaxLength: 41
+  #   MinLength: 8
+  #   NoEcho: true
+  #   Type: String
+  MyRDSInstanceSecretArn:
     Type: String
   DatabaseName:
     AllowedPattern: ^([a-zA-Z0-9]*)$
@@ -142,7 +144,6 @@ Conditions:
     !Equals ['', !Ref DatabaseCmk]
 
 Resources:
-
   DatabaseCluster:
     Type: AWS::RDS::DBCluster
     Properties:
@@ -153,8 +154,8 @@ Resources:
       DBClusterParameterGroupName: default.aurora-postgresql11
       KmsKeyId:
         !If [ UseAWS-ManagedCMK, !Ref 'AWS::NoValue', !Ref DatabaseCmk ]
-      MasterUsername: !Ref DatabaseMasterUsername
-      MasterUserPassword: !Ref DatabaseMasterPassword
+      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSInstanceSecretArn, ':SecretString:username}}' ]]
+      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSInstanceSecretArn, ':SecretString:password}}' ]]
       Port: 5432
       StorageEncrypted: !Ref DatabaseEncrpytedBoolean
       Tags:
@@ -231,4 +232,5 @@ Outputs:
     Value: !Ref DataSubnetGroup
   DatabaseClusterEndpointAddress:
     Value: !GetAtt DatabaseCluster.Endpoint.Address
+