updated flow for SSM param first

copilot/todo-app/addons/db.yml

@@ -1,8 +1,5 @@
 ---
 AWSTemplateFormatVersion: 2010-09-09
-Transform:
-  - "AWS::Serverless-2016-10-31"
-  - "AWS::SecretsManager-2020-07-23"
 
 Parameters:
   App:
@@ -183,34 +180,6 @@ Resources:
         IncludeSpace: false
         PasswordLength: 16
 
-  SecretRotationTemplate:
-    Type: AWS::Serverless::Application
-    Properties:
-      Location:
-        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationSingleUser
-        SemanticVersion: 1.1.60
-      Parameters:
-        endpoint: !Sub https://secretsmanager.${AWS::Region}.amazonaws.com
-        functionName: !Sub ${AWS::StackName}-func
-        vpcSecurityGroupIds: !Ref RotationSecurityGroup
-        vpcSubnetIds:
-          Fn::Join:
-            - ","
-            - - !Select [
-                  0,
-                  !Split [
-                    ",",
-                    { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" },
-                  ],
-                ]
-              - !Select [
-                  1,
-                  !Split [
-                    ",",
-                    { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" },
-                  ],
-                ]
-
   SecretCredentialPolicy:
     Type: AWS::SecretsManager::ResourcePolicy
     Properties:
@@ -230,15 +199,6 @@ Resources:
                   - !Ref "AWS::AccountId"
                   - ":root"
 
-  SecretRotationSchedule:
-    Type: AWS::SecretsManager::RotationSchedule
-    DependsOn: SecretAuroraClusterAttachment
-    Properties:
-      SecretId: !Ref AuroraSecret
-      RotationLambdaARN: !GetAtt SecretRotationTemplate.Outputs.RotationLambdaARN
-      RotationRules:
-        AutomaticallyAfterDays: 30
-
   AuroraDBCluster:
     Type: AWS::RDS::DBCluster
     Properties:
@@ -288,3 +248,27 @@ Outputs:
   PostgresData: # injected as POSTGRES_DATA environment variable by Copilot.
     Description: "The JSON secret that holds the database username and password. Fields are 'host', 'dbname', 'username', 'password'"
     Value: !Ref AuroraSecret
+
+  AuroraDBCluster:
+    Description: "Cluster Reference for Credential Rotation"
+    Value: !Ref AuroraDBCluster
+    Export:
+      Name: AuroraDBCluster
+
+  RotationSecurityGroup:
+    Description: "The Credential Rotation Security Group"
+    Value: !Ref RotationSecurityGroup
+    Export:
+      Name: RotationSecurityGroup
+
+  SecretAuroraClusterAttachment:
+    Description: "The Credential Attachment to the Cluster"
+    Value: !Ref SecretAuroraClusterAttachment
+    Export:
+      Name: SecretAuroraClusterAttachment
+
+  AuroraSecret:
+    Description: "The secret credential to pass to rotation stack"
+    Value: !Ref AuroraSecret
+    Export:
+      Name: AuroraSecret

copilot/todo-app/manifest.yml

@@ -30,9 +30,7 @@ cpu: 256
 memory: 512
 # Number of tasks that should be running in your service.
 count: 1
-#Define secrets here:
-secrets: # Pass secrets from AWS Systems Manager (SSM) Parameter Store.
-  DEMO_PARAMETER: DEMO_PARAMETER # The key is the name of the environment variable, the value is the name of the SSM parameter.
+
 # Optional fields for more advanced use-cases.
 #
 variables: # Pass environment variables as key value pairs.

rotation.yml

@@ -0,0 +1,52 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Transform:
+  - "AWS::Serverless-2016-10-31"
+
+Parameters:
+  App:
+    Type: String
+    Description: Your application's name.
+  Env:
+    Type: String
+    Description: The environment name your service, job, or workflow is being deployed to.
+  Name:
+    Type: String
+    Description: The name of the service, job, or workflow being deployed.
+
+Resources:
+  SecretRotationTemplate:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location:
+        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationSingleUser
+        SemanticVersion: 1.1.60
+      Parameters:
+        endpoint: !Sub https://secretsmanager.${AWS::Region}.amazonaws.com
+        functionName: !Sub ${AWS::StackName}-func
+        vpcSecurityGroupIds: !ImportValue RotationSecurityGroup
+        vpcSubnetIds:
+          Fn::Join:
+            - ","
+            - - !Select [
+                  0,
+                  !Split [
+                    ",",
+                    { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" },
+                  ],
+                ]
+              - !Select [
+                  1,
+                  !Split [
+                    ",",
+                    { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" },
+                  ],
+                ]
+
+  SecretRotationSchedule:
+    Type: AWS::SecretsManager::RotationSchedule
+    Properties:
+      SecretId: !ImportValue AuroraSecret
+      RotationLambdaARN: !GetAtt SecretRotationTemplate.Outputs.RotationLambdaARN
+      RotationRules:
+        AutomaticallyAfterDays: 30