Given context
A company is using AWS CloudFormation to deploy its two-tier web application to the cloud. The application frontend is hosted on an Auto Scaling group of Amazon EC2 instances, and the database is an Amazon RDS for MySQL instance. The database password is rotated every 60 days to improve security.
Dynamic references in AWS CloudFormation are a mechanism for retrieving values stored in other AWS services during stack creation, update, or deletion. They provide a way to access and use external values from various AWS resources in your CloudFormation templates. Here’s a more detailed explanation of how dynamic references work and why they matter:
- Value Retrieval: Dynamic references enable you to specify external values, such as secrets, configuration parameters, or other resource attributes, directly within your CloudFormation templates. Instead of hardcoding values, you reference the source of these values using a dynamic reference.
- Automatic Resolution: CloudFormation automatically resolves dynamic references at the time of stack operations. This means that CloudFormation retrieves the actual value from the referenced source during these operations, ensuring that your stack has access to the most up-to-date information.
- Supported AWS Services: Dynamic references can be used with various AWS services, including AWS Secrets Manager, AWS Systems Manager Parameter Store, AWS Identity and Access Management (IAM) roles, and more. Each dynamic reference type is designed to work with specific AWS services.
- Security and Management: Dynamic references are particularly useful when dealing with sensitive information like passwords or API keys. By using services like AWS Secrets Manager or Systems Manager Parameter Store, you can securely manage and centralize these values while making them accessible to your CloudFormation stacks.
- Flexibility: Dynamic references are flexible because they allow you to reference a specific attribute or property of an external resource. For example, you can use dynamic references to access a particular parameter stored in Systems Manager Parameter Store or retrieve a specific secret from AWS Secrets Manager.
- Synchronization with Resource Updates: When the referenced external value changes, CloudFormation ensures that your stack remains in sync with these updates. If the source value changes, CloudFormation will automatically detect the change and update the resources that depend on it.
- Avoiding Hardcoding: By using dynamic references, you avoid hardcoding values in your CloudFormation templates. This not only makes your templates more maintainable but also enhances security by centralizing sensitive data management.
Here’s a simple example using AWS Secrets Manager:
Resources:
  MySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MyDatabasePassword
      GenerateSecretString:
        SecretStringTemplate: '{"username":"admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
In this example, MySecret is an AWS Secrets Manager secret that generates a random password. When other resources in the template point at this secret through a dynamic reference, CloudFormation automatically resolves the password attribute when necessary.
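The following template is an added example, not code from the original page or from AWS, that carries the secret above through to the two-tier scenario in the given context: the RDS for MySQL master credentials are consumed through a {{resolve:secretsmanager:...}} dynamic reference, and the password is rotated every 60 days. The resource names, the subnet group, security group and subnet IDs, and the use of the AWS-hosted MySQL single-user rotation function are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original page). RDS for MySQL whose master
  password is generated in Secrets Manager, consumed via a dynamic reference,
  and rotated every 60 days. Network identifiers are placeholders.

Parameters:
  DBSubnetGroupName:
    Type: String
    Description: Existing DB subnet group (assumed to exist; placeholder value)
  DBSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group allowing MySQL from the frontend Auto Scaling group (assumed)

Resources:
  # The secret: Secrets Manager generates the password, so it never appears in
  # the template, in stack parameters, or in stack outputs.
  DBPasswordSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MyDatabasePassword
      Description: Master credentials for the application database
      GenerateSecretString:
        SecretStringTemplate: '{"username":"admin"}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: '"@/\'   # avoid characters that break MySQL connection strings

  # The database consumes the secret through dynamic references. CloudFormation
  # resolves {{resolve:secretsmanager:...}} while it creates or updates the
  # stack; !Ref on the secret returns its ARN, which is what the reference needs.
  AppDatabase:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      StorageEncrypted: true
      PubliclyAccessible: false
      DBSubnetGroupName: !Ref DBSubnetGroupName
      VPCSecurityGroups:
        - !Ref DBSecurityGroupId
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBPasswordSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBPasswordSecret}:SecretString:password}}'

  # Ties the secret to the instance: the rotation function learns which database
  # to update, and host/port/dbname are added to the secret's JSON.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBPasswordSecret
      TargetId: !Ref AppDatabase
      TargetType: AWS::RDS::DBInstance

  # 60-day rotation with the AWS-hosted MySQL single-user rotation function.
  # VPC settings are assumed placeholders; they are needed because the database
  # is only reachable from inside the VPC.
  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DBPasswordSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSecurityGroupIds: !Ref DBSecurityGroupId
        VpcSubnetIds: subnet-placeholder-a,subnet-placeholder-b
      RotationRules:
        AutomaticallyAfterDays: 60

Outputs:
  DBSecretArn:
    Description: ARN the frontend instances use to read the current credentials at runtime
    Value: !Ref DBPasswordSecret
```

Two design points follow from the "Automatic Resolution" item above. First, the dynamic reference is resolved when the stack is created or updated, so the template itself never contains the password and a template stored in version control or shown in the console does not leak it. Second, because rotation changes the secret outside of a stack operation, the frontend instances should fetch the secret from Secrets Manager (for example with GetSecretValue, using an instance role that is allowed to read only this secret ARN) each time they open a database connection, rather than relying on a value captured when the stack was deployed; the SecretTargetAttachment keeps the secret's JSON in step with the database endpoint so the instances get both the host and the current password from one place.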
Dynamic references enhance the flexibility, security, and maintainability of your CloudFormation templates, making it easier to manage complex infrastructure while keeping sensitive data secure.