


# AWS::SecretsManager::RotationSchedule
<a name="aws-resource-secretsmanager-rotationschedule"></a>

Configure the rotation schedule and Lambda rotation function for a secret. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html).

For database credentials, refer to the following resources:
+ Amazon RDS master user credentials: [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html)
+ Amazon Redshift admin user credentials: [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html)

Choose one of the following options for the rotation function:
+ Create a new rotation function using `HostedRotationLambda` based on a [Secrets Manager rotation function template](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html).
+ Use an existing rotation function by specifying its ARN with `RotationLambdaARN`.

**Important**  
For database secrets defined in the same CloudFormation template as the database or service:  
+ Use the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with connection details.
+ Add a `DependsOn` attribute to the `RotationSchedule` resource that references the `SecretTargetAttachment`. This ensures the rotation is configured after the secret is populated with connection details.

**Note**  
You can define only one rotation schedule per secret.

## Syntax
<a name="aws-resource-secretsmanager-rotationschedule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-secretsmanager-rotationschedule-syntax.json"></a>

```
{
  "Type" : "AWS::SecretsManager::RotationSchedule",
  "Properties" : {
      "ExternalSecretRotationMetadata" : [ ExternalSecretRotationMetadataItem, ... ],
      "ExternalSecretRotationRoleArn" : String,
      "HostedRotationLambda" : HostedRotationLambda,
      "RotateImmediatelyOnUpdate" : Boolean,
      "RotationLambdaARN" : String,
      "RotationRules" : RotationRules,
      "SecretId" : String
    }
}
```

### YAML
<a name="aws-resource-secretsmanager-rotationschedule-syntax.yaml"></a>

```
Type: AWS::SecretsManager::RotationSchedule
Properties:
  ExternalSecretRotationMetadata:
    - ExternalSecretRotationMetadataItem
  ExternalSecretRotationRoleArn: String
  HostedRotationLambda:
    HostedRotationLambda
  RotateImmediatelyOnUpdate: Boolean
  RotationLambdaARN: String
  RotationRules:
    RotationRules
  SecretId: String
```

## Properties
<a name="aws-resource-secretsmanager-rotationschedule-properties"></a>

`ExternalSecretRotationMetadata`  <a name="cfn-secretsmanager-rotationschedule-externalsecretrotationmetadata"></a>
Property description not available.  
*Required*: No  
*Type*: Array of [ExternalSecretRotationMetadataItem](aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExternalSecretRotationRoleArn`  <a name="cfn-secretsmanager-rotationschedule-externalsecretrotationrolearn"></a>
Property description not available.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`HostedRotationLambda`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda"></a>
Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html). To use a rotation function that already exists, specify `RotationLambdaARN` instead.  
You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template. Transforms are macros hosted by AWS CloudFormation that help you create and manage complex infrastructure. The `Transform: AWS::SecretsManager-2024-09-16` transform automatically extends the CloudFormation stack to include a nested stack (of type `AWS::CloudFormation::Stack`), which creates the appropriate rotation Lambda function for your database or service and updates it on your behalf during subsequent stack operations. For general information on transforms, see the [AWS CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html).  
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).  
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).  
*Required*: No  
*Type*: [HostedRotationLambda](aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RotateImmediatelyOnUpdate`  <a name="cfn-secretsmanager-rotationschedule-rotateimmediatelyonupdate"></a>
Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules`.  
The default for `RotateImmediatelyOnUpdate` is `true`. If you don't specify this value, Secrets Manager rotates the secret immediately.  
If you set `RotateImmediatelyOnUpdate` to `false`, Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.  
When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false`:  
+ If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()`, the previously scheduled rotation might still occur.
+ To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows.
Rotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html).  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RotationLambdaARN`  <a name="cfn-secretsmanager-rotationschedule-rotationlambdaarn"></a>
The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function.  
For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).  
For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).  
To create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html), specify `HostedRotationLambda` instead.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RotationRules`  <a name="cfn-secretsmanager-rotationschedule-rotationrules"></a>
A structure that defines the rotation configuration for this secret.  
*Required*: No  
*Type*: [RotationRules](aws-properties-secretsmanager-rotationschedule-rotationrules.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecretId`  <a name="cfn-secretsmanager-rotationschedule-secretid"></a>
The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.  
To reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.   
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-secretsmanager-rotationschedule-return-values"></a>

### Ref
<a name="aws-resource-secretsmanager-rotationschedule-return-values-ref"></a>

When you pass the logical ID of an `AWS::SecretsManager::RotationSchedule` resource to the intrinsic `Ref` function, the function returns the ARN of the secret being configured, such as:

*arn:aws:secretsmanager:us-west-2*:*123456789012*:secret:*my-path/my-secret-name*-*1a2b3c*

You can use the ARN to reference a secret you create in one part of the stack template from within the definition of another resource later, in the same template. You typically do this when you define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource type.

For more information about using the `Ref` function, see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html). 

### Fn::GetAtt
<a name="aws-resource-secretsmanager-rotationschedule-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

## Examples
<a name="aws-resource-secretsmanager-rotationschedule--examples"></a>

**Topics**
+ [Automatic rotation with a cron expression](#aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_cron_expression)
+ [Automatic rotation with a rate expression](#aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_rate_expression)
+ [DocumentDB secret rotation example](#aws-resource-secretsmanager-rotationschedule--examples--DocumentDB_secret_rotation_example)

### Automatic rotation with a cron expression
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_cron_expression"></a>

The following example rotates a secret every day between 1:00 AM and 3:00 AM UTC.

#### JSON
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_cron_expression--json"></a>

```
"MySecretRotationSchedule": {
  "Type": "AWS::SecretsManager::RotationSchedule",
  "DependsOn": "MyRotationLambda",
  "Properties": {
    "SecretId": {"Ref": "MySecret"},
    "RotationLambdaARN": {"Fn::GetAtt": "MyRotationLambda.Arn"},
    "RotationRules": {
      "Duration": "2h",
      "ScheduleExpression": "cron(0 1 * * ? *)"
    }
  }
}
```

#### YAML
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_cron_expression--yaml"></a>

```
MySecretRotationSchedule:
  Type: AWS::SecretsManager::RotationSchedule
  DependsOn: MyRotationLambda 
  Properties:
    SecretId: !Ref MySecret
    RotationLambdaARN: !GetAtt MyRotationLambda.Arn
    RotationRules:
      Duration: 2h
      ScheduleExpression: 'cron(0 1 * * ? *)'
```

### Automatic rotation with a rate expression
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_rate_expression"></a>

The following example rotates a secret between midnight and 6:00 AM UTC every 10 days.

#### JSON
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_rate_expression--json"></a>

```
"MySecretRotationSchedule": {
  "Type": "AWS::SecretsManager::RotationSchedule",
  "DependsOn": "MyRotationLambda",
  "Properties": {
    "SecretId": {"Ref": "MySecret"},
    "RotationLambdaARN": {"Fn::GetAtt": "MyRotationLambda.Arn"},
    "RotationRules": {
      "Duration": "6h",
      "ScheduleExpression": "rate(10 days)"
    }
  }
}
```

#### YAML
<a name="aws-resource-secretsmanager-rotationschedule--examples--Automatic_rotation_with_a_rate_expression--yaml"></a>

```
MySecretRotationSchedule:
  Type: AWS::SecretsManager::RotationSchedule
  DependsOn: MyRotationLambda 
  Properties:
    SecretId: !Ref MySecret
    RotationLambdaARN: !GetAtt MyRotationLambda.Arn
    RotationRules:
      Duration: 6h
      ScheduleExpression: 'rate(10 days)'
```

### DocumentDB secret rotation example
<a name="aws-resource-secretsmanager-rotationschedule--examples--DocumentDB_secret_rotation_example"></a>

The following example creates a DocumentDB database instance and a secret with credentials. The secret is configured to rotate on the first Sunday of every month between 4:00 AM and 6:00 AM UTC.

#### JSON
<a name="aws-resource-secretsmanager-rotationschedule--examples--DocumentDB_secret_rotation_example--json"></a>

```
{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Transform":"AWS::SecretsManager-2024-09-16",
   "Resources":{
      "TestVPC":{
         "Type":"AWS::EC2::VPC",
         "Properties":{
            "CidrBlock":"10.0.0.0/16",
            "EnableDnsHostnames":true,
            "EnableDnsSupport":true
         }
      },
      "TestSubnet01":{
         "Type":"AWS::EC2::Subnet",
         "Properties":{
            "CidrBlock":"10.0.96.0/19",
            "AvailabilityZone":{
               "Fn::Select":[
                  "0",
                  {
                     "Fn::GetAZs":{
                        "Ref":"AWS::Region"
                     }
                  }
               ]
            },
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "TestSubnet02":{
         "Type":"AWS::EC2::Subnet",
         "Properties":{
            "CidrBlock":"10.0.128.0/19",
            "AvailabilityZone":{
               "Fn::Select":[
                  "1",
                  {
                     "Fn::GetAZs":{
                        "Ref":"AWS::Region"
                     }
                  }
               ]
            },
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "SecretsManagerVPCEndpoint":{
         "Type":"AWS::EC2::VPCEndpoint",
         "Properties":{
            "SubnetIds":[
               {
                  "Ref":"TestSubnet01"
               },
               {
                  "Ref":"TestSubnet02"
               }
            ],
            "SecurityGroupIds":[
               {
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               }
            ],
            "VpcEndpointType":"Interface",
            "ServiceName":{
               "Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager"
            },
            "PrivateDnsEnabled":true,
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "MyDocDBClusterRotationSecret":{
         "Type":"AWS::SecretsManager::Secret",
         "Properties":{
            "GenerateSecretString":{
               "SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}",
               "GenerateStringKey":"password",
               "PasswordLength":16,
               "ExcludeCharacters":"\"@/\\"
            },
            "Tags":[
               {
                  "Key":"AppName",
                  "Value":"MyApp"
               }
            ]
         }
      },
      "MyDocDBCluster":{
         "Type":"AWS::DocDB::DBCluster",
         "Properties":{
            "DBSubnetGroupName":{
               "Ref":"MyDBSubnetGroup"
            },
            "MasterUsername":{
               "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"
            },
            "MasterUserPassword":{
               "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"
            },
            "VpcSecurityGroupIds":[
               {
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               }
            ]
         }
      },
      "DocDBInstance":{
         "Type":"AWS::DocDB::DBInstance",
         "Properties":{
            "DBClusterIdentifier":{
               "Ref":"MyDocDBCluster"
            },
            "DBInstanceClass":"db.r5.large"
         }
      },
      "MyDBSubnetGroup":{
         "Type":"AWS::DocDB::DBSubnetGroup",
         "Properties":{
            "DBSubnetGroupDescription":"DescriptionS",
            "SubnetIds":[
               {
                  "Ref":"TestSubnet01"
               },
               {
                  "Ref":"TestSubnet02"
               }
            ]
         }
      },
      "SecretDocDBClusterAttachment":{
         "Type":"AWS::SecretsManager::SecretTargetAttachment",
         "Properties":{
            "SecretId":{
               "Ref":"MyDocDBClusterRotationSecret"
            },
            "TargetId":{
               "Ref":"MyDocDBCluster"
            },
            "TargetType":"AWS::DocDB::DBCluster"
         }
      },
      "MySecretRotationSchedule":{
         "Type":"AWS::SecretsManager::RotationSchedule",
         "DependsOn":"SecretDocDBClusterAttachment",
         "Properties":{
            "SecretId":{
               "Ref":"MyDocDBClusterRotationSecret"
            },
            "HostedRotationLambda":{
               "RotationType":"MongoDBSingleUser",
               "RotationLambdaName":"MongoDBSingleUser",
               "VpcSecurityGroupIds":{
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               },
               "VpcSubnetIds":{
                  "Fn::Join":[
                     ",",
                     [
                        {
                           "Ref":"TestSubnet01"
                        },
                        {
                           "Ref":"TestSubnet02"
                        }
                     ]
                  ]
               }
            },
            "RotationRules":{
               "Duration": "2h",
               "ScheduleExpression": "cron(0 4 ? * SUN#1 *)"
            }
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-secretsmanager-rotationschedule--examples--DocumentDB_secret_rotation_example--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2024-09-16
Resources:
  TestVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  TestSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.96.0/19
      AvailabilityZone:
        Fn::Select:
        - '0'
        - Fn::GetAZs:
            Ref: AWS::Region
      VpcId:
        Ref: TestVPC
  TestSubnet02:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.128.0/19
      AvailabilityZone:
        Fn::Select:
        - '1'
        - Fn::GetAZs:
            Ref: AWS::Region
      VpcId:
        Ref: TestVPC
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SubnetIds:
      - Ref: TestSubnet01
      - Ref: TestSubnet02
      SecurityGroupIds:
      - Fn::GetAtt:
        - TestVPC
        - DefaultSecurityGroup
      VpcEndpointType: Interface
      ServiceName:
        Fn::Sub: com.amazonaws.${AWS::Region}.secretsmanager
      PrivateDnsEnabled: true
      VpcId:
        Ref: TestVPC
  MyDocDBClusterRotationSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "someadmin","ssl": true}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: "\"@/\\"
      Tags:
      - Key: AppName
        Value: MyApp
  MyDocDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBSubnetGroupName:
        Ref: MyDBSubnetGroup
      MasterUsername:
        Fn::Sub: "{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"
      MasterUserPassword:
        Fn::Sub: "{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"
      VpcSecurityGroupIds:
      - Fn::GetAtt:
        - TestVPC
        - DefaultSecurityGroup
  DocDBInstance:
    Type: AWS::DocDB::DBInstance
    Properties:
      DBClusterIdentifier:
        Ref: MyDocDBCluster
      DBInstanceClass: db.r5.large
  MyDBSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: 'Description'
      SubnetIds:
      - Ref: TestSubnet01
      - Ref: TestSubnet02
  SecretDocDBClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId:
        Ref: MyDocDBClusterRotationSecret
      TargetId:
        Ref: MyDocDBCluster
      TargetType: AWS::DocDB::DBCluster
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretDocDBClusterAttachment
    Properties:
      SecretId:
        Ref: MyDocDBClusterRotationSecret
      HostedRotationLambda:
        RotationType: MongoDBSingleUser
        RotationLambdaName: MongoDBSingleUser
        VpcSecurityGroupIds:
          Fn::GetAtt:
          - TestVPC
          - DefaultSecurityGroup
        VpcSubnetIds:
          Fn::Join:
          - ","
          - - Ref: TestSubnet01
            - Ref: TestSubnet02
      RotationRules:
        Duration: 2h
        ScheduleExpression: 'cron(0 4 ? * SUN#1 *)'
```
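
The constraints this page states for a `RotationSchedule` (the required transform for `HostedRotationLambda`, choosing one rotation function option, one schedule per secret, `DependsOn` on the `SecretTargetAttachment`, and the `RotateImmediatelyOnUpdate: false` caveat for interval schedules) can be checked on a parsed template before deployment. The following Python lint is an added example, not part of the AWS documentation or tooling; the rule codes, function names, and the two constructed templates (which reuse this page's logical IDs plus a hypothetical `SecondSchedule`) are assumptions.

```python
"""Pre-deployment lint for AWS::SecretsManager::RotationSchedule (added example)."""
import json

ROTATION = "AWS::SecretsManager::RotationSchedule"
ATTACHMENT = "AWS::SecretsManager::SecretTargetAttachment"
TRANSFORM = "AWS::SecretsManager-2024-09-16"

# Rule codes are names invented for this example, not CloudFormation identifiers.
RULES = {
    "MISSING_TRANSFORM": "HostedRotationLambda is used without Transform: " + TRANSFORM,
    "FUNCTION_CHOICE": "HostedRotationLambda and RotationLambdaARN are both set; choose one",
    "DUPLICATE_SCHEDULE": "the secret already has a rotation schedule in this template",
    "MISSING_DEPENDSON": "no DependsOn on the SecretTargetAttachment that populates the secret",
    "DEFERRED_RATE": "RotateImmediatelyOnUpdate is false with rate()/AutomaticallyAfterDays; "
                     "the previously scheduled rotation might still occur, use cron()",
}


def _as_list(value):
    """Transform and DependsOn may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _secret_key(secret_id):
    # Structural comparison only: a literal ARN and a {"Ref": ...} that resolve
    # to the same secret are NOT recognised as equal.
    return json.dumps(secret_id, sort_keys=True)


def lint_rotation_schedules(template):
    """Return a sorted list of (logical_id, rule_code) findings for a parsed template."""
    resources = template.get("Resources", {})
    transforms = _as_list(template.get("Transform"))

    # Which SecretTargetAttachment resources populate which secret.
    attachments = {}
    for name, res in resources.items():
        if res.get("Type") == ATTACHMENT:
            key = _secret_key(res.get("Properties", {}).get("SecretId"))
            attachments.setdefault(key, set()).add(name)

    findings, scheduled = [], {}
    for name, res in resources.items():
        if res.get("Type") != ROTATION:
            continue
        props = res.get("Properties", {})
        hosted = "HostedRotationLambda" in props
        if hosted and TRANSFORM not in transforms:
            findings.append((name, "MISSING_TRANSFORM"))
        if hosted and "RotationLambdaARN" in props:
            findings.append((name, "FUNCTION_CHOICE"))

        key = _secret_key(props.get("SecretId"))
        if key in scheduled:
            findings.append((name, "DUPLICATE_SCHEDULE"))
        scheduled.setdefault(key, name)

        populated_by = attachments.get(key, set())
        if populated_by and not populated_by & set(_as_list(res.get("DependsOn"))):
            findings.append((name, "MISSING_DEPENDSON"))

        rules = props.get("RotationRules", {})
        expr = rules.get("ScheduleExpression", "")
        interval = "AutomaticallyAfterDays" in rules or (
            isinstance(expr, str) and expr.strip().startswith("rate("))
        if str(props.get("RotateImmediatelyOnUpdate")).lower() == "false" and interval:
            findings.append((name, "DEFERRED_RATE"))
    return sorted(findings)


# --- Constructed sample templates (not from the AWS page) -------------------
def _schedule(depends_on=None, **props):
    res = {"Type": ROTATION,
           "Properties": {"SecretId": {"Ref": "MyDocDBClusterRotationSecret"}, **props}}
    if depends_on:
        res["DependsOn"] = depends_on
    return res


_BASE = {
    "MyDocDBClusterRotationSecret": {"Type": "AWS::SecretsManager::Secret"},
    "SecretDocDBClusterAttachment": {"Type": ATTACHMENT, "Properties": {
        "SecretId": {"Ref": "MyDocDBClusterRotationSecret"},
        "TargetId": {"Ref": "MyDocDBCluster"},
        "TargetType": "AWS::DocDB::DBCluster"}},
}
_HOSTED = {"RotationType": "MongoDBSingleUser"}

GOOD_TEMPLATE = {"Transform": TRANSFORM, "Resources": {
    **_BASE,
    "MySecretRotationSchedule": _schedule(
        "SecretDocDBClusterAttachment", HostedRotationLambda=_HOSTED,
        RotationRules={"Duration": "2h", "ScheduleExpression": "cron(0 4 ? * SUN#1 *)"})}}

BAD_TEMPLATE = {"Resources": {
    **_BASE,
    "MySecretRotationSchedule": _schedule(
        HostedRotationLambda=_HOSTED, RotateImmediatelyOnUpdate=False,
        RotationRules={"Duration": "6h", "ScheduleExpression": "rate(10 days)"}),
    "SecondSchedule": _schedule(
        "SecretDocDBClusterAttachment", HostedRotationLambda=_HOSTED,
        RotationLambdaARN={"Fn::GetAtt": ["MyRotationLambda", "Arn"]})}}

if __name__ == "__main__":
    for logical_id, code in lint_rotation_schedules(BAD_TEMPLATE):
        print(f"{logical_id}: {code}: {RULES[code]}")
```

To lint a real JSON template, pass the result of `json.load()` to `lint_rotation_schedules`; YAML templates that use short-form tags such as `!Ref` need a CloudFormation-aware loader first.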

## See also
<a name="aws-resource-secretsmanager-rotationschedule--seealso"></a>
+ [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) in the AWS Secrets Manager API Reference
+ [Rotate secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) in the AWS Secrets Manager User Guide
+ [AWS::SecretsManager::RotationSchedule HostedRotationLambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html)

# AWS::SecretsManager::RotationSchedule ExternalSecretRotationMetadataItem
<a name="aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem"></a>

The metadata needed to successfully rotate a managed external secret. A list of key value pairs in JSON format specified by the partner. For more information, see [Managed external secret partners](https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html).

## Syntax
<a name="aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-properties"></a>

`Key`  <a name="cfn-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-key"></a>
The key that identifies the item.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-secretsmanager-rotationschedule-externalsecretrotationmetadataitem-value"></a>
The value of the specified item.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecretsManager::RotationSchedule HostedRotationLambda
<a name="aws-properties-secretsmanager-rotationschedule-hostedrotationlambda"></a>

Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html).

You must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template.

For Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).

For Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html).

## Syntax
<a name="aws-properties-secretsmanager-rotationschedule-hostedrotationlambda-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-secretsmanager-rotationschedule-hostedrotationlambda-syntax.json"></a>

```
{
  "ExcludeCharacters" : String,
  "KmsKeyArn" : String,
  "MasterSecretArn" : String,
  "MasterSecretKmsKeyArn" : String,
  "RotationLambdaName" : String,
  "RotationType" : String,
  "Runtime" : String,
  "SuperuserSecretArn" : String,
  "SuperuserSecretKmsKeyArn" : String,
  "VpcSecurityGroupIds" : String,
  "VpcSubnetIds" : String
}
```

### YAML
<a name="aws-properties-secretsmanager-rotationschedule-hostedrotationlambda-syntax.yaml"></a>

```
  ExcludeCharacters: String
  KmsKeyArn: String
  MasterSecretArn: String
  MasterSecretKmsKeyArn: String
  RotationLambdaName: String
  RotationType: String
  Runtime: String
  SuperuserSecretArn: String
  SuperuserSecretKmsKeyArn: String
  VpcSecurityGroupIds: String
  VpcSubnetIds: String
```

## Properties
<a name="aws-properties-secretsmanager-rotationschedule-hostedrotationlambda-properties"></a>

`ExcludeCharacters`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-excludecharacters"></a>
A string of the characters that you don't want in the password.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KmsKeyArn`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-kmskeyarn"></a>
The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key `aws/secretsmanager`. If `aws/secretsmanager` doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.   
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MasterSecretArn`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretarn"></a>
The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html).   
You must create the superuser secret before you can set this property.   
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html).   
You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MasterSecretKmsKeyArn`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretkmskeyarn"></a>
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager`. CloudFormation grants the execution role for the Lambda rotation function `Decrypt`, `DescribeKey`, and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html).   
You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RotationLambdaName`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationlambdaname"></a>
The name of the Lambda rotation function.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RotationType`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationtype"></a>
The rotation template to base the rotation function on, one of the following:  
+ `Db2SingleUser` to use the template [SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser).
+ `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser). 
+ `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser).
+ `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser). 
+ `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser).
+ `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser).
+ `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser).
+ `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser).
+ `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser).
+ `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser).
+ `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser).
+ `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser).
+ `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser).
+ `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser).
+ `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser).
+ `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser).
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Runtime`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-runtime"></a>
Do not set this value if you are using `Transform: AWS::SecretsManager-2024-09-16`. Over time, the updated rotation Lambda artifacts vended by AWS may not be compatible with the code or shared object files defined in the rotation function deployment package.  
Only define the `Runtime` key if:  

1. You are using `Transform: AWS::SecretsManager-2020-07-23`.

1. The code or shared object files defined in the rotation function deployment package are incompatible with Python 3.10.

The Python runtime version associated with the rotation function. By default, CloudFormation deploys Python 3.10 binaries for the rotation function. To use a different version of Python, you must do the following two steps:  

1. Deploy the matching version of the Python binaries with your rotation function.

1. Set the version number in this field. For example, for Python 3.10, enter **python3.10**.

If you only do one of the steps, your rotation function will be incompatible with the binaries. For more information, see [Why did my Lambda rotation function fail with a "pg module not found" error](https://repost.aws/knowledge-center/secrets-manager-lambda-rotation).  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SuperuserSecretArn`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretarn"></a>
The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html).  
You must create the superuser secret before you can set this property.   
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html).   
You can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SuperuserSecretKmsKeyArn`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-superusersecretkmskeyarn"></a>
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager`. CloudFormation grants the execution role for the Lambda rotation function `Decrypt`, `DescribeKey`, and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html).   
You can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcSecurityGroupIds`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsecuritygroupids"></a>
A comma-separated list of security group IDs applied to the target database.  
The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcSubnetIds`  <a name="cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsubnetids"></a>
A comma-separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecretsManager::RotationSchedule RotationRules
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules"></a>

The rotation schedule and window. We recommend you use `ScheduleExpression` to set a cron or rate expression for the schedule and `Duration` to set the length of the rotation window. 

**Important**  
When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false`:  
If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()`, the previously scheduled rotation might still occur.
To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows.

## Syntax
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules-syntax.json"></a>

```
{
  "AutomaticallyAfterDays" : Integer,
  "Duration" : String,
  "ScheduleExpression" : String
}
```

### YAML
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules-syntax.yaml"></a>

```
  AutomaticallyAfterDays: Integer
  Duration: String
  ScheduleExpression: String
```

## Properties
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules-properties"></a>

`AutomaticallyAfterDays`  <a name="cfn-secretsmanager-rotationschedule-rotationrules-automaticallyafterdays"></a>
The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.  
In `DescribeSecret` and `ListSecrets`, this value is calculated from the rotation schedule after every successful rotation. In `RotateSecret`, you can set the rotation schedule in `RotationRules` with `AutomaticallyAfterDays` or `ScheduleExpression`, but not both.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Duration`  <a name="cfn-secretsmanager-rotationschedule-rotationrules-duration"></a>
The length of the rotation window in hours, for example `3h` for a three-hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the `ScheduleExpression`. If you don't specify a `Duration`, for a `ScheduleExpression` in hours, the window automatically closes after one hour. For a `ScheduleExpression` in days, the window automatically closes at the end of the UTC day. For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) in the *Secrets Manager User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ScheduleExpression`  <a name="cfn-secretsmanager-rotationschedule-rotationrules-scheduleexpression"></a>
A `cron()` or `rate()` expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use the UTC time zone. Secrets Manager rotates your secret any time during a rotation window.  
Secrets Manager `rate()` expressions represent the interval in hours or days that you want to rotate your secret, for example `rate(12 hours)` or `rate(10 days)`. You can rotate a secret as often as every four hours. If you use a `rate()` expression, the rotation window starts at midnight. For a rate in hours, the default rotation window closes after one hour. For a rate in days, the default rotation window closes at the end of the day. You can set the `Duration` to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.  
You can use a `cron()` expression to create a rotation schedule that is more detailed than a rotation interval. For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) in the *Secrets Manager User Guide*. For a cron expression that represents a schedule in hours, the default rotation window closes after one hour. For a cron expression that represents a schedule in days, the default rotation window closes at the end of the day. You can set the `Duration` to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
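
A pre-deployment check for the constraints stated in the `HostedRotationLambda` and `RotationRules` property descriptions above, as an added example that is not part of the AWS documentation. The function name, finding strings and sample values are hypothetical; the check assumes `rate()` windows are spaced one interval apart and does not parse `cron()` expressions.

```python
import re

RATE = re.compile(r"^rate\((\d+) (hour|day)s?\)$")
DURATION = re.compile(r"^(\d+)h$")
NEW_TRANSFORM = "AWS::SecretsManager-2024-09-16"

def lint_rotation_schedule(props, transform=None):
    """Findings for a RotationSchedule Properties dict (hypothetical helper)."""
    findings = []
    hosted = props.get("HostedRotationLambda", {})
    rules = props.get("RotationRules", {})
    # Master*/Superuser* name the same secret and key: set at most one of each.
    for old, new in (("MasterSecretArn", "SuperuserSecretArn"),
                     ("MasterSecretKmsKeyArn", "SuperuserSecretKmsKeyArn")):
        if old in hosted and new in hosted:
            findings.append(f"{old} and {new} are both set")
    # Runtime must not be set under the 2024-09-16 transform.
    if "Runtime" in hosted and transform == NEW_TRANSFORM:
        findings.append(f"Runtime is set with Transform {NEW_TRANSFORM}")
    expr = rules.get("ScheduleExpression")
    if expr and "AutomaticallyAfterDays" in rules:
        findings.append("AutomaticallyAfterDays and ScheduleExpression are both set")
    window = None
    if "Duration" in rules:
        m = DURATION.match(str(rules["Duration"]))
        if not m:
            findings.append("Duration is not of the form '<n>h'")
        else:
            window = int(m.group(1))
            if window > 24:  # more than 24 hours always crosses a UTC day
                findings.append("Duration extends into the next UTC day")
    if expr and expr.startswith("rate("):
        m = RATE.match(expr)
        if not m:
            findings.append("rate() is not an interval in hours or days")
        elif m.group(2) == "hour":
            interval = int(m.group(1))
            if interval < 4:
                findings.append("rate() is more frequent than every four hours")
            # Assumption: consecutive windows start one interval apart.
            if window is not None and window > interval:
                findings.append("Duration extends into the next rotation window")
    return findings

# Constructed sample with placeholder ARNs, deliberately misconfigured.
SAMPLE = {
    "HostedRotationLambda": {
        "RotationType": "PostgreSQLMultiUser", "Runtime": "python3.10",
        "MasterSecretArn": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:EXAMPLE",
        "SuperuserSecretArn": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:EXAMPLE",
    },
    "RotationRules": {"ScheduleExpression": "rate(6 hours)", "Duration": "8h",
                      "AutomaticallyAfterDays": 30},
}
```

Calling `lint_rotation_schedule(SAMPLE, NEW_TRANSFORM)` returns four findings for the constructed sample; an empty list means none of the checked constraints is violated.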

## See also
<a name="aws-properties-secretsmanager-rotationschedule-rotationrules--seealso"></a>
+ [AWS::SecretsManager::RotationSchedule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html)
+ [Rotate secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) in the AWS Secrets Manager User Guide