I created a secret using a CloudFormation template that looked like this:
```json
"DBSecretCredentials": {
  "Type": "AWS::SecretsManager::Secret",
  "Properties": {
    "Name": "MyAwesomeSecret",
    "Description": "Something",
    "GenerateSecretString": {
      "SecretStringTemplate": "{\"USER\":\"superman\"}",
      "GenerateStringKey": "PASSWORD",
      "PasswordLength": 30,
      "ExcludeCharacters": "\"@/\\"
    },
    "Tags": [
      {
        "Key": "AppName",
        "Value": "Something"
      },
      {
        "Key": "Environment",
        "Value": {
          "Ref": "Environment"
        }
      }
    ]
  }
}
```
When I deleted the CloudFormation stack, I was expecting the secret to be there in "pending deletion" status with a 7-day retention policy, as that is what AWS mandates.
When I visited the AWS Console, there was no secret in pending deletion mode. (Yes, I clicked on the gear icon and checked the "Show secrets scheduled for deletion" checkbox.)
I queried AWS Secrets Manager using the CLI to list all the secrets, but it did not return the secret that was deleted as a result of the CloudFormation stack deletion.
Am I missing something here?
When a CloudFormation stack is deleted, Secrets Manager is called with the "force-delete-without-recovery" option and all secrets are deleted permanently. This is to enable CloudFormation to be able to delete each referenced secret without leaving artifacts in your account.
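As an added example (not part of the question or the answer above), the same resource with `DeletionPolicy` and `UpdateReplacePolicy` set to `Retain`, so that stack deletion leaves the secret in place and it can then be removed through the Secrets Manager API with the normal recovery window. The YAML form and the `Environment` parameter definition are assumptions; the original only shows the `Ref`.

```yaml
# Added example, not from the original post: the secret resource from the
# question written in YAML, with Retain policies so CloudFormation does not
# call DeleteSecret with ForceDeleteWithoutRecovery when the stack is deleted
# or the resource is replaced.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Environment:            # assumed parameter behind the original "Ref": "Environment"
    Type: String
    Default: dev
Resources:
  DBSecretCredentials:
    Type: AWS::SecretsManager::Secret
    DeletionPolicy: Retain        # keep the secret when the stack is deleted
    UpdateReplacePolicy: Retain   # keep the old secret if an update forces replacement
    Properties:
      Name: MyAwesomeSecret
      Description: Something
      GenerateSecretString:
        SecretStringTemplate: '{"USER":"superman"}'
        GenerateStringKey: PASSWORD
        PasswordLength: 30
        ExcludeCharacters: '"@/\'
      Tags:
        - Key: AppName
          Value: Something
        - Key: Environment
          Value: !Ref Environment
# Once the stack is gone, the retained secret is deleted with a recovery
# window (7 to 30 days); during that window it shows up under "scheduled for
# deletion" and can be restored:
#   aws secretsmanager delete-secret --secret-id MyAwesomeSecret --recovery-window-in-days 7
#   aws secretsmanager restore-secret --secret-id MyAwesomeSecret
```

Without the Retain policy, a stack deletion (including an accidental one or a failed rollback that removes the resource) destroys the credentials immediately, with nothing to restore.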