I am creating a Secrets Manager resource via Terraform (sample code below). I looked up a few examples and understand that I can hook this resource up with a Lambda for key rotation, which will generate a random secret and store it. Is there already inbuilt Lambda code to do this in AWS? Also, when the Lambda does the rotation, does it immediately expire the old key, or can we set the time such that it only expires after a certain number of days? I assume the timeline can be set via the Lambda or Terraform. Some examples would be helpful.
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}
Use another resource, AWS::SecretsManager::RotationSchedule, for setting the rotation schedule.
MySecretRotationSchedule:
  Type: AWS::SecretsManager::RotationSchedule
  DependsOn: MyRotationLambda
  Properties:
    SecretId: !Ref MySecret
    RotationLambdaARN: !GetAtt MyRotationLambda.Arn
    RotationRules:
      Duration: 2h
      ScheduleExpression: 'cron(0 1 * * ? *)'
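Since the question asked for Terraform rather than CloudFormation, here is an added example (not from the question or the answer above) that attaches the same kind of rotation schedule with the provider's aws_secretsmanager_secret_rotation resource, using a 30-day interval. It assumes a rotation function already exists as the hypothetical aws_lambda_function.rotation resource and that the hashicorp/random provider is configured.

```hcl
# Added example; aws_lambda_function.rotation is assumed to be defined elsewhere.
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

# Initial value generated by Terraform on the first apply; later versions are
# written by the rotation Lambda, so Terraform is told to ignore those changes.
resource "random_password" "initial" {
  length  = 32
  special = true
}

resource "aws_secretsmanager_secret_version" "initial" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = random_password.initial.result

  lifecycle {
    ignore_changes = [secret_string]
  }
}

# Secrets Manager must be allowed to invoke the rotation function, otherwise
# the rotation resource fails to create.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotation.function_name
  principal     = "secretsmanager.amazonaws.com"
}

# Rotation schedule: Secrets Manager calls the Lambda every 30 days.
resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id           = aws_secretsmanager_secret.example.id
  rotation_lambda_arn = aws_lambda_function.rotation.arn

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```

On the expiry part of the question: Secrets Manager itself only moves the AWSCURRENT and AWSPREVIOUS staging labels between versions on each rotation; whether and when the old credential stops working at the target system is decided by what the rotation function does in its own steps.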