Create an Aurora cluster with password generated by Secrets Manager

aurora-cluster.yml

AWSTemplateFormatVersion: 2010-09-09
Description: This creates an Aurora RDS cluster with 2 instances and using Secrets Manger to generate and store the password

Parameters: 
  SubnetA:
    Description: Subnets to use for Aurora deployment
    Type: AWS::EC2::Subnet::Id

  SubnetB:
    Description: Subnets to use for Aurora deployment
    Type: AWS::EC2::Subnet::Id

  
  DefaultSecurityGroup:
    Description: Default VPC security group
    Type: AWS::EC2::SecurityGroup::Id

  KmsKeyId:
    Description: KMS Key ID to use for encrypting secrets
    Type: String
  
  DBName:
    Description: Name of database
    Type: String
  
  DBInstanceType:
    Description: Instance type for instances in the Aurora cluster
    Type: String

  DeleteAutomatedBackups:
    Description: Defines whether to keep automated database backups when DB instance deleted
    Type: String

  DeletionProtection:
    Description: Defines whether deletion protection should be enabled
    Type: String

Resources:
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties: 
      DBSubnetGroupDescription: Subnet group that Aurora instances are deployed into
      DBSubnetGroupName: aurora-subnet-group
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB

# Creates custom DB Parameter Group 
  DBParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Custom parameter group for instances in Aurora cluster
      Family: aurora-mysql5.7
      Parameters:
        max_allowed_packet: '134217728'
      Tags:
        - Key: Name
          Value: aurora-parameter-group

  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      BackupRetentionPeriod: 7
      DatabaseName: !Ref DBName
      DBClusterParameterGroupName: default.aurora-mysql5.7
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeletionProtection: !Ref DeletionProtection
      Engine: aurora-mysql
      EngineMode: provisioned
      EngineVersion: 5.7.12
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:username}}' ]]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:password}}' ]]
      Port: 3306
      PreferredBackupWindow: 00:00-00:30
      PreferredMaintenanceWindow: Sun:23:00-Sun:23:30
      StorageEncrypted: true
      Tags:
        - Key: Name
          Value: DBCluster
      VpcSecurityGroupIds:
        - !Ref DefaultSecurityGroup
  
  DBInstanceA:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref DBCluster
      DBInstanceClass: !Ref DBInstanceType
      DBParameterGroupName: !Ref DBParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeleteAutomatedBackups: !Ref DeleteAutomatedBackups
      Engine: aurora-mysql
  
  DBInstanceB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref DBCluster
      DBInstanceClass: !Ref DBInstanceType
      DBParameterGroupName: !Ref DBParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeleteAutomatedBackups: !Ref DeleteAutomatedBackups
      Engine: aurora-mysql

  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Username and password for database
      KmsKeyId: !Ref KmsKeyId
      GenerateSecretString:
        GenerateStringKey: "password"
        PasswordLength: 20
        SecretStringTemplate: '{"username": "master-user"}'
        ExcludePunctuation: True
      Tags: 
        - Key: Name
          Value: db-secret
      Name: DBSecret

  DBSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref DBCluster
      TargetType: AWS::RDS::DBCluster