To create an AWS::RDS::DBProxy using CloudFormation, you need to provide a SecretsManager Secret as the authentication method. In the below example, it's the secret pointed to by BootstrapProxySecretArn:
Resources:
TestDBProxy:
Type: AWS::RDS::DBProxy
Properties:
DBProxyName: !Ref ProxyName
EngineFamily: MYSQL
RoleArn:
!Ref BootstrapSecretReaderRoleArn
Auth:
- {AuthScheme: SECRETS, SecretArn: !Ref BootstrapProxySecretArn, IAMAuth: DISABLED}
VpcSubnetIds:
But the CloudFormation docs don't explain what this secret needs to contain. Is it a secret containing the password for that database username?
The templates for different databases for secrete manager are here. For MySQL it would be:
{
"engine": "mysql",
"host": "<required: instance host name/resolvable DNS name>",
"username": "<required: username>",
"password": "<required: password>",
"dbname": "<optional: database name. If not specified, defaults to None>",
"port": "<optional: TCP port number. If not specified, defaults to 3306>"
}
Alternatively, you can always use AWS console to create the secret automatically for you for your database, and inspect its structure which then you can re-use in CloudFormation.