VaporShell.SecretsManager.psm1

# PSM1 Contents
function Format-Json {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [String]
        $Json
    )
    Begin {
        $cleaner = {
            param([String]$Line)
            Process{
                [Regex]::Replace(
                    $Line,
                    "\\u(?<Value>[a-zA-Z0-9]{4})",
                    {
                        param($m)([char]([int]::Parse(
                            $m.Groups['Value'].Value,
                            [System.Globalization.NumberStyles]::HexNumber
                        ))).ToString()
                    }
                )
            }
        }
    }
    Process {
        if ($PSVersionTable.PSVersion.Major -lt 6) {
            try {
                $indent = 0;
                $res = $Json -split '\n' | ForEach-Object {
                    if ($_ -match '[\}\]]') {
                        # This line contains ] or }, decrement the indentation level
                        $indent--
                    }
                    $line = (' ' * $indent * 2) + $_.TrimStart().Replace(': ', ': ')
                    if ($_ -match '[\{\[]') {
                        # This line contains [ or {, increment the indentation level
                        $indent++
                    }
                    $cleaner.Invoke($line)
                }
                $res -join "`n"
            }
            catch {
                ($Json -split '\n' | ForEach-Object {$cleaner.Invoke($_)}) -join "`n"
            }
        }
        else {
            ($Json -split '\n' | ForEach-Object {$cleaner.Invoke($_)}) -join "`n"
        }
    }
}

function Get-TrueCount {
    Param
    (
        [parameter(Mandatory = $false,Position = 0,ValueFromPipeline = $true)]
        $Array
    )
    Process {
        if ($array) {
            if ($array.Count) {
                $count = $array.Count
            }
            else {
                $count = 1
            }
        }
        else {
            $count = 0
        }
    }
    End {
        return $count
    }
}

function New-VSError {
    <#
    .SYNOPSIS
    Error generator function to use in tandem with $PSCmdlet.ThrowTerminatingError()
    
    .PARAMETER Result
    Allows input of an error from AWS SDK, resulting in the Exception message being parsed out.
    
    .PARAMETER String
    Used to create basic String message errors in the same wrapper
    #>

    [cmdletbinding(DefaultParameterSetName="Result")]
    param(
        [parameter(Position=0,ParameterSetName="Result")]
        $Result,
        [parameter(Position=0,ParameterSetName="String")]
        $String
    )
    switch ($PSCmdlet.ParameterSetName) {
        Result { $Exception = "$($result.Exception.InnerException.Message)" }
        String { $Exception = "$String" }
    }
    $e = New-Object "System.Exception" $Exception
    $errorRecord = New-Object 'System.Management.Automation.ErrorRecord' $e, $null, ([System.Management.Automation.ErrorCategory]::InvalidOperation), $null
    return $errorRecord
}

function ResolveS3Endpoint {
    <#
    .SYNOPSIS
    Resolves the S3 endpoint most appropriate for each region.
    #>

    Param
    (
      [parameter(Mandatory=$true,Position=0)]
      [ValidateSet("eu-west-2","ap-south-1","us-east-2","sa-east-1","us-west-1","us-west-2","eu-west-1","ap-southeast-2","ca-central-1","ap-northeast-2","us-east-1","eu-central-1","ap-southeast-1","ap-northeast-1")]
      [String]
      $Region
    )
    $endpointMap = @{
        "us-east-2" = "s3.us-east-2.amazonaws.com"
        "us-east-1" = "s3.amazonaws.com"
        "us-west-1" = "s3-us-west-1.amazonaws.com"
        "us-west-2" = "s3-us-west-2.amazonaws.com"
        "ca-central-1" = "s3.ca-central-1.amazonaws.com"
        "ap-south-1" = "s3.ap-south-1.amazonaws.com"
        "ap-northeast-2" = "s3.ap-northeast-2.amazonaws.com"
        "ap-southeast-1" = "s3-ap-southeast-1.amazonaws.com"
        "ap-southeast-2" = "s3-ap-southeast-2.amazonaws.com"
        "ap-northeast-1" = "s3-ap-northeast-1.amazonaws.com"
        "eu-central-1" = "s3.eu-central-1.amazonaws.com"
        "eu-west-1" = "s3-eu-west-1.amazonaws.com"
        "eu-west-2" = "s3.eu-west-2.amazonaws.com"
        "sa-east-1" = "s3-sa-east-1.amazonaws.com"
    }
    return $endpointMap[$Region]
}

function Add-VSSecretsManagerRotationScheduleHostedRotationLambda {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::RotationSchedule.HostedRotationLambda resource property to the template.

    .DESCRIPTION
        Adds an AWS::SecretsManager::RotationSchedule.HostedRotationLambda resource property to the template.


    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html

    .PARAMETER RotationType
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationtype
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER RotationLambdaName
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-rotationlambdaname
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER KmsKeyArn
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-kmskeyarn
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER MasterSecretArn
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretarn
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER VpcSecurityGroupIds
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsecuritygroupids
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER MasterSecretKmsKeyArn
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-mastersecretkmskeyarn
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER VpcSubnetIds
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-hostedrotationlambda.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda-vpcsubnetids
        PrimitiveType: String
        UpdateType: Mutable

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerRotationScheduleHostedRotationLambda])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $true)]
        [object]
        $RotationType,
        [parameter(Mandatory = $false)]
        [object]
        $RotationLambdaName,
        [parameter(Mandatory = $false)]
        [object]
        $KmsKeyArn,
        [parameter(Mandatory = $false)]
        [object]
        $MasterSecretArn,
        [parameter(Mandatory = $false)]
        [object]
        $VpcSecurityGroupIds,
        [parameter(Mandatory = $false)]
        [object]
        $MasterSecretKmsKeyArn,
        [parameter(Mandatory = $false)]
        [object]
        $VpcSubnetIds
    )
    Process {
        $obj = [SecretsManagerRotationScheduleHostedRotationLambda]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'Add-VSSecretsManagerRotationScheduleHostedRotationLambda'

function Add-VSSecretsManagerRotationScheduleRotationRules {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::RotationSchedule.RotationRules resource property to the template. The RotationRules property is used as part of the AWS::SecretsManager::RotationSchedule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html resource type to configure how and when Secrets Manager performs rotation for the associated secret.

    .DESCRIPTION
        Adds an AWS::SecretsManager::RotationSchedule.RotationRules resource property to the template.
The RotationRules property is used as part of the AWS::SecretsManager::RotationSchedule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html resource type to configure how and when Secrets Manager performs rotation for the associated secret.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html

    .PARAMETER AutomaticallyAfterDays
        Specifies the number of days after the previous rotation before Secrets Manager triggers the next automatic rotation.
You can specify a minimum value of 1 and a maximum value of 1000.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html#cfn-secretsmanager-rotationschedule-rotationrules-automaticallyafterdays
        PrimitiveType: Integer
        UpdateType: Mutable

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerRotationScheduleRotationRules])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $false)]
        [object]
        $AutomaticallyAfterDays
    )
    Process {
        $obj = [SecretsManagerRotationScheduleRotationRules]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'Add-VSSecretsManagerRotationScheduleRotationRules'

function Add-VSSecretsManagerSecretGenerateSecretString {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::Secret.GenerateSecretString resource property to the template. Use the GenerateSecretString property as part of the AWS::SecretsManager::Secret: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html resource type to dynamically generate a random text string to use as a password. You use this an alternative to hardcoding a password directly in the SecretString property. When you generate a AWS::SecretsManager::Secret: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html resource type, you must include one or the other, but not both.

    .DESCRIPTION
        Adds an AWS::SecretsManager::Secret.GenerateSecretString resource property to the template.
Use the GenerateSecretString property as part of the AWS::SecretsManager::Secret: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html resource type to dynamically generate a random text string to use as a password. You use this an alternative to hardcoding a password directly in the SecretString property. When you generate a AWS::SecretsManager::Secret: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html resource type, you must include one or the other, but not both.

SecretString enables you to place a literal value directly into the secret, an action not recommended. Instead, we recommend that you use the GenerateSecretString property to dynamically generate a random password. The operation returns a complete JSON structure to use as the secret value. The structure begins with the string you supply using the SecretStringTemplate. This template string must be a properly formatted JSON string that contains all of the secret value information except the password. The operation then generates a random password using the rules specified by the other parameters. Finally, the operations inserts the generated password into the secret value structure along with the JSON key name specified by the GenerateStringKey parameter.

For examples, see AWS::SecretsManager::Secret: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html

    .PARAMETER ExcludeUppercase
        Specifies that the generated password should not include uppercase letters. The default behavior is False, and the generated password can include uppercase letters.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludeuppercase
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER RequireEachIncludedType
        Specifies whether the generated password must include at least one of every allowed character type. By default, Secrets Manager enables this parameter, and the generated password includes at least one of every character type.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-requireeachincludedtype
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER IncludeSpace
        Specifies that the generated password can include the space character. By default, Secrets Manager disables this parameter, and the generated password doesn't include space

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-includespace
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER ExcludeCharacters
        A string that excludes characters in the generated password. By default, all characters from the included sets can be used. The string can be a minimum length of 0 characters and a maximum length of 7168 characters.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludecharacters
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER GenerateStringKey
        The JSON key name used to add the generated password to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-generatestringkey
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER PasswordLength
        The desired length of the generated password. The default value if you do not include this parameter is 32 characters.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-passwordlength
        PrimitiveType: Integer
        UpdateType: Mutable

    .PARAMETER ExcludePunctuation
        Specifies that the generated password should not include punctuation characters. The default if you do not include this switch parameter is that punctuation characters can be included.
The following are the punctuation characters that *can* be included in the generated password if you don't explicitly exclude them with ExcludeCharacters or ExcludePunctuation:
! " # $ % & ' * + , - . / : ; < = > ? @ ] ^ _ { | } ~

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludepunctuation
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER ExcludeLowercase
        Specifies the generated password should not include lowercase letters. By default, SEcrets Manager disables this parameter, and the generated password can include lowercase False, and the generated password can include lowercase letters.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludelowercase
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER SecretStringTemplate
        A properly structured JSON string that the generated password can be added to. If you specify this parameter, then you must also specify GenerateStringKey. Secrets Manager combines this with the generated random string and inserts into the JSON structure specified by this parameter. The merged JSON string returns as the completed SecretString of the secret. By default, Secrets Manager does not return the generated random password string, and doesn't embed it in a JSON structure.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-secretstringtemplate
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER ExcludeNumbers
        Specifies that the generated password should exclude digits. By default, Secrets Manager does not enable the parameter, False, and the generated password can include digits.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html#cfn-secretsmanager-secret-generatesecretstring-excludenumbers
        PrimitiveType: Boolean
        UpdateType: Mutable

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerSecretGenerateSecretString])]
    [cmdletbinding()]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword","PasswordLength")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingUserNameAndPasswordParams","PasswordLength")]
    Param(
        [parameter(Mandatory = $false)]
        [object]
        $ExcludeUppercase,
        [parameter(Mandatory = $false)]
        [object]
        $RequireEachIncludedType,
        [parameter(Mandatory = $false)]
        [object]
        $IncludeSpace,
        [parameter(Mandatory = $false)]
        [object]
        $ExcludeCharacters,
        [parameter(Mandatory = $false)]
        [object]
        $GenerateStringKey,
        [parameter(Mandatory = $false)]
        [object]
        $PasswordLength,
        [parameter(Mandatory = $false)]
        [object]
        $ExcludePunctuation,
        [parameter(Mandatory = $false)]
        [object]
        $ExcludeLowercase,
        [parameter(Mandatory = $false)]
        [object]
        $SecretStringTemplate,
        [parameter(Mandatory = $false)]
        [object]
        $ExcludeNumbers
    )
    Process {
        $obj = [SecretsManagerSecretGenerateSecretString]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'Add-VSSecretsManagerSecretGenerateSecretString'

function Add-VSSecretsManagerSecretReplicaRegion {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::Secret.ReplicaRegion resource property to the template.

    .DESCRIPTION
        Adds an AWS::SecretsManager::Secret.ReplicaRegion resource property to the template.


    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-replicaregion.html

    .PARAMETER KmsKeyId
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-replicaregion.html#cfn-secretsmanager-secret-replicaregion-kmskeyid
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER Region
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-replicaregion.html#cfn-secretsmanager-secret-replicaregion-region
        PrimitiveType: String
        UpdateType: Mutable

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerSecretReplicaRegion])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $false)]
        [object]
        $KmsKeyId,
        [parameter(Mandatory = $true)]
        [object]
        $Region
    )
    Process {
        $obj = [SecretsManagerSecretReplicaRegion]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'Add-VSSecretsManagerSecretReplicaRegion'

function New-VSSecretsManagerResourcePolicy {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::ResourcePolicy resource to the template. Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies to specify the Amazon Resource Name (ARN of the secret in the policy statement Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions permitted by all relevant policies.

    .DESCRIPTION
        Adds an AWS::SecretsManager::ResourcePolicy resource to the template. Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies to specify the Amazon Resource Name (ARN of the secret in the policy statement Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions permitted by all relevant policies.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html

    .PARAMETER LogicalId
        The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. Use the logical name to reference the resource in other parts of the template. For example, if you want to map an Amazon Elastic Block Store volume to an Amazon EC2 instance, you reference the logical IDs to associate the block stores with the instance.

    .PARAMETER BlockPublicPolicy
        + AWS::SecretsManager::SecretTargetAttachment: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-blockpublicpolicy
        PrimitiveType: Boolean
        UpdateType: Mutable

    .PARAMETER SecretId
        Specifies the Amazon Resource Name ARN or the friendly name of the secret to attach a resource-based permissions policy.
If you use this property to change the SecretId for an existing resource-based policy, Secrets Manager removes the policy from the original secret, and then attaches the policy to the secret with the specified SecretId. This results in changing the permissions for two secrets.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-secretid
        PrimitiveType: String
        UpdateType: Immutable

    .PARAMETER ResourcePolicy
        Specifies a JSON object constructed according to the grammar and syntax for a resource-based policy. The policy identifies who can access or manage this secret and associated versions. For information on how to format a JSON object as a parameter for this resource type, see Using Resource-based Policies for Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html in the AWS Secrets Manager User Guide. Those same rules apply here.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html#cfn-secretsmanager-resourcepolicy-resourcepolicy
        PrimitiveType: Json
        UpdateType: Mutable

    .PARAMETER DeletionPolicy
        With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.

        To keep a resource when its stack is deleted, specify Retain for that resource. You can use retain for any resource. For example, you can retain a nested stack, S3 bucket, or EC2 instance so that you can continue to use or modify those resources after you delete their stacks.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER UpdateReplacePolicy
        Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.

        When you initiate a stack update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template and parameters. If you update a resource property that requires that the resource be replaced, AWS CloudFormation recreates the resource during the update. Recreating the resource generates a new physical ID. AWS CloudFormation creates the replacement resource first, and then changes references from other dependent resources to point to the replacement resource. By default, AWS CloudFormation then deletes the old resource. Using the UpdateReplacePolicy, you can specify that AWS CloudFormation retain or (in some cases) create a snapshot of the old resource.

        For resources that support snapshots, such as AWS::EC2::Volume, specify Snapshot to have AWS CloudFormation create a snapshot before deleting the old resource instance.

        You can apply the UpdateReplacePolicy attribute to any resource. UpdateReplacePolicy is only executed if you update a resource property whose update behavior is specified as Replacement, thereby causing AWS CloudFormation to replace the old resource with a new one with a new physical ID. For example, if you update the Engine property of an AWS::RDS::DBInstance resource type, AWS CloudFormation creates a new resource and replaces the current DB instance resource with the new one. The UpdateReplacePolicy attribute would then dictate whether AWS CloudFormation deleted, retained, or created a snapshot of the old DB instance. The update behavior for each property of a resource is specified in the reference topic for that resource in the AWS Resource and Property Types Reference. For more information on resource update behavior, see Update Behaviors of Stack Resources.

        The UpdateReplacePolicy attribute applies to stack updates you perform directly, as well as stack updates performed using change sets.

        Note
        Resources that are retained continue to exist and continue to incur applicable charges until you delete those resources. Snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots. UpdateReplacePolicy retains the old physical resource or snapshot, but removes it from AWS CloudFormation's scope.

        UpdateReplacePolicy differs from the DeletionPolicy attribute in that it only applies to resources replaced during stack updates. Use DeletionPolicy for resources deleted when a stack is deleted, or when the resource definition itself is deleted from the template as part of a stack update.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER DependsOn
        With the DependsOn attribute you can specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute.

        This parameter takes a string or list of strings representing Logical IDs of resources that must be created prior to this resource being created.


    .PARAMETER Metadata
        The Metadata attribute enables you to associate structured data with a resource. By adding a Metadata attribute to a resource, you can add data in JSON or YAML to the resource declaration. In addition, you can use intrinsic functions (such as GetAtt and Ref), parameters, and pseudo parameters within the Metadata attribute to add those interpreted values.

        This will be returned when describing the resource using AWS CLI.


    .PARAMETER UpdatePolicy
        Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.

        You must use the "Add-UpdatePolicy" function or the [UpdatePolicy] class here.
    .PARAMETER Condition
        Logical ID of the condition that this resource needs to be true in order for this resource to be provisioned.

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerResourcePolicy])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $true,Position = 0)]
        [ValidateLogicalId()]
        [string]
        $LogicalId,
        [parameter(Mandatory = $false)]
        [object]
        $BlockPublicPolicy,
        [parameter(Mandatory = $true)]
        [object]
        $SecretId,
        [parameter(Mandatory = $true)]
        [VSJson]
        $ResourcePolicy,
        [parameter()]
        [DeletionPolicy]
        $DeletionPolicy,
        [parameter()]
        [UpdateReplacePolicy]
        $UpdateReplacePolicy,
        [parameter(Mandatory = $false)]
        [string[]]
        $DependsOn,
        [parameter(Mandatory = $false)]
        [VSJson]
        $Metadata,
        [parameter(Mandatory = $false)]
        [UpdatePolicy]
        $UpdatePolicy,
        [parameter(Mandatory = $false)]
        [string]
        $Condition
    )
    Process {
        $obj = [SecretsManagerResourcePolicy]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'New-VSSecretsManagerResourcePolicy'

function New-VSSecretsManagerRotationSchedule {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::RotationSchedule resource to the template. The AWS::SecretsManager::RotationSchedule resource configures rotation for a secret. You must have already configured the secret with the details of the database or service. If you define both the secret and the database or service in an AWS CloudFormation template, then define the AWS::SecretsManager::SecretTargetAttachment: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.

    .DESCRIPTION
        Adds an AWS::SecretsManager::RotationSchedule resource to the template. The AWS::SecretsManager::RotationSchedule resource configures rotation for a secret. You must have already configured the secret with the details of the database or service. If you define both the secret and the database or service in an AWS CloudFormation template, then define the AWS::SecretsManager::SecretTargetAttachment: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.

**Important**

When you configure rotation for a secret, AWS CloudFormation automatically rotates the secret one time. Be sure you configure all your clients to retrieve the secret using Secrets Manager before configuring rotation to prevent breaking them.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html

    .PARAMETER LogicalId
        The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. Use the logical name to reference the resource in other parts of the template. For example, if you want to map an Amazon Elastic Block Store volume to an Amazon EC2 instance, you reference the logical IDs to associate the block stores with the instance.

    .PARAMETER SecretId
        Specifies the ARN or the friendly name of the secret that you want to rotate. To reference a secret also created in this template, use the Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html function with the secret's logical ID.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-secretid
        PrimitiveType: String
        UpdateType: Immutable

    .PARAMETER HostedRotationLambda
        + Rotating Your AWS Secrets Manager Secrets: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html in the AWS Secrets Manager User Guide

        Type: HostedRotationLambda
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-hostedrotationlambda
        UpdateType: Mutable

    .PARAMETER RotationLambdaARN
        Specifies the ARN of the Lambda function that can rotate the secret. If you don't specify this parameter, then the secret must already have the ARN of a Lambda function configured. To reference a Lambda function also created in this template, use the Ref: https://docs.aws.amazon.com/git statusAWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html function with the function's logical ID.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationlambdaarn
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER RotationRules
        Specifies a structure that defines the rotation schedule for this secret.

        Type: RotationRules
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#cfn-secretsmanager-rotationschedule-rotationrules
        UpdateType: Mutable

    .PARAMETER DeletionPolicy
        With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.

        To keep a resource when its stack is deleted, specify Retain for that resource. You can use retain for any resource. For example, you can retain a nested stack, S3 bucket, or EC2 instance so that you can continue to use or modify those resources after you delete their stacks.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER UpdateReplacePolicy
        Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.

        When you initiate a stack update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template and parameters. If you update a resource property that requires that the resource be replaced, AWS CloudFormation recreates the resource during the update. Recreating the resource generates a new physical ID. AWS CloudFormation creates the replacement resource first, and then changes references from other dependent resources to point to the replacement resource. By default, AWS CloudFormation then deletes the old resource. Using the UpdateReplacePolicy, you can specify that AWS CloudFormation retain or (in some cases) create a snapshot of the old resource.

        For resources that support snapshots, such as AWS::EC2::Volume, specify Snapshot to have AWS CloudFormation create a snapshot before deleting the old resource instance.

        You can apply the UpdateReplacePolicy attribute to any resource. UpdateReplacePolicy is only executed if you update a resource property whose update behavior is specified as Replacement, thereby causing AWS CloudFormation to replace the old resource with a new one with a new physical ID. For example, if you update the Engine property of an AWS::RDS::DBInstance resource type, AWS CloudFormation creates a new resource and replaces the current DB instance resource with the new one. The UpdateReplacePolicy attribute would then dictate whether AWS CloudFormation deleted, retained, or created a snapshot of the old DB instance. The update behavior for each property of a resource is specified in the reference topic for that resource in the AWS Resource and Property Types Reference. For more information on resource update behavior, see Update Behaviors of Stack Resources.

        The UpdateReplacePolicy attribute applies to stack updates you perform directly, as well as stack updates performed using change sets.

        Note
        Resources that are retained continue to exist and continue to incur applicable charges until you delete those resources. Snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots. UpdateReplacePolicy retains the old physical resource or snapshot, but removes it from AWS CloudFormation's scope.

        UpdateReplacePolicy differs from the DeletionPolicy attribute in that it only applies to resources replaced during stack updates. Use DeletionPolicy for resources deleted when a stack is deleted, or when the resource definition itself is deleted from the template as part of a stack update.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER DependsOn
        With the DependsOn attribute you can specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute.

        This parameter takes a string or list of strings representing Logical IDs of resources that must be created prior to this resource being created.


    .PARAMETER Metadata
        The Metadata attribute enables you to associate structured data with a resource. By adding a Metadata attribute to a resource, you can add data in JSON or YAML to the resource declaration. In addition, you can use intrinsic functions (such as GetAtt and Ref), parameters, and pseudo parameters within the Metadata attribute to add those interpreted values.

        This will be returned when describing the resource using AWS CLI.


    .PARAMETER UpdatePolicy
        Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.

        You must use the "Add-UpdatePolicy" function or the [UpdatePolicy] class here.
    .PARAMETER Condition
        Logical ID of the condition that this resource needs to be true in order for this resource to be provisioned.

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerRotationSchedule])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $true,Position = 0)]
        [ValidateLogicalId()]
        [string]
        $LogicalId,
        [parameter(Mandatory = $true)]
        [object]
        $SecretId,
        [parameter(Mandatory = $false)]
        $HostedRotationLambda,
        [parameter(Mandatory = $false)]
        [object]
        $RotationLambdaARN,
        [parameter(Mandatory = $false)]
        $RotationRules,
        [parameter()]
        [DeletionPolicy]
        $DeletionPolicy,
        [parameter()]
        [UpdateReplacePolicy]
        $UpdateReplacePolicy,
        [parameter(Mandatory = $false)]
        [string[]]
        $DependsOn,
        [parameter(Mandatory = $false)]
        [VSJson]
        $Metadata,
        [parameter(Mandatory = $false)]
        [UpdatePolicy]
        $UpdatePolicy,
        [parameter(Mandatory = $false)]
        [string]
        $Condition
    )
    Process {
        $obj = [SecretsManagerRotationSchedule]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'New-VSSecretsManagerRotationSchedule'

function New-VSSecretsManagerSecret {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::Secret resource to the template. The AWS::SecretsManager::Secret resource creates a secret and stores it in Secrets Manager. For more information, see Secret: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_secret in the *AWS Secrets Manager User Guide*, and the CreateSecret API: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html in the *AWS Secrets Manager API Reference*.

    .DESCRIPTION
        Adds an AWS::SecretsManager::Secret resource to the template. The AWS::SecretsManager::Secret resource creates a secret and stores it in Secrets Manager. For more information, see Secret: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_secret in the *AWS Secrets Manager User Guide*, and the CreateSecret API: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html in the *AWS Secrets Manager API Reference*.

To specify the SecretString encrypted value for the secret, specify either the SecretString or the GenerateSecretString property in this resource. You must specify one or the other, but you can't specify both. See the first two examples: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#aws-resource-secretsmanager-secret-hardcoded later in this topic.

**Note**

You can't generate a secret with a SecretBinary secret value using AWS CloudFormation. You can only create a SecretString text-based secret value.

**Note**

Do not create a dynamic reference using a backslash ( as the final value. AWS CloudFormation cannot resolve those references, which causes a resource failure.

After you create the basic secret, you can do any of the following:

+ Configure your secret with details of the Secrets Manager supported database or service: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html#full-rotation-support with credentials stored in this secret.

+ Attaches a resource-based permissions policy to the secret. To do this, define a AWS::SecretsManager::ResourcePolicy: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html resource type.

+ You can optionally configure a secret to rotate after a specified number of days. See AWS::SecretsManager::RotationSchedule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html

    .PARAMETER LogicalId
        The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. Use the logical name to reference the resource in other parts of the template. For example, if you want to map an Amazon Elastic Block Store volume to an Amazon EC2 instance, you reference the logical IDs to associate the block stores with the instance.

    .PARAMETER Description
        Optional Specifies a user-provided description of the secret.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-description
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER KmsKeyId
        Optional Specifies the ARN, Key ID, or alias of the AWS KMS customer master key CMK used to encrypt the SecretString or SecretBinary values for versions of this secret. If you don't specify this value, then Secrets Manager defaults to the AWS account CMK, aws/secretsmanager. If an AWS KMS CMK with that name doesn't exist, Secrets Manager creates the CMK for you automatically the first time it encrypts a version SecretString or SecretBinary fields.
You can use the account default CMK to encrypt and decrypt only if you call this operation using credentials from the same account that owns the secret. If you use a secret from a different account, then you must create a custom CMK and specify the ARN in this field.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-kmskeyid
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER SecretString
        Optional Specifies text data that you want to encrypt and store in this new version of the secret.
Either SecretString or SecretBinary must have a value, but not both. They cannot both be empty.
If you create a secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the SecretString parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse.
For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json in the *AWS CLI User Guide*. For example:
{"username":"bob","password":"abc123xyz456"}
If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-secretstring
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER GenerateSecretString
        A structure that specifies generating a random password by using the functionality of the GetRandomPassword API: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html. You can return that string directly to use as the secret value, or you can specify both the SecretStringTemplate and the GenerateSecretKey parameters. Secrets Manager uses the value in GenerateSecretKey parameters. Secrets Manager uses the value in GenerateSecretKey as the key name and combines it with the randomly generated password to make a JSON key-value pair. Secrets Manager then inserts the pair into the JSON structure specified in the SecretStringTemplate parameter. Secrets Manager stores the completed string as the secret value in the initial version of the secret. For more information about how to use this property, see Secrets Manager Secret GenerateSecretString: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html and the first example: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#aws-resource-secretsmanager-secret-generated in the following Examples section.
Either SecretString or GenerateSecretString must have a value, but not both. They cannot both be empty.

        Type: GenerateSecretString
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-generatesecretstring
        UpdateType: Mutable

    .PARAMETER ReplicaRegions
        + AWS::SecretsManager::SecretTargetAttachment: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

        Type: List
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-replicaregions
        ItemType: ReplicaRegion
        UpdateType: Mutable

    .PARAMETER Tags
        The list of user-defined tags associated with the secret. Use tags to manage your AWS resources. For additional information about tags, see TagResource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html.

        Type: List
        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-tags
        ItemType: Tag
        UpdateType: Mutable

    .PARAMETER Name
        The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html#cfn-secretsmanager-secret-name
        PrimitiveType: String
        UpdateType: Immutable

    .PARAMETER DeletionPolicy
        With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.

        To keep a resource when its stack is deleted, specify Retain for that resource. You can use retain for any resource. For example, you can retain a nested stack, S3 bucket, or EC2 instance so that you can continue to use or modify those resources after you delete their stacks.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER UpdateReplacePolicy
        Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.

        When you initiate a stack update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template and parameters. If you update a resource property that requires that the resource be replaced, AWS CloudFormation recreates the resource during the update. Recreating the resource generates a new physical ID. AWS CloudFormation creates the replacement resource first, and then changes references from other dependent resources to point to the replacement resource. By default, AWS CloudFormation then deletes the old resource. Using the UpdateReplacePolicy, you can specify that AWS CloudFormation retain or (in some cases) create a snapshot of the old resource.

        For resources that support snapshots, such as AWS::EC2::Volume, specify Snapshot to have AWS CloudFormation create a snapshot before deleting the old resource instance.

        You can apply the UpdateReplacePolicy attribute to any resource. UpdateReplacePolicy is only executed if you update a resource property whose update behavior is specified as Replacement, thereby causing AWS CloudFormation to replace the old resource with a new one with a new physical ID. For example, if you update the Engine property of an AWS::RDS::DBInstance resource type, AWS CloudFormation creates a new resource and replaces the current DB instance resource with the new one. The UpdateReplacePolicy attribute would then dictate whether AWS CloudFormation deleted, retained, or created a snapshot of the old DB instance. The update behavior for each property of a resource is specified in the reference topic for that resource in the AWS Resource and Property Types Reference. For more information on resource update behavior, see Update Behaviors of Stack Resources.

        The UpdateReplacePolicy attribute applies to stack updates you perform directly, as well as stack updates performed using change sets.

        Note
        Resources that are retained continue to exist and continue to incur applicable charges until you delete those resources. Snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots. UpdateReplacePolicy retains the old physical resource or snapshot, but removes it from AWS CloudFormation's scope.

        UpdateReplacePolicy differs from the DeletionPolicy attribute in that it only applies to resources replaced during stack updates. Use DeletionPolicy for resources deleted when a stack is deleted, or when the resource definition itself is deleted from the template as part of a stack update.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER DependsOn
        With the DependsOn attribute you can specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute.

        This parameter takes a string or list of strings representing Logical IDs of resources that must be created prior to this resource being created.


    .PARAMETER Metadata
        The Metadata attribute enables you to associate structured data with a resource. By adding a Metadata attribute to a resource, you can add data in JSON or YAML to the resource declaration. In addition, you can use intrinsic functions (such as GetAtt and Ref), parameters, and pseudo parameters within the Metadata attribute to add those interpreted values.

        This will be returned when describing the resource using AWS CLI.


    .PARAMETER UpdatePolicy
        Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.

        You must use the "Add-UpdatePolicy" function or the [UpdatePolicy] class here.
    .PARAMETER Condition
        Logical ID of the condition that this resource needs to be true in order for this resource to be provisioned.

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerSecret])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $true,Position = 0)]
        [ValidateLogicalId()]
        [string]
        $LogicalId,
        [parameter(Mandatory = $false)]
        [object]
        $Description,
        [parameter(Mandatory = $false)]
        [object]
        $KmsKeyId,
        [parameter(Mandatory = $false)]
        [object]
        $SecretString,
        [parameter(Mandatory = $false)]
        $GenerateSecretString,
        [parameter(Mandatory = $false)]
        [object]
        $ReplicaRegions,
        [TransformTag()]
        [object]
        [parameter(Mandatory = $false)]
        $Tags,
        [parameter(Mandatory = $false)]
        [object]
        $Name,
        [parameter()]
        [DeletionPolicy]
        $DeletionPolicy,
        [parameter()]
        [UpdateReplacePolicy]
        $UpdateReplacePolicy,
        [parameter(Mandatory = $false)]
        [string[]]
        $DependsOn,
        [parameter(Mandatory = $false)]
        [VSJson]
        $Metadata,
        [parameter(Mandatory = $false)]
        [UpdatePolicy]
        $UpdatePolicy,
        [parameter(Mandatory = $false)]
        [string]
        $Condition
    )
    Process {
        $obj = [SecretsManagerSecret]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'New-VSSecretsManagerSecret'

function New-VSSecretsManagerSecretTargetAttachment {
    <#
    .SYNOPSIS
        Adds an AWS::SecretsManager::SecretTargetAttachment resource to the template. The AWS::SecretsManager::SecretTargetAttachment resource completes the final link between a Secrets Manager secret and the associated database. This is required because each has a dependency on the other. No matter which one you create first, the other doesn't exist yet. To resolve this, you must create the resources in the following order:

    .DESCRIPTION
        Adds an AWS::SecretsManager::SecretTargetAttachment resource to the template. The AWS::SecretsManager::SecretTargetAttachment resource completes the final link between a Secrets Manager secret and the associated database. This is required because each has a dependency on the other. No matter which one you create first, the other doesn't exist yet. To resolve this, you must create the resources in the following order:

1. Define the secret without referencing the service or database. You can't reference the service or database because it doesn't exist yet.

1. Next, define the service or database. Include the reference to the secret to use stored credentials to define the database master user and password.

1. Finally, define a SecretTargetAttachment resource type to finish configuring the secret with the required database engine type and the connection details of the service or database. The rotation function requires the details, if you attach one later by defining a AWS::SecretsManager::RotationSchedule: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html resource type.

    .LINK
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html

    .PARAMETER LogicalId
        The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. Use the logical name to reference the resource in other parts of the template. For example, if you want to map an Amazon Elastic Block Store volume to an Amazon EC2 instance, you reference the logical IDs to associate the block stores with the instance.

    .PARAMETER SecretId
        The Amazon Resource Name ARN or the friendly name of the secret that contains the credentials that you want to use with the specified service or database. To reference a secret also created in this template, use the see Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html function with the secret's logical ID.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-secretid
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER TargetType
        A string that defines the type of service or database associated with the secret. This value instructs AWS Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:
+ AWS::RDS::DBInstance
+ AWS::RDS::DBCluster
+ AWS::Redshift::Cluster
+ AWS::DocDB::DBInstance
+ AWS::DocDB::DBCluster

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-targettype
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER TargetId
        The ARN of the service or database credentials stored in the specified secret.

        Documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-targetid
        PrimitiveType: String
        UpdateType: Mutable

    .PARAMETER DeletionPolicy
        With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.

        To keep a resource when its stack is deleted, specify Retain for that resource. You can use retain for any resource. For example, you can retain a nested stack, S3 bucket, or EC2 instance so that you can continue to use or modify those resources after you delete their stacks.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER UpdateReplacePolicy
        Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource when it is replaced during a stack update operation.

        When you initiate a stack update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template and parameters. If you update a resource property that requires that the resource be replaced, AWS CloudFormation recreates the resource during the update. Recreating the resource generates a new physical ID. AWS CloudFormation creates the replacement resource first, and then changes references from other dependent resources to point to the replacement resource. By default, AWS CloudFormation then deletes the old resource. Using the UpdateReplacePolicy, you can specify that AWS CloudFormation retain or (in some cases) create a snapshot of the old resource.

        For resources that support snapshots, such as AWS::EC2::Volume, specify Snapshot to have AWS CloudFormation create a snapshot before deleting the old resource instance.

        You can apply the UpdateReplacePolicy attribute to any resource. UpdateReplacePolicy is only executed if you update a resource property whose update behavior is specified as Replacement, thereby causing AWS CloudFormation to replace the old resource with a new one with a new physical ID. For example, if you update the Engine property of an AWS::RDS::DBInstance resource type, AWS CloudFormation creates a new resource and replaces the current DB instance resource with the new one. The UpdateReplacePolicy attribute would then dictate whether AWS CloudFormation deleted, retained, or created a snapshot of the old DB instance. The update behavior for each property of a resource is specified in the reference topic for that resource in the AWS Resource and Property Types Reference. For more information on resource update behavior, see Update Behaviors of Stack Resources.

        The UpdateReplacePolicy attribute applies to stack updates you perform directly, as well as stack updates performed using change sets.

        Note
        Resources that are retained continue to exist and continue to incur applicable charges until you delete those resources. Snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots. UpdateReplacePolicy retains the old physical resource or snapshot, but removes it from AWS CloudFormation's scope.

        UpdateReplacePolicy differs from the DeletionPolicy attribute in that it only applies to resources replaced during stack updates. Use DeletionPolicy for resources deleted when a stack is deleted, or when the resource definition itself is deleted from the template as part of a stack update.

        You must use one of the following options: "Delete","Retain","Snapshot"

    .PARAMETER DependsOn
        With the DependsOn attribute you can specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute.

        This parameter takes a string or list of strings representing Logical IDs of resources that must be created prior to this resource being created.


    .PARAMETER Metadata
        The Metadata attribute enables you to associate structured data with a resource. By adding a Metadata attribute to a resource, you can add data in JSON or YAML to the resource declaration. In addition, you can use intrinsic functions (such as GetAtt and Ref), parameters, and pseudo parameters within the Metadata attribute to add those interpreted values.

        This will be returned when describing the resource using AWS CLI.


    .PARAMETER UpdatePolicy
        Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a scheduled action is associated with the Auto Scaling group.

        You must use the "Add-UpdatePolicy" function or the [UpdatePolicy] class here.
    .PARAMETER Condition
        Logical ID of the condition that this resource needs to be true in order for this resource to be provisioned.

    .FUNCTIONALITY
        Vaporshell
    #>

    [OutputType([SecretsManagerSecretTargetAttachment])]
    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $true,Position = 0)]
        [ValidateLogicalId()]
        [string]
        $LogicalId,
        [parameter(Mandatory = $true)]
        [object]
        $SecretId,
        [parameter(Mandatory = $true)]
        [object]
        $TargetType,
        [parameter(Mandatory = $true)]
        [object]
        $TargetId,
        [parameter()]
        [DeletionPolicy]
        $DeletionPolicy,
        [parameter()]
        [UpdateReplacePolicy]
        $UpdateReplacePolicy,
        [parameter(Mandatory = $false)]
        [string[]]
        $DependsOn,
        [parameter(Mandatory = $false)]
        [VSJson]
        $Metadata,
        [parameter(Mandatory = $false)]
        [UpdatePolicy]
        $UpdatePolicy,
        [parameter(Mandatory = $false)]
        [string]
        $Condition
    )
    Process {
        $obj = [SecretsManagerSecretTargetAttachment]::new($PSBoundParameters)
        Write-Debug "$($MyInvocation.MyCommand) PSBoundParameters:`n$($PSBoundParameters | ConvertTo-Json -Depth 20 | Format-Json)"
        Write-Verbose "Resulting object from $($MyInvocation.MyCommand): `n$($obj.ToJson() | Format-Json)"
        $obj
    }
}

Export-ModuleMember -Function 'New-VSSecretsManagerSecretTargetAttachment'