Cloudformation-coverage-roadmap: Allow Dynamic References for Secure Values in Custom Resources

Created on 15 Jan 2020 · 3 Comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

Scope of request

Currently, you can use Dynamic References for Secure Values, i.e. {{resolve:ssm-secure:IAMUserPassword:10}} in most places. However, it is not possible to use them as parameters (read: arguments) to a Custom Resource.

This is documented here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings

Under Additional Considerations:

  • Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

Samples:

AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  MyFrontEndTest: 
    Type: "Custom::PingTester"
    Version: "1.0"
    Properties: 
      ServiceToken: "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest"
      Password: '{{resolve:ssm-secure:IAMUserPassword:10}}'
Outputs: 
  CustomResourceAttribute1: 
    Value: 
      Fn::GetAtt: 
        - MyFrontEndTest
        - responseKey1
  CustomResourceAttribute2: 
    Value: 
      Fn::GetAtt: 
        - MyFrontEndTest
        - responseKey2

Expected Behavior:

We should be allowed to use a dynamic reference for secure values on custom resources.

Helpful links:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cfn-customresource.html

Category:

Compute, Security

enhancement

Most helpful comment

@aws-cdk/aws-eks / Cluster / addManifest(id, ...manifest)

This will create a Custom Resource. When using this to add a file that contains a password it means that we cannot use secretsManager to store that password and instead have to add it into the raw config file in our code repository.

So please let this be used for Custom Resources so that we no longer have to do this.

Thanks

All 3 comments

we don鈥檛 have any plans to invest in this currently, so for now we鈥檇 suggest migrating over to resource providers

@TheDanBlanco

Hello.
Why are there no plans to do so?

I have since created my own resource provider, but the problem, you see, is that we do not have the possibility to create private resources that will have VPC access.

As per your support team, even if we had a Cloudformation VPC endpoint to provide access in both ways (such as what's required for Glue to have access to in-VPC resources), these private resources created through resource providers do not seem to be able to be set to reach resources in-VPC.

I have in the meantime created a tiny lib that will allow the functions (lambda) to parse the resolve string and behave in the way one would expect CFN to do so, but that is just one more thing for people to have to think about when packaging their applications.

EDIT:
I have written the following lib https://pypi.org/project/aws-cfn-custom-resource-resolve-parser/ which allows users to keep writing {{resolve:secretsmanager}} in the same way, so all that's needed is to pre-parse the string with it before passing it onto the rest of the lambda function.
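As an added example (not the commenter's library and not AWS code), a minimal Python parser and resolver of the kind the comment describes: it walks a custom resource's ResourceProperties, recognises `{{resolve:ssm-secure:...}}` and `{{resolve:secretsmanager:...}}` strings, and fetches them through caller-supplied functions. In a Lambda those functions would wrap SSM GetParameter with WithDecryption and Secrets Manager GetSecretValue; the fetchers, property names and secret names used with it are constructed.

```python
import json
import re

# Whole-value match, e.g. "{{resolve:ssm-secure:IAMUserPassword:10}}"
_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):(.+)\}\}$")


def parse_reference(value):
    """Return (service, fields) for a dynamic reference, or None for a plain value."""
    m = _REF.match(value) if isinstance(value, str) else None
    if not m:
        return None
    service, body = m.group(1), m.group(2)
    if service == "ssm-secure":                      # parameter-name[:version]
        name, _, version = body.partition(":")
        return service, {"name": name, "version": version or None}
    # secretsmanager: secret-id[:SecretString[:json-key[:version-stage[:version-id]]]]
    # The secret-id may itself be an ARN, which carries six colons of its own.
    if body.startswith("arn:"):
        parts = body.split(":")
        secret_id, rest = ":".join(parts[:7]), parts[7:]
    else:
        secret_id, *rest = body.split(":")
    rest += [""] * (4 - len(rest))
    if rest[0] not in ("", "SecretString"):
        raise ValueError(f"unsupported secret-string selector {rest[0]!r}")
    return service, {"secret_id": secret_id, "json_key": rest[1] or None,
                     "version_stage": rest[2] or None, "version_id": rest[3] or None}


def resolve_properties(props, ssm_fetch, secret_fetch):
    """Recursively replace dynamic-reference strings in ResourceProperties.

    ssm_fetch(name, version) and secret_fetch(secret_id, version_stage,
    version_id) are supplied by the caller; in a Lambda they would wrap
    SSM GetParameter (WithDecryption=True) and Secrets Manager GetSecretValue.
    Injecting them keeps this example runnable offline.
    """
    if isinstance(props, dict):
        return {k: resolve_properties(v, ssm_fetch, secret_fetch) for k, v in props.items()}
    if isinstance(props, list):
        return [resolve_properties(v, ssm_fetch, secret_fetch) for v in props]
    parsed = parse_reference(props)
    if parsed is None:
        return props                                 # ordinary value, leave untouched
    service, f = parsed
    if service == "ssm-secure":
        return ssm_fetch(f["name"], f["version"])
    secret = secret_fetch(f["secret_id"], f["version_stage"], f["version_id"])
    return json.loads(secret)[f["json_key"]] if f["json_key"] else secret
```

Call `resolve_properties(event["ResourceProperties"], ...)` at the top of the handler so the rest of the function sees plain values, and keep the resolved values out of the response and the logs.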

