Allow Dynamic References for Secure Values in Custom Resources #341

Open
fimbulvetr opened this issue Jan 15, 2020 · 5 comments
Labels
enhancement New feature or request

fimbulvetr commented Jan 15, 2020

Scope of request

Currently, you can use Dynamic References for Secure Values, i.e. {{resolve:ssm-secure:IAMUserPassword:10}} in most places. However, it is not possible to use them as parameters (read: arguments) to a Custom Resource.

This is documented here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings

Under Additional Considerations:

  • Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

Samples:

AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  MyFrontEndTest: 
    Type: "Custom::PingTester"
    Version: "1.0"
    Properties: 
      ServiceToken: "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest"
      # The reference must be quoted: an unquoted {{ ... }} is a YAML flow mapping, not a string.
      Password: "{{resolve:ssm-secure:IAMUserPassword:10}}"
Outputs: 
  CustomResourceAttribute1: 
    Value: 
      Fn::GetAtt: 
        - MyFrontEndTest
        - responseKey1
  CustomResourceAttribute2: 
    Value: 
      Fn::GetAtt: 
        - MyFrontEndTest
        - responseKey2

Expected Behavior:

We should be allowed to use a dynamic reference for secure values on custom resources.

Helpful links:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cfn-customresource.html

Category:

Compute, Security

@TheDanBlanco TheDanBlanco added the enhancement New feature or request label Jan 21, 2020
TheDanBlanco commented Jan 21, 2020

we don’t have any plans to invest in this currently, so for now we’d suggest migrating over to resource providers

JohnPreston commented Apr 5, 2021

@TheDanBlanco

Hello.
Why are there no plans to do so?

I have created my own resource provider since, but then the problem, you see, is that we do not have the possibility to create private resources that will have VPC access.

As per your support team, even if we had a Cloudformation VPC endpoint to provide access in both ways (such as what's required for Glue to have access to in-VPC resources), these private resources created through resource providers do not seem to be able to be set to reach resources in-VPC.

I have in the meantime created a tiny lib that will allow the functions (lambda) to parse the resolve string and behave in the way one would expect CFN to do so, but that is just one more thing for people to have to think about when packaging their applications.

EDIT:
I have written the following lib https://pypi.org/project/aws-cfn-custom-resource-resolve-parser/ which allows users to keep writing {{resolve:secretsmanager}} in the same way, so all that's needed is to pre-parse the string with it before passing it onto the rest of the lambda function.

gburke-ppb commented

@aws-cdk/aws-eks / Cluster / addManifest(id, ...manifest)

This will create a Custom Resource. When using this to add a file that contains a password, it means that we cannot use Secrets Manager to store that password and instead have to add it into the raw config file in our code repository.

So please let this be used for Custom Resources so that we no longer have to do this.

Thanks

ckatsaras-godaddy commented

I know this issue is fairly old at this point but was wondering if anyone has an update regarding this.
@gburke-ppb did you end up finding a workaround? 😄
Any information is greatly appreciated!

SodaDev commented Feb 2, 2023

@ckatsaras-godaddy I had similar issue and just implemented it in my custom resource under https:/SodaDev/sns-platform-application
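Both workarounds in this thread (JohnPreston's pre-parsing library and SodaDev's in-resource implementation) take the same approach: CloudFormation hands the `{{resolve:...}}` token to the custom resource as a literal string, and the Lambda resolves it itself. The Python below is an added example written for this page; it is not the aws-cfn-custom-resource-resolve-parser library, not SodaDev's code, and not anything from AWS. It parses the two secure dynamic-reference forms from the linked AWS documentation (`ssm-secure:name[:version]` and `secretsmanager:secret-id[:SecretString[:json-key[:version-stage[:version-id]]]]`, including the case where secret-id is a full ARN and therefore itself contains colons), walks the nested ResourceProperties, and substitutes the fetched values. The fetchers are injected so the module runs offline; `FAKE_SSM` and `FAKE_SECRETS` are constructed stand-in stores with made-up values, and `boto3_fetchers()` shows the real SDK calls (SSM `GetParameter` with decryption, Secrets Manager `GetSecretValue`) that a deployed function would use instead.

```python
"""Resolve {{resolve:ssm-secure:...}} / {{resolve:secretsmanager:...}} tokens that
CloudFormation hands to a custom resource unresolved.  Added example, not the
issue author's library or AWS code.  Fetchers are injected so this runs offline."""
import json
import re
from typing import Any, Callable, Dict, Optional, Tuple

# One token per match; the body cannot contain braces, so several tokens per string are safe.
_TOKEN = re.compile(r"\{\{resolve:(ssm-secure|secretsmanager):([^{}]+)\}\}")
SsmFetcher = Callable[[str, Optional[str]], str]                    # (name, version)
SecretFetcher = Callable[[str, Optional[str], Optional[str]], str]  # (id, stage, version_id)


def parse_ssm_secure(body: str) -> Tuple[str, Optional[str]]:
    """'IAMUserPassword:10' -> ('IAMUserPassword', '10'); the version is optional."""
    parts = body.split(":")
    if not parts[0] or len(parts) > 2:
        raise ValueError(f"malformed ssm-secure reference: {body!r}")
    return parts[0], (parts[1] or None) if len(parts) == 2 else None


def parse_secretsmanager(body: str) -> Dict[str, Optional[str]]:
    """secret-id[:SecretString[:json-key[:version-stage[:version-id]]]].
    secret-id may be a full ARN, which itself contains colons.  An ARN is always
    exactly seven colon-separated fields (secret names cannot contain ':'), so the
    first seven segments are the id and whatever follows are the selectors."""
    segs = body.split(":")
    if segs[0] == "arn":
        if len(segs) < 7:
            raise ValueError(f"truncated secret ARN: {body!r}")
        secret_id, rest = ":".join(segs[:7]), segs[7:]
    else:
        secret_id, rest = segs[0], segs[1:]
    if not secret_id or len(rest) > 4:
        raise ValueError(f"malformed secretsmanager reference: {body!r}")
    secret_type, json_key, stage, version_id = rest + [""] * (4 - len(rest))
    if secret_type not in ("", "SecretString"):
        raise ValueError(f"unsupported secret type {secret_type!r}; only SecretString")
    return {"secret_id": secret_id, "json_key": json_key or None,
            "version_stage": stage or None, "version_id": version_id or None}


def resolve_string(value: str, ssm: SsmFetcher, secrets: SecretFetcher) -> str:
    """Replace every token in a string; surrounding text is left untouched."""
    def _sub(m):
        kind, body = m.group(1), m.group(2)
        if kind == "ssm-secure":
            return ssm(*parse_ssm_secure(body))
        ref = parse_secretsmanager(body)
        raw = secrets(ref["secret_id"], ref["version_stage"], ref["version_id"])
        if ref["json_key"] is None:
            return raw
        try:
            return str(json.loads(raw)[ref["json_key"]])
        except (ValueError, KeyError, TypeError) as exc:  # error text never echoes the secret
            raise ValueError(f"{ref['secret_id']}: no JSON key {ref['json_key']!r}") from exc
    return _TOKEN.sub(_sub, value)


def resolve_properties(obj: Any, ssm: SsmFetcher, secrets: SecretFetcher) -> Any:
    """Walk ResourceProperties (nested dicts/lists) and return a copy with every string resolved."""
    if isinstance(obj, str):
        return resolve_string(obj, ssm, secrets)
    if isinstance(obj, dict):
        return {k: resolve_properties(v, ssm, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve_properties(v, ssm, secrets) for v in obj]
    return obj


def boto3_fetchers() -> Tuple[SsmFetcher, SecretFetcher]:
    """Real fetchers for inside the Lambda.  The function role needs ssm:GetParameter,
    kms:Decrypt on the parameter's key, and secretsmanager:GetSecretValue."""
    import boto3  # imported lazily so the module stays importable offline
    ssm_client, sm_client = boto3.client("ssm"), boto3.client("secretsmanager")

    def ssm(name: str, version: Optional[str]) -> str:
        selector = f"{name}:{version}" if version else name  # SSM 'name:version' selector
        return ssm_client.get_parameter(Name=selector, WithDecryption=True)["Parameter"]["Value"]

    def secrets(secret_id: str, stage: Optional[str], version_id: Optional[str]) -> str:
        kwargs: Dict[str, str] = {"SecretId": secret_id}
        if stage:
            kwargs["VersionStage"] = stage
        if version_id:
            kwargs["VersionId"] = version_id
        return sm_client.get_secret_value(**kwargs)["SecretString"]
    return ssm, secrets


# Constructed offline stand-ins with made-up values, mirroring the issue's sample template.
FAKE_SSM = {("IAMUserPassword", "10"): "ssm-example-password"}
FAKE_SECRETS = {"MyRDSSecret": '{"username": "admin", "password": "sm-example-password"}'}


def demo() -> Dict[str, Any]:
    """What the Lambda would do with event['ResourceProperties'] (tokens still unresolved)."""
    props = {
        "ServiceToken": "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest",
        "Password": "{{resolve:ssm-secure:IAMUserPassword:10}}",
        "Db": {"User": "{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}",
               "Dsn": "postgres://{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}@db"},
    }
    return resolve_properties(props,
                              lambda name, version: FAKE_SSM[(name, version)],
                              lambda secret_id, stage, version_id: FAKE_SECRETS[secret_id])
```

Two things to keep in mind when doing this in a real custom resource. The template and the event CloudFormation sends to the function still only contain the literal token, so nothing secret lands in the stack's stored template; the plaintext exists only inside the Lambda after resolution, so do not log the resolved properties and do not return any of them in the response `Data`, since `Fn::GetAtt` values are visible in the console and API. The ARN handling above relies on the documented seven-field ARN layout and on secret names not containing colons; if a future reference form breaks that assumption the parser raises rather than guessing.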

6 participants