In Terraform, we can read the values from Vault (stored in AWS SSM as secure strings). However, with CDK we have to put them in SSM or Secrets Manager and read the value in CDK. Is there a way CDK can read from Vault?
It should be possible using AWS Custom Resources. AWS CDK provides a way to create custom resources that respond to CloudFormation's CRUD events (https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html).
According to the AWS Custom Resource docs, "return values are defined by the custom resource provider, and are retrieved by calling Fn::GetAtt on the provider-defined attributes". So after creating a custom resource that returns your HashiCorp Vault key as an attribute, you can have another resource reference that value using Fn::GetAtt in CDK, and the value should not get publicly exposed in the CloudFormation template.
Another alternative could be to sync secret values between Hashicorp Vault and AWS SSM/SecretsManager.
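The custom-resource approach from the answer above, written out as the provider-side Lambda handler. This is an added example, not code from the original thread or from AWS/HashiCorp: it assumes the Lambda receives VAULT_ADDR and a Vault token via environment variables (a static VAULT_TOKEN is used here only for brevity; Vault's AWS auth method avoids shipping one), that the secret lives in a KV v2 mount so the read response is shaped {"data": {"data": {...}}}, and that the template passes the Vault path and field name as the properties VaultPath and VaultKey (both names are assumptions). The handler answers Create/Update/Delete events, returns the secret as the Data attribute Value for Fn::GetAtt, and sets NoEcho so the attribute is masked when the stack is described via the console or CLI. The sample event and Vault reply at the bottom are constructed so the logic can be exercised offline through the injectable fetch function.

```python
import json
import os
import urllib.request
from typing import Callable, Optional

# Assumed configuration (not from the thread); the constructed default lets the
# module import cleanly offline.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.internal:8200")

Fetch = Callable[[str, dict], dict]


def _http_get_json(url: str, headers: dict) -> dict:
    """Default fetcher: GET the URL with the given headers and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_kv2_field(body: dict, key: str) -> str:
    """Pull one field out of a Vault KV v2 read response ({"data": {"data": {...}}})."""
    try:
        return body["data"]["data"][key]
    except (KeyError, TypeError) as exc:
        raise KeyError(f"field {key!r} missing from Vault KV v2 response") from exc


def read_vault_secret(path: str, key: str, token: str, fetch: Fetch = _http_get_json) -> str:
    """Read <VAULT_ADDR>/v1/<path>; `fetch` is injectable so the logic runs without a Vault."""
    body = fetch(f"{VAULT_ADDR}/v1/{path}", {"X-Vault-Token": token})
    return extract_kv2_field(body, key)


def build_response(event: dict, status: str, data: Optional[dict] = None, reason: str = "") -> dict:
    """The object CloudFormation expects to be PUT to event['ResponseURL']."""
    return {
        "Status": status,
        "Reason": reason or "see the Lambda log stream for details",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # NoEcho masks the Data attributes in console/CLI describe output;
        # Fn::GetAtt inside the template still resolves to the real value.
        "NoEcho": True,
        "Data": data or {},
    }


def handle(event: dict, token: str, fetch: Fetch = _http_get_json) -> dict:
    """Core Create/Update/Delete logic, kept apart from the Lambda entry point for testing."""
    if event["RequestType"] == "Delete":
        # Nothing was created in Vault, so Delete only has to acknowledge the request.
        return build_response(event, "SUCCESS")
    props = event.get("ResourceProperties", {})
    try:
        value = read_vault_secret(props["VaultPath"], props["VaultKey"], token, fetch)
    except Exception as exc:  # every failure must be reported or the stack hangs until timeout
        return build_response(event, "FAILED", reason=f"{type(exc).__name__}: {exc}")
    return build_response(event, "SUCCESS", data={"Value": value})


def send_response(url: str, body: dict) -> None:
    """PUT the response to the pre-signed S3 URL CloudFormation supplied in the event."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req, timeout=10).close()


def lambda_handler(event: dict, context) -> None:
    """Lambda entry point."""
    send_response(event["ResponseURL"], handle(event, os.environ["VAULT_TOKEN"]))


# Constructed sample event and Vault reply for offline use.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo/constructed-id",
    "RequestId": "constructed-request-1",
    "LogicalResourceId": "VaultDbPassword",
    "ResourceProperties": {"VaultPath": "secret/data/app/db", "VaultKey": "password"},
}
SAMPLE_VAULT_REPLY = {"data": {"data": {"password": "hunter2"}, "metadata": {"version": 3}}}


def fake_fetch(url: str, headers: dict) -> dict:
    """Stand-in for the HTTP call: checks the request shape and returns the constructed reply."""
    assert headers.get("X-Vault-Token") == "constructed-token"
    assert url.endswith("/v1/secret/data/app/db")
    return SAMPLE_VAULT_REPLY


if __name__ == "__main__":
    print(json.dumps(handle(SAMPLE_EVENT, "constructed-token", fake_fetch), indent=2))
```

Note that NoEcho only masks the value in describe output; whatever resource consumes the Fn::GetAtt result still receives the plaintext, so the consumer should itself be something that is appropriate for holding a secret.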
Related
We are in the process of migrating from API calls to Terraform to spin up resources/accesses/policies in AWS. I was a bit stuck in a place where I could not find an option to pass CallerReference to the AWS Terraform resource aws_cloudfront_origin_access_identity.
We have this option using api: https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCloudFrontOriginAccessIdentity.html
Do we have any custom options for passing the same in other ways?
If it's not directly supported by TF, you can always use local-exec with the AWS CLI to create your origin identity.
I'm unable to locate in the docs how to specify an IAM user's public SSH key in AWS CDK and can't seem to find the corresponding CloudFormation type either. Terraform has the following:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key
How do I specify the key in either CloudFormation or CDK?
This is not supported. You would have to develop your own custom resource for that.
I'm wondering if something is possible at all, or I'm trying to build something that is not possible from the start.
Let's say within Account A there is an RDS DB Password, (can be any AWS resource ID or value) that I have stored in Secrets Manager or Parameter Store.
Now I want to use that value in AWS CDK in Account B, is this possible?
It is possible to retrieve the value based on ARN, see: https://bobbyhadz.com/blog/get-secrets-manager-values-aws-cdk#get-secrets-manager-value-by-arn---alternative but would this work cross-account?
You can attach a policy to your secret granting access to other AWS account. Check https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/
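The cross-account sharing the answer above points to, as an added example that is not part of the original thread or of the AWS article it links. It builds the two policies involved, the resource policy on the secret in Account A and the statement needed on the customer-managed KMS key that encrypts it (the AWS-managed aws/secretsmanager key cannot be shared across accounts, so a CMK is required), and then runs a small check that flags Allow statements whose principal is everyone or a whole account rather than the single deploy role in Account B. Account IDs, region, role name and secret ARN are constructed placeholders.

```python
from typing import List

# Constructed identifiers for the two accounts in the question (not real accounts).
PRODUCER_ACCOUNT = "111111111111"   # Account A, owns the secret and the KMS key
CONSUMER_ACCOUNT = "222222222222"   # Account B, runs the CDK deployment
REGION = "us-east-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{PRODUCER_ACCOUNT}:secret:prod/db/password-AbCdEf"
CONSUMER_ROLE_ARN = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/cdk-deploy-role"


def secret_resource_policy(secret_arn: str, consumer_role_arn: str) -> dict:
    """Resource policy to attach to the secret in Account A: one role in Account B may read it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowConsumerRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": consumer_role_arn},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def kms_key_policy_statement(consumer_role_arn: str, region: str) -> dict:
    """Statement for the CMK's key policy: reading the secret also means decrypting it.
    kms:ViaService limits the grant to calls made through Secrets Manager in this region."""
    return {
        "Sid": "AllowConsumerRoleDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def _principals(stmt: dict) -> List[str]:
    """Normalise the Principal element to a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def overly_broad_statements(policy: dict) -> List[str]:
    """Sids of Allow statements granting to everyone ('*') or to an entire account (':root'),
    both wider than the single role this sharing needs."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(p == "*" or p.endswith(":root") for p in _principals(stmt)):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    import json
    policy = secret_resource_policy(SECRET_ARN, CONSUMER_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print(json.dumps(kms_key_policy_statement(CONSUMER_ROLE_ARN, REGION), indent=2))
    print("broad statements:", overly_broad_statements(policy))
```

With both policies in place, Account B's deploy role can resolve the secret by its full ARN (the fromSecretArn route mentioned in the question); the check is worth running on the policies in the repo, since granting to an account root silently extends read access to every principal in that account.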
I am trying to fetch pre-existing secrets from the aws-secretsmanager module on CDK, and from the documentation here, the suggestion is:
"If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application"
However, both methods demand the use of the ARN to fetch the secrets. I am not sure if it is a good idea to hardcode ARNs and check them into the git repo. Instead, is there a way to fetch the secrets just by using the name, since we already have the account details available in the profile for CDK?
At least until this current version (1.38.0), it's not possible. An alternative is to save the secret ARN in the SSM Parameter Store and use the SSM key in the code.
Putting full ARNs in CFN should not be a concern. Since you are creating these secrets ahead of time, their name, account, and region will be known. If you wish, however, you could still use the CFN pseudo parameters for partition, region, and account (AWS::Partition, AWS::Region, AWS::AccountId or the CDK equivalent).
I want to create an S3 bucket via CloudFormation template. I found there is a way to do it for an EC2 instance on this link.
Do we have a way to create an S3 bucket using an existing IAM role via CloudFormation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permissions part, to find out how to use an existing IAM role for creating a CloudFormation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using a CloudFormation template, there are 2 ways to do it:
CloudFormation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way.
Secondly (optional), you can choose an existing role to attach to the CF template. The CloudFormation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket, as can be seen in the attached screenshot.