From the CFN docs I can see that I can create an AWS::SSM::Parameter. I also see how I can create a KMS Master Key.
However, the Type property of AWS::SSM::Parameter on the doc page does not list the SecureString type.
Is there a way that I can do the following in a cloudformation template:
1) create KMS Key
2) use KMS key to encrypt a param
3) pull that param in User-Data for an EC2 instance
I will be running the CFN template from a Jenkins job with the value of the param in a Jenkins password parameter. I can also set "NoEcho": true on the template's parameter so it's not echoed in the CloudFormation console.
Support for this has been added so you no longer need to use a custom resource. You have to use a dynamic reference to a secure parameter.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
Using this feature you can add {{resolve:ssm-secure:parameter-name:version}} to your user data within a Fn::Join CF intrinsic.
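As an added example that is not part of the answer above: a complete template that creates the KMS key, an instance role allowed to read and decrypt exactly one parameter, and user data that pulls the SecureString at boot with `aws ssm get-parameter --with-decryption`. The parameter name, key alias and the path under /etc are assumptions. The parameter itself is written outside the template (for example by the Jenkins job with `aws ssm put-parameter --type SecureString --key-id alias/myapp-secrets`), since CloudFormation cannot create a SecureString. Two cautions a reviewer would raise about substituting `{{resolve:ssm-secure:...}}` into user data: CloudFormation documents a fixed list of resource properties that accept ssm-secure (RDS, Redshift and similar password properties), so check that list before relying on it for UserData; and anything substituted into user data at stack time is readable to any principal allowed to call `ec2:DescribeInstanceAttribute`, which is why this example decrypts on the instance instead.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original answer): KMS key, least-privilege
  instance role, and user data that decrypts an SSM SecureString at boot.
  Parameter name, alias and file paths are assumptions.

Parameters:
  ParameterName:
    Type: String
    Default: /myapp/db-password   # assumed; created outside this template
  ImageId:
    # Resolves the current Amazon Linux 2 AMI from the public SSM parameter.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  SecretsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for SSM SecureString parameters
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

  SecretsKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/myapp-secrets      # assumed alias used by put-parameter
      TargetKeyId: !Ref SecretsKey

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOneSecureParameter
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only this parameter, and only the key that protects it.
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${ParameterName}
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !GetAtt SecretsKey.Arn

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref InstanceProfile
      UserData:
        # Fn::Sub only expands ${...}; the shell's $(...) and $VAR are untouched.
        Fn::Base64: !Sub |
          #!/bin/bash -e
          # Fetch and decrypt at boot: the plaintext never lands in the
          # template, the stack events or the stored user data.
          DB_PASSWORD=$(aws ssm get-parameter --region ${AWS::Region} \
            --name "${ParameterName}" --with-decryption \
            --query Parameter.Value --output text)
          install -d -m 700 /etc/myapp
          (umask 077; printf 'DB_PASSWORD=%s\n' "$DB_PASSWORD" > /etc/myapp/db.env)
```

Deployment order matters: the key must exist before the Jenkins job writes the parameter, and the parameter must exist before the instance boots, so either keep the key in its own stack or run `put-parameter` between two stack updates. For a property that is on the documented ssm-secure list, the reference from the answer is written as `'{{resolve:ssm-secure:/myapp/db-password:1}}'`; pin the version so a later stack update does not silently pick up a changed value.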
As of April 2019 secure strings are not available as a parameter type in CloudFormation templates; however, the documentation states that CloudFormation will support the Parameter Store 'SecureString' type in a later release.
https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/
There seems to be a way to do this using a custom resource, in combination with a Lambda function.
In Terraform we can read the values from Vault (stored in AWS SSM as secure strings). However, with CDK we have to put it in SSM or Secrets Manager and read the value in CDK. Is there a way CDK can read from the Vault?
It should be possible using AWS Custom Resources. AWS CDK provides a way to create custom resources that respond to CloudFormation's CRUD events (https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html).
According to the AWS Custom Resource docs, "return values are defined by the custom resource provider, and are retrieved by calling Fn::GetAtt on the provider-defined attributes". So after creating a custom resource that returns your Hashicorp Vault key as an attribute, you can have another resource reference that value using Fn::GetAtt in CDK, and the value should not get publicly exposed in the CloudFormation template.
Another alternative could be to sync secret values between Hashicorp Vault and AWS SSM/SecretsManager.
We are in the process of migrating from API calls to Terraform to spin up resources/accesses/policies in AWS. I was a bit stuck in a place where I could not find an option to pass CallerReference to the Terraform resource aws_cloudfront_origin_access_identity.
We have this option using the API: https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCloudFrontOriginAccessIdentity.html
Do we have any custom options for passing the same in other ways?
If it's not directly supported by TF, you can always use local-exec with the AWS CLI to create your origin access identity.
How do I get the container ID from AWS CDK MediaStore?
It is being used as in the code below.
```typescript
const mediaStoreContainer = new mediastore.CfnContainer(this, 'mediaStoreContainer', {
  containerName: 'MediaStoreContainer',
  accessLoggingEnabled: true,
});
```
I've tried many ways, but I can't find it.
```typescript
mediaStoreContainer.getAtt(mediaStoreContainer.attrEndpoint)...
```
Please tell me how I can get it.
Unfortunately, any time you have to use a Cfn function in CDK, this indicates that that resource/service/thing is not fully hooked into the CDK libraries. These Cfn functions are simply basic parsers that output a JSON structure for the CloudFormation template. getAtt may not even be hooked into all the attributes available to a given item, and most of the time the Cfn versions of a construct can't even be passed to other constructs that would use them (such as having a Role created and passing that role to a Lambda to use).
getAtt just mimics the YAML intrinsic function !GetAtt and so can only retrieve what is available from the CloudFormation entry for that resource.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-mediastore-container.html - this page indicates it's just Endpoint. I believe all you need to use is `endpoint = mediaStoreContainer.getAtt("Endpoint")`.
I am planning to use AWS Parameter Store to store config for one of the projects I am working on. We are using CloudFormation (or CDK) to deploy all the components. That includes Parameter Store as well.
I have some config which has passwords and other sensitive fields which I can't put in version control. How do I handle this scenario?
I would use AWS Secrets Manager to generate the secrets randomly.
```yaml
# This is a Secret resource with a randomly generated password in its SecretString JSON.
MyRDSInstanceRotationSecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: 'This is my rds instance secret'
    GenerateSecretString:
      SecretStringTemplate: '{"username": "admin"}'
      GenerateStringKey: 'password'
      PasswordLength: 16
      ExcludeCharacters: '"#/\'
    Tags:
      - Key: AppName
        Value: MyApp
```
And I would further export the same into AWS Parameter Store using an attached policy, and later on access them using a static or dynamic reference.
The best would be to take your secrets management out of Cloudformation as suggested by #jordanm.
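An added example, not from any of the answers above, showing the generated secret consumed end to end: the password never appears in the template or in version control, and what is written to Parameter Store is the secret's ARN rather than its value. The secret name, parameter name and RDS settings are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original answers): generate the master password
  in Secrets Manager and hand it to RDS with a secretsmanager dynamic reference.
  Secret name, parameter name and DB settings are assumptions.

Resources:
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: myapp/db                     # assumed name
      Description: Generated RDS master credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # RDS rejects these characters in master passwords; exclude them up front.
        ExcludeCharacters: '"@/\'

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      StorageEncrypted: true
      # CloudFormation resolves these at create/update time and does not
      # store the plaintext in the template, parameters or stack events.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  # Writes host, port, engine and dbname into the secret's JSON so rotation
  # functions and clients get a complete connection record.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # What goes into Parameter Store is a pointer, never the secret value:
  # the application reads this ARN and calls GetSecretValue at runtime
  # with a role scoped to that one secret.
  DbSecretArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /myapp/db-secret-arn          # assumed parameter name
      Type: String
      Value: !Ref DbSecret                # Ref on a Secret returns its ARN
```

The only thing a reader of the repository or of the rendered template can learn is where the secret lives; anyone who needs the value must be granted `secretsmanager:GetSecretValue` on that ARN, which keeps the access path auditable in CloudTrail.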
Take a look at AWS Secrets Manager for this use case. If you are implementing your solution in Java, see this GitHub URL:
https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/javav2/example_code/secretsmanager
Provisioning the SecureString parameter type is not possible in CloudFormation:
AWS CloudFormation doesn't support creating a SecureString parameter type
See the following link: This
But you can reference it securely using dynamic references, which provide a compact, powerful way for you to specify external values that are stored and managed in other services, such as the Systems Manager Parameter Store, in your stack template.
Use the ssm-secure dynamic reference pattern to specify AWS Systems Manager SecureString type parameters in your templates. For ssm-secure dynamic references, AWS CloudFormation never stores the actual parameter value. AWS CloudFormation accesses the parameter value during create and update operations for stacks and change sets.
Check the following link: This
I am trying to fetch pre-existing secrets from the aws-secretsmanager module in CDK, and from the documentation here, the suggestion is
If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application
However, both methods demand the use of the ARN to fetch the secrets. I am not sure if it is a good idea to hardcode ARNs and check them into the git repo. Instead, is there a way to fetch the secrets by just using the name, since we already have the account details available in the profile for CDK?
At least up to the current version (1.38.0), it's not possible. An alternative is to save the secret ARN in the SSM Parameter Store and use the SSM key in the code.
Putting full ARNs in CFN should not be a concern. Since you are creating these secrets ahead of time, their name, account, and region will be known. If you wish, however, you could still use the CFN pseudo parameters for partition, region, and account (AWS::Partition, AWS::Region, AWS::AccountId, or the CDK equivalent).