CDK and automation of inserting secure string parameters into ssm parameter store?

Question

So I found out that you can't use CloudFormation to insert a parameter that needs to be secured with a KMS Key into Secure Parameter Store. Obviously, you can use the cli, but that has huge drawbacks when it comes to doing multiple insert secure parameters within a pipeline because if one fails in the middle, the other ones to revert back as it would if it was done via CDK and Cloudformation.

So the question is, how have others incorporated this type of functionality in a CI/CD pipeline? Manually go to each environment and put it into a Secure Parameter Store?

Answer 1

I created an npm package to do this in CDK https://github.com/HarshRohila/cdk-secure-parameter-store

This uses Lambda backed Custom Resource

How does this work?

The cloudformation is not having an API to create a secure parameter store but AWS SDK does. So the idea is to use CloudFormation Custom Resource to which we can attach a lambda, that lambda is called whenever CustomResource is created/updated/deleted and the lambda can use AWS SDK to create and delete parameter store

More discussion about this issue here

Answer 2

This is a limitation. The CDK docs recommend using AWS SecretsManager as an alternative. If you are restricted to using SSM, then I think you would have to use the SDK or CLI.

Relevant links:

https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm-readme.html

Answer 3

As of July 2022 there's a new SDK client library that allows, amongst other things, the creation of secure strings from CDK. Example:

new secretsmanager().createSecret({
  Name: 'PASSWORD',
  SecretString: this.cluster.password,
});

References: https://github.com/aws/aws-cdk/pull/21091, https://github.com/aws/aws-cdk/pull/18180