Last active
August 25, 2022 18:35
-
-
Save christopherhan/7c4eab23966ed575eb3ae15bd8a0a189 to your computer and use it in GitHub Desktop.
Custom Lambda-backed CloudFormation resource to create a SecureString in ParameterStore
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: "2010-09-09" | |
| Description: Put a SecureString parameter in SSM Parameter Store | |
| Parameters: | |
| KmsKeyId: | |
| Type: String | |
| Description: The KMS Key you want to use to encrypt the string. | |
| SSMParameterKey: | |
| Type: String | |
| Description: The Parameter Store Key | |
| SSMParameterValue: | |
| Type: String | |
| Description: The Parameter Store Value | |
| NoEcho: true | |
| Resources: | |
| PutSecureString: | |
| Type: Custom::PutSecureString | |
| DependsOn: LambdaFunction | |
| Properties: | |
| ServiceToken: !GetAtt ["LambdaFunction", "Arn"] | |
| LambdaRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: ["lambda.amazonaws.com"] | |
| Action: ["sts:AssumeRole"] | |
| Path: / | |
| Policies: | |
| - PolicyName: put-secure-string | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: ['ssm:PutParameter'] | |
| Resource: '*' | |
| LambdaFunction: | |
| Type: AWS::Lambda::Function | |
| Properties: | |
| Description: Create a SSM Secure String Parameter | |
| FunctionName: !Join ["-", [ !Ref 'AWS::StackName', "PutSecureString"] ] | |
| Role: !GetAtt LambdaRole.Arn | |
| Timeout: 10 | |
| Handler: index.lambda_handler | |
| Runtime: python2.7 | |
| Code: | |
| ZipFile: | | |
| import boto3 | |
| import json | |
| import cfnresponse | |
| def lambda_handler(event, context): | |
| # There is nothing to do for a delete request | |
| if event['RequestType'] == 'Delete': | |
| cfnresponse.send(event, context, cfnresponse.SUCCESS, response) | |
| # Get the values of the parameter we passed in | |
| parameter_key = event['ResourceProperties']['ParameterKey'] | |
| parameter_value = event['ResourceProperties']['ParameterValue'] | |
| kms_key_id = event['ResourceProperties']['KmsKeyId'] | |
| response = { | |
| 'StackId': event['StackId'], | |
| 'RequestId': event['RequestId'], | |
| 'LogicalResourceId': event['LogicalResourceId'], | |
| 'Status': 'SUCCESS', | |
| 'Data': {} | |
| } | |
| try: | |
| client = boto3.client('ssm') | |
| ssm_response = client.put_parameter( | |
| Name=parameter_key, | |
| Description='MongoDB Password', | |
| Value=parameter_value, | |
| Type='SecureString', | |
| KeyId=kms_key_id, | |
| Overwrite=True | |
| ) | |
| except: | |
| response['Status'] = 'FAILED' | |
| response['Reason'] = 'Error putting parameter' | |
| cfnresponse.send(event, content, cfnresponse.FAILED, response) | |
| if not 'Version' in ssm_response: | |
| response['Status'] = 'FAILED' | |
| response['Reason'] = 'Could not put SecureString parameter' | |
| cfnresponse.send(event, content, cfnresponse.FAILED, response) | |
| response['Version'] = ssm_response['Version'] | |
| response['ParameterKey'] = parameter_key | |
| cfnresponse.send(event, context, cfnresponse.FAILED, response) | |
| Outputs: | |
| ParameterVersion: | |
| Description: The parameter version | |
| Value: !GetAtt PutSecureString.Version | |
| ParameterKey: | |
| Description: The parameter Key | |
| Value: !GetAtt PutSecureString.ParameterKey |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment