awslabs / aws-cloudformation-controller-for-flux

AWS CloudFormation template sync controller for Flux
MIT No Attribution

Add support for storing stack outputs in a ConfigMap #10

Open clareliguori opened 1 year ago

clareliguori commented 1 year ago

CloudFormation stack outputs can be useful for returning generated information like VPC IDs, RDS database connection URLs, etc that might be needed by applications running in the Kubernetes cluster. Add support for retrieving stack outputs for the CFN stacks provisioned by the CFN controller and saving them as a Kubernetes ConfigMap.

Examples from other projects:

mikestef9 commented 1 year ago

Another useful feature would be native support for exporting outputs to ParameterStore and SecretsManager. I see a common workflow for using this controller to be in a management cluster, separate from a cluster where the application might be running. In that case, you need a config store living outside any one cluster.

clareliguori commented 1 year ago

Another useful feature would be native support for exporting outputs to ParameterStore and SecretsManager. I see a common workflow for using this controller to be in a management cluster, separate from a cluster where the application might be running. In that case, you need a config store living outside any one cluster.

This might be more natural to do inside the CloudFormation template, rather than in the CFN controller. For example, this shows a template that creates a Redshift cluster and stores the cluster credentials in Secrets Manager: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#aws-resource-secretsmanager-secrettargetattachment--examples--Creating_a_Redshift_cluster

mikestef9 commented 1 year ago

Yeah, that actually makes a lot more sense than doing it in the controller.

artem-nefedov commented 7 months ago

Makes sense to also support outputs to a Secret, and possibly make it the default (as tf-controller and Crossplane do), since outputs can contain sensitive info.

clareliguori commented 7 months ago

Outputs generally should not contain sensitive info, as they are not redacted at all in CloudFormation's APIs or console.

See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html

CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.
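The pattern the thread settles on, written out as an added example (this is not code from the issue, the linked docs page, or the controller project): the generated credential lives only in Secrets Manager and is attached to the database from inside the template, while the Outputs section, which the controller would copy into a ConfigMap, carries only identifiers. Resource names, the Redshift sizing properties and the database name are assumed values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - keep the secret in Secrets Manager, output only its ARN

Resources:
  # The generated password never appears in Parameters, Outputs or the template body
  RedshiftSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Redshift admin credentials (example)
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: '"@/\'

  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: single-node          # assumed sizing
      NodeType: dc2.large               # assumed sizing
      DBName: exampledb                 # assumed name
      # Dynamic references are resolved at deploy time; the resolved value is not
      # stored in the processed template and never reaches the Outputs section
      MasterUsername: !Sub '{{resolve:secretsmanager:${RedshiftSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${RedshiftSecret}:SecretString:password}}'

  # Adds host, port, dbname and engine to the secret so consumers read one object
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref RedshiftSecret
      TargetId: !Ref RedshiftCluster
      TargetType: AWS::Redshift::Cluster

Outputs:
  # Safe to land in a ConfigMap: identifiers only. The password is deliberately
  # absent, since CloudFormation shows Outputs in plain text in its API and console.
  SecretArn:
    Description: ARN the application reads the credentials from (Ref returns the ARN)
    Value: !Ref RedshiftSecret
  ClusterEndpoint:
    Description: Redshift endpoint address
    Value: !GetAtt RedshiftCluster.Endpoint.Address
```

An application in the cluster then reads `SecretArn` from the ConfigMap and fetches the credential from Secrets Manager with its own IAM identity, so access to the secret is governed by IAM rather than by whoever can read the ConfigMap.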