Open clareliguori opened 1 year ago
Another useful feature would be native support for exporting outputs to ParameterStore and SecretsManager. I see a common workflow for using this controller to be in a management cluster, separate from a cluster where the application might be running. In that case, you need a config store living outside any one cluster.
This might be more natural to do inside the CloudFormation template, rather than in the CFN controller. For example, this shows a template that creates a Redshift cluster and stores the cluster credentials in Secrets Manager: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#aws-resource-secretsmanager-secrettargetattachment--examples--Creating_a_Redshift_cluster
Ya that actually makes a lot more sense than doing it in the controller.
Makes sense to also support outputs to Secret, and possibly make it default (as tf-controller and Crossplane do), since outputs can contain sensitive info.
Outputs generally should not contain sensitive info, as they are not redacted at all in CloudFormation's APIs or console.
See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html
> CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.
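
A pre-deploy check for the point made in the comment above, as an added example that is not part of this thread or the controller's code: it flags stack outputs that reference a `NoEcho` parameter (`NoEcho` does not mask values placed in Outputs) or whose name looks like a credential. The sample template, the function names and the name heuristic are assumptions.

```python
import re

# Constructed sample template, not taken from the issue thread.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DbPassword": {"Type": "String", "NoEcho": True},
        "DbName": {"Type": "String"},
    },
    "Outputs": {
        "VpcId": {"Value": {"Ref": "Vpc"}},
        "DbUrl": {"Value": {"Fn::Sub":
            "postgres://app:${DbPassword}@${Db.Endpoint.Address}/${DbName}"}},
        "Joined": {"Value": {"Fn::Join": [":", ["app", {"Ref": "DbPassword"}]]}},
        "AdminToken": {"Value": {"Fn::GetAtt": ["Api", "Key"]}},
    },
}

SENSITIVE_NAME = re.compile(r"password|secret|token", re.I)  # heuristic (assumption)
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)\}")  # ${Name}; skips ${!Literal}, ${Res.Attr}

def referenced_names(node):
    """Yield names reached through Ref or Fn::Sub anywhere inside an output value."""
    if isinstance(node, list):
        for item in node:
            yield from referenced_names(item)
    elif isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                yield val
            elif key == "Fn::Sub":
                text, extra = (val[0], val[1:]) if isinstance(val, list) else (val, [])
                yield from SUB_VAR.findall(text)
                yield from referenced_names(extra)  # variable map of the list form
            else:
                yield from referenced_names(val)

def find_sensitive_outputs(template):
    """Return (output name, reason) pairs for outputs likely to expose a secret."""
    no_echo = {name for name, spec in template.get("Parameters", {}).items()
               if str(spec.get("NoEcho", "")).lower() == "true"}
    findings = []
    for name, output in template.get("Outputs", {}).items():
        for ref in sorted(set(referenced_names(output.get("Value"))) & no_echo):
            findings.append((name, f"references NoEcho parameter {ref}"))
        if SENSITIVE_NAME.search(name):
            findings.append((name, "output name suggests a credential"))
    return findings

if __name__ == "__main__":
    for name, reason in find_sensitive_outputs(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Outputs it flags are the ones that would land in plain text in a ConfigMap if the controller copied stack outputs there.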
CloudFormation stack outputs can be useful for returning generated information like VPC IDs, RDS database connection URLs, etc. that might be needed by applications running in the Kubernetes cluster. Add support for retrieving stack outputs for the CFN stacks provisioned by the CFN controller and saving them as a Kubernetes ConfigMap.
Examples from other projects: