awslabs / aws-cloudformation-controller-for-flux

AWS CloudFormation template sync controller for Flux
MIT No Attribution

Add support for stack parameters from ConfigMaps #4

Open clareliguori opened 1 year ago

clareliguori commented 1 year ago

Enable users to add parameters to their CFN templates, then provide parameter values in the spec for the CloudFormationStack object from Kubernetes ConfigMaps.

artem-nefedov commented 9 months ago

Inputs from Secrets should probably be supported as well, considering that sensitive data should never be stored in any k8s object besides Secret.

clareliguori commented 9 months ago

Generally CloudFormation parameter values should not be sensitive data. As a best practice, CloudFormation recommends using dynamic parameters that pull sensitive values directly from Secrets Manager or Systems Manager Parameter Store, to reduce the likelihood that this sensitive info will be accidentally exposed (for example, forgetting to set the NoEcho flag on a parameter in your template). https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

With the AWS provider for the Secrets Store CSI Driver, you can store a sensitive value in Secrets Manager and then have it available to both your Kubernetes cluster as a Secret object and also to your CloudFormation template. https://github.com/aws/secrets-store-csi-driver-provider-aws
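
The NoEcho pitfall and the dynamic-reference alternative raised in the last comment, as an added example that is not part of the thread or the project's code: a small check over a JSON template. The name-matching heuristic, the sample template and the secret name `example/db` are constructed assumptions.

```python
import json
import re

# Name fragments treated as "probably sensitive" (a heuristic assumed for this example).
SENSITIVE_HINT = re.compile(r"(password|secret|token|apikey|api_key)", re.IGNORECASE)
# CloudFormation dynamic references that resolve secret values at deploy time.
DYNAMIC_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure):[^}]+\}\}")

# Constructed sample template: one value passed as a plain parameter,
# one pulled from Secrets Manager through a dynamic reference.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "DbPassword": {"Type": "String"},
    "AdminToken": {"Type": "String", "NoEcho": true},
    "InstanceClass": {"Type": "String", "Default": "db.t3.micro"}
  },
  "Resources": {
    "ParamDb": {"Type": "AWS::RDS::DBInstance",
                "Properties": {"MasterUserPassword": {"Ref": "DbPassword"}}},
    "RefDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"MasterUserPassword":
                "{{resolve:secretsmanager:example/db:SecretString:password}}"}}
  }
}
""")

def risky_parameters(template):
    """Return names of sensitive-looking parameters that do not set NoEcho."""
    risky = []
    for name, spec in template.get("Parameters", {}).items():
        # NoEcho may be a JSON boolean or the string "true".
        no_echo = str(spec.get("NoEcho", "false")).lower() == "true"
        if SENSITIVE_HINT.search(name) and not no_echo:
            risky.append(name)
    return sorted(risky)

def dynamic_references(node):
    """Collect every secret dynamic reference found in string values."""
    if isinstance(node, str):
        return [m.group(0) for m in DYNAMIC_REF.finditer(node)]
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return [ref for item in node for ref in dynamic_references(item)]
    return []

if __name__ == "__main__":
    print("parameters missing NoEcho:", risky_parameters(SAMPLE_TEMPLATE))
    print("dynamic references:", dynamic_references(SAMPLE_TEMPLATE["Resources"]))
```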