Open clareliguori opened 1 year ago
Inputs from Secrets should probably be supported as well, considering that sensitive data should never be stored in any k8s object besides Secret.
Generally CloudFormation parameter values should not be sensitive data. As a best practice, CloudFormation recommends using dynamic parameters that pull sensitive values directly from Secrets Manager or Systems Manager Parameter Store, to reduce the likelihood that this sensitive info will be accidentally exposed (for example, forgetting to set the NoEcho flag on a parameter in your template). https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
With the AWS provider for the Secrets Store CSI Driver, you can store a sensitive value in Secrets Manager and then have it available to both your Kubernetes cluster as a Secret object and also to your CloudFormation template. https://github.com/aws/secrets-store-csi-driver-provider-aws
Enable users to add parameters to their CFN templates, then provide parameter values in the spec for the CloudFormationStack object from Kubernetes ConfigMaps.
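The recommendation in the comments above (dynamic references rather than sensitive parameter values, and the risk of a forgotten NoEcho flag) can be checked before a template is deployed. The following is an added example, not code from this issue or from the project; the sample template, the name-based heuristic and the function names are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample template (JSON form), not taken from the issue.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "DbPassword":   {"Type": "String"},
    "ApiToken":     {"Type": "String", "NoEcho": true},
    "InstanceSize": {"Type": "String", "Default": "db.t3.micro"}
  },
  "Resources": {
    "Db": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "{{resolve:secretsmanager:example/db:SecretString:username}}",
        "MasterUserPassword": {"Ref": "DbPassword"},
        "DBInstanceClass": {"Ref": "InstanceSize"}
      }
    }
  }
}
""")

# Assumption: parameter names matching this pattern probably carry secrets.
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
# Dynamic reference forms documented by CloudFormation.
DYNAMIC_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure|ssm):[^}]+\}\}")


def audit_parameters(template):
    """Map each sensitive-looking parameter to 'missing-noecho' or 'noecho-set'.

    Both results are findings: NoEcho only masks the value in console and API
    output, so a dynamic reference is still the preferred fix.
    """
    findings = {}
    for name, spec in template.get("Parameters", {}).items():
        if SENSITIVE_NAME.search(name):
            # JSON templates may write NoEcho as true or as the string "true".
            masked = str(spec.get("NoEcho", "")).lower() == "true"
            findings[name] = "noecho-set" if masked else "missing-noecho"
    return findings


def dynamic_references(node):
    """Recursively collect every {{resolve:...}} string in the template."""
    if isinstance(node, str):
        return [m.group(0) for m in DYNAMIC_REF.finditer(node)]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    return [ref for child in children for ref in dynamic_references(child)]
```

On the sample, `DbPassword` is reported as `missing-noecho` and `ApiToken` as `noecho-set`, while the username is already resolved through a Secrets Manager dynamic reference and never appears as a parameter value.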