Closed udondan closed 4 years ago
Besides the Typescript code, this would mean publishing packages to Maven, PyPI, NuGet and NPM. So it would involve quite some work on your end, if it ends in here. 🙂
The more I think about it... I think it actually makes more sense in a separate repo. It needs its own tests, build pipeline, package pushing etc...
A Custom provider is basically a lambda, so I am not quite sure what porting to CDK would entail. Can you enlighten me a bit?
Sounds like a lot of duplication. Would it not be handier if I published the provider into the AWS Serverless Application Repository?
Cheers, Mark
On Sat, 14 Dec 2019, 21:04 Daniel Schroeder, notifications@github.com wrote:
Closed #30 https://github.com/binxio/cfn-secret-provider/issues/30.
Hi Mark,
I don't mean to replace the lambda. Just porting the contents of the cloudformation directory to CDK.
I don't know how the serverless repo can help. I have no experience with the serverless framework. So I really don't know. :) For now I'll just use the lambda zip from your public bucket.
Thanks, Daniel
Hey Mark,
My CDK implementation is now located here: https://github.com/udondan/cdk-secrets with packages for NodeJS, Python and .Net.
Here is an example of how to create an RSA key and a key pair.
Needs some automated testing. The DSA key somehow is not working, RSA and all the other custom resources do. So it needs a little more love but generally is working. :-)
Cheers, Daniel
If anyone else stumbles upon this issue looking for a CDK implementation, it is fairly easy to do:
```kotlin
// CDK v1 Java bindings, used from Kotlin. Imports added to make the snippet
// self-contained; the poster's original assumed vpc, envName, region and account
// from the surrounding stack, so here they come from the constructor and from
// the Stack base class (region/account resolve to tokens at synth time).
import software.amazon.awscdk.core.CfnResource
import software.amazon.awscdk.core.Construct
import software.amazon.awscdk.core.Duration
import software.amazon.awscdk.core.NestedStack
import software.amazon.awscdk.services.ec2.IVpc
import software.amazon.awscdk.services.iam.Effect
import software.amazon.awscdk.services.iam.PolicyStatement
import software.amazon.awscdk.services.lambda.Code
import software.amazon.awscdk.services.lambda.Function
import software.amazon.awscdk.services.lambda.Runtime
import software.amazon.awscdk.services.s3.Bucket

// Deployed as a nested stack, as the poster describes below.
class SecretProviderStack(scope: Construct, id: String, envName: String, vpc: IVpc) : NestedStack(scope, id) {
    init {
        // Binxio publishes the provider zip in a per-region public bucket
        val bucket = Bucket.fromBucketName(this, "BinxioPublicBucket", "binxio-public-$region")
        val privateKeyParameterName = "/$envName/jwt/private.key"

        // Least privilege: the provider Lambda may only read/write/delete the one
        // Parameter Store entry it manages, not every parameter in the account
        val lambdaPolicyStatement = PolicyStatement.Builder.create()
            .effect(Effect.ALLOW)
            .actions(listOf("ssm:PutParameter", "ssm:GetParameter", "ssm:DeleteParameter"))
            .resources(listOf("arn:aws:ssm:$region:$account:parameter$privateKeyParameterName"))
            .build()

        // The cfn-secret-provider Lambda itself, loaded from the public bucket
        val function = Function.Builder.create(this, "BinxioSecretProviderLambda")
            .code(Code.fromBucket(bucket, "lambdas/cfn-secret-provider-1.1.1.zip"))
            .handler("secrets.handler")
            .runtime(Runtime.PYTHON_3_7)
            .timeout(Duration.seconds(5))
            .initialPolicy(listOf(lambdaPolicyStatement))
            .vpc(vpc)
            .build()

        // Custom resource: asks the provider to generate an RSA key and store the
        // private half under privateKeyParameterName
        val jwtPrivateKey = CfnResource.Builder.create(this, "JwtPrivateKey")
            .type("Custom::RSAKey")
            .properties(
                mapOf(
                    "Name" to privateKeyParameterName,
                    "ServiceToken" to function.functionArn
                )
            )
            .build()

        // The public key is returned as an attribute and published as a plain
        // String parameter (it is not secret)
        val publicKeyRef = jwtPrivateKey.getAtt("PublicKey")
        CfnResource.Builder.create(this, "JwtPublicKey")
            .type("AWS::SSM::Parameter")
            .properties(
                mapOf(
                    "Name" to "/$envName/jwt/public.key",
                    "Type" to "String",
                    "Value" to publicKeyRef
                )
            )
            .build()
    }
}
```
Kotlin code, but should be fairly easy to translate.
Deploys this Lambda as a nested stack.
Speaking of fairly easy 🙂
I'm currently working on porting this to AWS CDK. I'm writing this in Typescript.
Would you be interested in having this in this repo or should I keep it separate? I'm fine with both options, but think it makes more sense if everything is kept together.
On the other hand I don't know how comfortable you are with having Typescript and CDK code in here.