cloudcomponents / cdk-constructs

A collection of higher-level reusable cdk constructs
MIT License

Stripe Webhook does not work with secrets vended by SecretsManager #84

Closed Stvad closed 3 years ago

Stvad commented 3 years ago

What I'm trying to do:

```typescript
...
const secretKey = SecretValue.secretsManager(stripeKeySecretName);
...

new StripeWebhook(this, 'StripeWebhook', {
  secretKey: secretKey.toString(),
  url: api.url,
  events,
  logLevel: 'debug',
});
```

That is, to read the Stripe secret key value from Secrets Manager instead of providing it in code, which is problematic.
I get the following error when trying to deploy this:

```text
6:44:59 PM | CREATE_FAILED        | Custom::StripeWebhook       | StripeWebhookCustomResource8D1A2FEA
Failed to create resource. Invalid API Key provided: {{resolv********************************************************
*************************************************::}}
```

Expected outcome:

The key can be resolved from secrets manager.


Ideally I think this interface would actually accept the SecretValue instead of a string (and you can build that either directly from text or from SecretsManager/SSM/etc.).

hupe1980 commented 3 years ago

It's been on my to-do list for a long time. But unfortunately CloudFormation doesn't support that yet:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

> Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

One possible solution would be to pass the ARN as a parameter and read the secret in the lambda.
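The handler side of that workaround, as an added example that is not code from cloudcomponents/cdk-constructs: the custom resource receives only the secret's ARN and reads the value at runtime, and it refuses a plaintext `secretKey` that is actually an unresolved `{{resolve:...}}` reference so the failure is reported before anything is sent to Stripe. `SecretReader` and the property names `secretKeyArn`/`secretKey` are assumptions; a real handler would back the reader with the AWS SDK's GetSecretValue, and the CDK stack would grant the function read access to that one secret.

```typescript
// Assumed abstraction over Secrets Manager; in the real Lambda this wraps GetSecretValue.
interface SecretReader {
  getSecretString(secretId: string): Promise<string>;
}

// Assumed property shape for the custom resource (names are hypothetical).
interface ResourceProperties {
  secretKeyArn?: string; // preferred: ARN of the Secrets Manager secret holding the Stripe key
  secretKey?: string;    // legacy: plaintext key passed through CloudFormation
  url: string;
  events: string[];
}

// CloudFormation leaves secure dynamic references such as
// {{resolve:secretsmanager:...}} unresolved in custom resource properties.
// Detect that case so the handler fails with a clear message instead of
// forwarding the literal placeholder to Stripe as an API key.
function isUnresolvedDynamicReference(value: string): boolean {
  return /^\{\{resolve:(secretsmanager|ssm-secure):/.test(value);
}

// Resolve the Stripe secret key: read it from Secrets Manager when an ARN is
// given, otherwise accept a plaintext key only if it is not a placeholder.
async function resolveStripeSecretKey(
  props: ResourceProperties,
  reader: SecretReader,
): Promise<string> {
  if (props.secretKeyArn) {
    const key = await reader.getSecretString(props.secretKeyArn);
    if (!key) {
      throw new Error(`Secret ${props.secretKeyArn} is empty`);
    }
    return key;
  }
  if (props.secretKey) {
    if (isUnresolvedDynamicReference(props.secretKey)) {
      throw new Error(
        'secretKey is an unresolved CloudFormation dynamic reference; pass secretKeyArn instead',
      );
    }
    return props.secretKey;
  }
  throw new Error('Either secretKeyArn or secretKey must be provided');
}
```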

Stvad commented 3 years ago

> One possible solution would be pass the ARN as a parameter and read the secret in the lambda

I think that'd be the best approach given current limitations.

A very basic level of support could be just resolving the secret into env variables in the lambda (which is not ideal, but cfn-supported).