CustomResources: Allow usage across accounts #180

Closed
1 of 2 tasks
pgarbe opened this issue Jun 10, 2020 · 2 comments
Labels
effort/small Minimal effort required for implementation status/stale The RFC did not get any significant enough progress or tracking and has become stale.

Comments


pgarbe commented Jun 10, 2020

Allow CustomResources to be used across accounts. This needs an additional SNS topic as it makes it easier to set up permissions correctly. Also, the message from the SNS topic must be unwrapped in order to work with the existing CustomResource provider.

Use Case

My use-case is to provide CloudFormation custom resources for external SaaS solutions. I know that there are also custom types, but it still leaves the problem of how to handle secrets (like API keys) properly. The setup I have in mind is to have the custom resource provider in a single account which also knows the secrets. Other accounts in the organization should be allowed to create custom resources in their own stacks using the provider in the shared account.

Another use-case might be the Route 53 example described here

Proposed Solution

  • Adding an SNS topic in front of the CustomResourceProvider lambda
  • Change the existing CustomResourceProvider lambda to also handle messages from SNS (or introduce another lambda to unwrap the message)
  • Make it optional, as the serviceToken changes

Other

Similar solution with plain cfn:
https://aws.amazon.com/blogs/mt/multi-account-strategy-using-aws-cloudformation-custom-resources-to-create-amazon-route-53-resources-in-another-account/

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
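The unwrapping step proposed in the issue above, as an added example that is not part of the original issue and is not aws-cdk code. The function name, the `ALLOWED_ACCOUNTS` allow-list and all sample values are assumptions constructed for illustration; the allow-list is a second check in the handler, and the SNS topic policy still decides who may publish.

```javascript
// Added example, not aws-cdk code. Account IDs below are constructed.
const ALLOWED_ACCOUNTS = new Set(['111111111111', '222222222222']);
const REQUIRED_FIELDS = [
  'RequestType', 'ResponseURL', 'StackId', 'RequestId', 'ResourceType', 'LogicalResourceId',
];

// Accepts either a direct CloudFormation invocation or an SNS delivery and
// returns the CloudFormation custom resource request in both cases.
function unwrapCustomResourceEvent(event) {
  let request = event;
  if (Array.isArray(event.Records)) {
    // This sketch handles one SNS notification per invocation.
    if (event.Records.length !== 1 || event.Records[0].EventSource !== 'aws:sns') {
      throw new Error('Unsupported event source');
    }
    // The custom resource request arrives as a JSON string in Sns.Message.
    request = JSON.parse(event.Records[0].Sns.Message);
  }
  for (const field of REQUIRED_FIELDS) {
    if (typeof request[field] !== 'string' || request[field] === '') {
      throw new Error(`Missing field: ${field}`);
    }
  }
  if (!['Create', 'Update', 'Delete'].includes(request.RequestType)) {
    throw new Error(`Unknown RequestType: ${request.RequestType}`);
  }
  // StackId has the form arn:aws:cloudformation:<region>:<account>:stack/<name>/<id>
  const account = request.StackId.split(':')[4];
  if (!ALLOWED_ACCOUNTS.has(account)) {
    throw new Error(`Account not allowed: ${account}`);
  }
  return request;
}

// Constructed sample request and the same request wrapped in an SNS event.
const sampleRequest = {
  RequestType: 'Create',
  ResponseURL: 'https://example.invalid/presigned',
  StackId: 'arn:aws:cloudformation:eu-west-1:111111111111:stack/demo/00000000-0000-0000-0000-000000000000',
  RequestId: 'req-1',
  ResourceType: 'Custom::SaasThing',
  LogicalResourceId: 'Thing',
  ResourceProperties: { Name: 'demo' },
};
const sampleSnsEvent = {
  Records: [{ EventSource: 'aws:sns', Sns: { Type: 'Notification', Message: JSON.stringify(sampleRequest) } }],
};
```

The existing provider logic can then run on the returned object unchanged, whichever way the Lambda was invoked.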

Contributor

eladb commented Jun 22, 2020

@pgarbe thanks for the proposal. I am transferring this issue to the RFC repo. Please consider submitting an RFC for this as it requires a bit of design work.

@eladb eladb transferred this issue from aws/aws-cdk Jun 22, 2020
@eladb eladb added effort/small Minimal effort required for implementation status/proposed Newly proposed RFC labels Jun 22, 2020
@eladb eladb removed their assignment Feb 25, 2021
Contributor

mrgrain commented Oct 27, 2023

Marking this RFC as stale since there has been little recent activity and it is not currently close to getting accepted as-is. We appreciate the effort that has gone into this proposal. Marking an RFC as stale is not a one-way door. If you have made substantial changes to the proposal, please open a new issue/RFC. You might also consider raising a PR to aws/aws-cdk directly or self-publishing to Construct Hub.

@mrgrain mrgrain closed this as not planned Oct 27, 2023
@mrgrain mrgrain added status/stale The RFC did not get any significant enough progress or tracking and has become stale. and removed status/proposed Newly proposed RFC labels Oct 27, 2023