[custom-resources] Allow passing a Secret value as a parameter to `AwsCustomResource`

[blimmer]

It would be convenient to be able to pass a secret {{resolve}} token as a parameter to the AwsCustomResource class and have it resolved at runtime to the actual secret value.

Use Case

I created a custom resource that looked like this:

const systemUser = new cognito.CfnUserPoolUser(this, "CognitoSystemUser", {
  username: 'myUser',
  userPoolId: 'myUserPoolId',
});
const cognitoUserSecret = new secrets.Secret(this, "CognitoSystemUserSecret", {
  secretName: `auth/internal/MySystemUser`,
  generateSecretString: {
    secretStringTemplate: JSON.stringify({
      Username: user.username,
      UserPoolId: user.userPoolId,
      ClientId: 'myclientid',
    }),
    generateStringKey: "Password",
  },
});
const customResource = new cr.AwsCustomResource(this, "CognitoSystemUserPasswordSetter", {
  onCreate: {
    service: "CognitoIdentityServiceProvider",
    action: "adminSetUserPassword",
    parameters: {
      Username: systemUser.username,
      UserPoolId: systemUser.userPoolId,
      Password: cognitoUserSecret.secretValueFromJson("Password").toString(),
      Permanent: true,
    },
    physicalResourceId: cr.PhysicalResourceId.of(`${systemUser.username}-password-confirmation`),
  },
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      sid: "AllowSetPasswordForUser",
      effect: iam.Effect.ALLOW,
      actions: ["cognito-idp:AdminSetUserPassword"],
      resources: [
        cdk.Arn.format(
          {
            region: "us-west-2",
            service: "cognito-idp",
            resource: "userpool",
            sep: "/",
            resourceName: systemUser.userPoolId,
          },
          this,
        ),
      ],
    }),
  ]),
});
cognitoUserSecret.grantRead(customResource);

This almost works, but it does not actually resolve the password to its value in Secrets Manager. In my case, it set the actual password to the literal string {{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789:secret:auth/internal/MySystemUser-ABCDEF:SecretString:Password::}}.

Proposed Solution

It would be great if the custom resource code looked for {{resolve:secretsmanager}}-style references in the parameters passed to AwsCustomResource and resolved them to their underlying value.

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[jogold]

Indeed this is currently not supported in custom resources. This would require additional logic in the Lambda function implementing the AwsCustomResource.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

[rix0rrr]

That is disappointing. One would have hoped that CloudFormation did this automatically

[markussiebert]

if you see this in the context of eks, i think this would be a nice feature. Creating rds outside the ecs cluster with secrets from the secretsmanager and passing them to a helm chart ... it would be great if this would be supported!

[A-Mckinlay]

Is there any timeline for this being implemented?

[Dzhuneyt]

I have a similar use case where I want to pass a SecretValue not to a CustomResource, but to a Lambda as an Environment Variable.

I guess the principle is pretty much the same.

Pseudo-code to demonstrate:

const esDomain = new elasticsearch.Domain();

const lambda = new lambda.Function();
lambda.addEnvironment('elasticsearch_password', esDomain.masterUserPassword);

Right now this is not supported since masterUserPassword is of type cdk.SecretValue and the Lambda environment variables don't support (and resolve) such values.