binxio/cfn-secret-provider

CDK port

Closed this issue · 8 comments

I'm currently working on porting this to AWS CDK. I'm writing this in TypeScript.

Would you be interested in having this in this repo or should I keep it separate? I'm fine with both options, but think it makes more sense if everything is kept together.

On the other hand I don't know how comfortable you are with having TypeScript and CDK code in here.

Besides the TypeScript code, this would mean publishing packages to Maven, PyPI, NuGet and NPM. So it would involve quite some work on your end, if it ends up in here. 🙂

The more I think about it.... I think it actually makes more sense in a separate repo. It needs its own tests, build pipeline, package pushing etc...

A Custom provider is basically a lambda, so I am not quite sure what porting to CDK would entail. Can you enlighten me a bit?

Hi Mark,

I don't mean to replace the lambda. Just porting the contents of the cloudformation directory to CDK.

I don't know how the serverless repo can help. I have no experience with the serverless framework. So I really don't know. :) For now I'll just use the lambda zip from your public bucket.

Thanks,
Daniel

Hey Mark,

my CDK implementation now is located here: https://github.com/udondan/cdk-secrets with packages for NodeJS, Python and .Net.

Here is an example of how to create an RSA key and a key pair.

Needs some automated testing. The DSA key somehow is not working, RSA and all the other custom resources do. So it needs a little more love but generally is working. :-)

Cheers,
Daniel

If anyone else stumbles upon this issue looking for a CDK implementation, it is fairly easy to do:

    // CDK v1 imports (software.amazon.awscdk.*), assumed from the Builder API used below.
    import software.amazon.awscdk.core.CfnResource
    import software.amazon.awscdk.core.Construct
    import software.amazon.awscdk.core.Duration
    import software.amazon.awscdk.core.Stack
    import software.amazon.awscdk.core.StackProps
    import software.amazon.awscdk.services.ec2.IVpc
    import software.amazon.awscdk.services.iam.Effect
    import software.amazon.awscdk.services.iam.PolicyStatement
    import software.amazon.awscdk.services.lambda.Code
    import software.amazon.awscdk.services.lambda.Function
    import software.amazon.awscdk.services.lambda.Runtime
    import software.amazon.awscdk.services.s3.Bucket

    // envName and vpc were not defined in the original snippet; they are taken here as
    // constructor parameters. region and account come from the enclosing Stack.
    class SecretProviderStack(scope: Construct, id: String, props: StackProps?,
                              envName: String, vpc: IVpc) : Stack(scope, id, props) {
        init {
            // The provider's Lambda zip is published by binxio in a per-region public bucket.
            val bucket = Bucket.fromBucketName(this, "BinxioPublicBucket", "binxio-public-$region")

            val privateKeyParameterName = "/$envName/jwt/private.key"

            // Least privilege: the provider only needs SSM access to the one parameter it manages.
            // SSM parameter ARNs are "...:parameter" followed by the leading-slash name.
            val lambdaPolicyStatement = PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(listOf("ssm:PutParameter", "ssm:GetParameter", "ssm:DeleteParameter"))
                .resources(listOf("arn:aws:ssm:$region:$account:parameter$privateKeyParameterName"))
                .build()

            val function = Function.Builder.create(this, "BinxioSecretProviderLambda")
                .code(Code.fromBucket(bucket, "lambdas/cfn-secret-provider-1.1.1.zip"))
                .handler("secrets.handler")
                .runtime(Runtime.PYTHON_3_7)
                .timeout(Duration.seconds(5))
                .initialPolicy(listOf(lambdaPolicyStatement))
                .vpc(vpc)
                .build()

            // The custom resource asks the provider to generate the key; the private key is
            // written to SSM by the provider and never appears in the template.
            val jwtPrivateKey = CfnResource.Builder.create(this, "JwtPrivateKey")
                .type("Custom::RSAKey")
                .properties(
                    mapOf(
                        "Name" to privateKeyParameterName,
                        "ServiceToken" to function.functionArn
                    )
                )
                .build()

            // The public half is not sensitive, so it is published as a plain String parameter.
            val publicKeyRef = jwtPrivateKey.getAtt("PublicKey")

            CfnResource.Builder.create(this, "JwtPublicKey")
                .type("AWS::SSM::Parameter")
                .properties(
                    mapOf(
                        "Name" to "/$envName/jwt/public.key",
                        "Type" to "String",
                        "Value" to publicKeyRef
                    )
                )
                .build()
        }
    }

Kotlin code, but should be fairly easy to translate.

Deploys this Lambda as a nested stack.

Speaking of fairly easy 🙂

https://github.com/udondan/cdk-ec2-key-pair