CustomResources: Allow usage across accounts
pgarbe opened this issue · comments
Allow CustomResources to be used across accounts. This needs an additional SNS topic as it makes it easier to set up permissions correctly. Also, the message from SNS topic must be unwrapped in order to work with existing CustomResource provider.
Use Case
My use-case is to provide CloudFormation custom resources for external SaaS solutions. I know that there are also custom types, but it still leaves the problem how to handle secrets (like api keys) properly. The set up I have in mind is to have the custom resource provider in a single account which also knows the secrets. Other accounts in the organization should be allowed to create custom resources in their own stacks using the provider in the shared account.
Another use-case might be the Rout53 example described here
Proposed Solution
- Adding a SNS topic in front of the CustomResourceProvider lambda
- Change the existing CustomResourceProvider lambda to handle also messages from SNS (or introduce another lamba to unwrap the message)
- Make it optional, as the
serviceToken
changes
Other
Similar solution with plain cfn:
https://aws.amazon.com/blogs/mt/multi-account-strategy-using-aws-cloudformation-custom-resources-to-create-amazon-route-53-resources-in-another-account/
-
👋 I may be able to implement this feature request -
⚠️ This feature might incur a breaking change
This is a
@pgarbe thanks for the proposal. I am transferring this issue to the RFC repo. Please consider submitting an RFC for this as it requires a bit or design work.