Yep, that's what I use as well. It works, but I don't really love that I have to create an IAM role and a Lambda function just to create an encrypted secret.
Pre-built custom resources (like the one linked) are not all that common. The fact that there's one that exists for this particular situation I would ascribe more to luck than to a generous amount of public material.
Not being able to create a secure string parameter was the first problem I ran into with CloudFormation. That’s how I happened to know that a custom resource for it existed.
But, creating a custom resource is relatively easy. I’ve had to create a few for things that are really “custom” to our environment.
One issue that really seemed like an oversight is that you can't add an event subscription to an existing S3 bucket. I had to write a custom resource to do it.
CloudFormation supports the "NoEcho" option specifically to allow password-type parameters, which are not inspectable. How is that not a secure string parameter?
But then, how do you get the secret value from CF to parameter store? If you put the value of the parameter in your template, then it is stored unencrypted in your template that is probably in source control.
For that, I use a combination of NoEcho in CF and use that user entered value as a !Ref when creating the parameter store. Run the template manually one time and then you can have it default to the existing value.
But you need a custom resource to create a secure string type.
https://svdgraaf.nl/2018/04/13/CloudFormation-ssm-secure-str...
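To make the two approaches in this thread concrete, here is an added example (not code from the thread or from the linked post) of the Lambda side of such a custom resource. It assumes the template declares a `NoEcho` password parameter and passes it with `!Ref` into the custom resource's `Value` property, so the secret is never written into the template; the handler then writes it to Parameter Store as a `SecureString`. The `FakeSSM` class and `sample_event` helper are constructed stand-ins so the logic can be exercised offline; in Lambda, `boto3.client("ssm")` takes the fake's place. Resource names, ARNs and the response URL are placeholders.

```python
import json
import urllib.request


def handle_request(event, ssm):
    """Handle one CloudFormation custom-resource event and return the response body.

    `ssm` is a boto3 SSM client in Lambda or the in-memory FakeSSM below in tests.
    The returned body never contains the secret, and NoEcho=True keeps Data out of
    the console and stack events.
    """
    request_type = event["RequestType"]
    props = event.get("ResourceProperties", {})
    name = props["Name"]
    # PhysicalResourceId is absent on Create; on Update/Delete it is the name we
    # returned from the previous call, i.e. the parameter this resource owns.
    physical_id = event.get("PhysicalResourceId", name)

    if request_type == "Delete":
        try:
            ssm.delete_parameter(Name=physical_id)
        except ssm.exceptions.ParameterNotFound:
            pass  # already gone (e.g. rollback of a failed Create); keep Delete idempotent
        return _response(event, "SUCCESS", physical_id, {})

    kwargs = {
        "Name": name,
        "Value": props["Value"],
        "Type": "SecureString",
        # Only overwrite the parameter this resource already owns. A Create that hits an
        # existing name fails rather than silently taking over a secret the stack doesn't own.
        "Overwrite": request_type == "Update" and name == physical_id,
    }
    if props.get("KeyId"):  # customer-managed KMS key; omit to use the account default
        kwargs["KeyId"] = props["KeyId"]
    if props.get("Description"):
        kwargs["Description"] = props["Description"]
    result = ssm.put_parameter(**kwargs)
    # Returning the (possibly new) name as PhysicalResourceId means a rename on Update
    # creates the new parameter, and CloudFormation later sends Delete for the old one.
    return _response(event, "SUCCESS", name, {"Name": name, "Version": result["Version"]})


def _response(event, status, physical_id, data, reason="See CloudWatch logs"):
    return {"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "NoEcho": True, "Data": data}


def lambda_handler(event, context):
    """Lambda entry point. Never log `event`: ResourceProperties carries the secret."""
    import boto3  # present in the Lambda runtime; not needed for the offline demo
    try:
        body = handle_request(event, boto3.client("ssm"))
    except Exception as exc:  # always answer, or the stack hangs until the timeout
        fallback_id = event.get("PhysicalResourceId", event["LogicalResourceId"])
        body = _response(event, "FAILED", fallback_id, {}, reason=str(exc))
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req)


class FakeSSM:
    """Constructed in-memory stand-in for the boto3 SSM client (demo/test only)."""
    class exceptions:
        class ParameterAlreadyExists(Exception): pass
        class ParameterNotFound(Exception): pass

    def __init__(self):
        self.store = {}

    def put_parameter(self, Name, Value, Type, Overwrite=False, **extra):
        if Name in self.store and not Overwrite:
            raise self.exceptions.ParameterAlreadyExists(Name)
        version = self.store.get(Name, {}).get("Version", 0) + 1
        self.store[Name] = {"Value": Value, "Type": Type, "Version": version, **extra}
        return {"Version": version, "Tier": "Standard"}

    def delete_parameter(self, Name):
        if Name not in self.store:
            raise self.exceptions.ParameterNotFound(Name)
        del self.store[Name]


def sample_event(request_type, value, physical_id=None, name="/app/prod/db-password"):
    """Constructed event in the shape CloudFormation sends; ids and URL are placeholders."""
    event = {"RequestType": request_type,
             "ResponseURL": "https://cloudformation-custom-resource-response.example/PLACEHOLDER",
             "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/PLACEHOLDER",
             "RequestId": "PLACEHOLDER-request-id", "LogicalResourceId": "DbPasswordParameter",
             "ResourceProperties": {"ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER",
                                    "Name": name, "Value": value}}
    if physical_id:
        event["PhysicalResourceId"] = physical_id
    return event


def demo():
    """Run Create, Update, duplicate Create and Delete against the fake; return the outcomes."""
    ssm, name = FakeSSM(), "/app/prod/db-password"
    created = handle_request(sample_event("Create", "s3cr3t-v1"), ssm)
    try:
        handle_request(sample_event("Create", "other"), ssm)
        duplicate_create_failed = False
    except FakeSSM.exceptions.ParameterAlreadyExists:
        duplicate_create_failed = True
    updated = handle_request(sample_event("Update", "s3cr3t-v2", physical_id=created["PhysicalResourceId"]), ssm)
    stored = {"Type": ssm.store[name]["Type"], "Version": ssm.store[name]["Version"]}
    stored_value_ok = ssm.store[name]["Value"] == "s3cr3t-v2"  # checked here so the demo never prints it
    deleted = handle_request(sample_event("Delete", "s3cr3t-v2", physical_id=updated["PhysicalResourceId"]), ssm)
    return {"created": created, "updated": updated, "deleted": deleted, "stored": stored,
            "stored_value_ok": stored_value_ok, "duplicate_create_failed": duplicate_create_failed,
            "remaining": dict(ssm.store)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The IAM role for the function needs only `ssm:PutParameter` and `ssm:DeleteParameter` on the parameter's path (plus `kms:Encrypt` on the key if `KeyId` is set), which keeps the blast radius of the helper small even though it handles a secret.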