cfn-resource-provider 1.0.6

A base class for AWS CloudFormation Custom Resource Providers.

This ResourceProvider base class makes it very simple to implement a Custom CloudFormation Resource.

First, you inherit from the base class and specify a JSON schema which defines the resource properties you require:

from cfn_resource_provider import ResourceProvider

class SecretProvider(ResourceProvider):
    def __init__(self):
            super(SecretProvider, self).__init__()
            self.request_schema =  {
                "type": "object",
                "required": ["Name"],
                "properties": {
                    "Name": {"type": "string",
                             "minLength": 1,
                             "pattern": "[a-zA-Z0-9_/]+",
                             "description": "the name of the value in the parameters store"},
                    "Description": {"type": "string",
                                    "default": "",
                                    "description": "the description of the value in the parameter store"},
                    "Alphabet": {"type": "string",
                                 "default": "abcdfghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_",
                                 "description": "the characters from which to generate the secret"},
                    "ReturnSecret": {"type": "boolean",
                                     "default": False,
                                     "description": "return secret as attribute 'Secret'"},
                    "KeyAlias": {"type": "string",
                                 "default": "alias/aws/ssm",
                                 "description": "KMS key to use to encrypt the value"},
                    "Length": {"type": "integer",
                               "minimum": 1, "maximum": 512,
                               "default": 30,
                               "description": "length of the secret"}
                }
            }

The JSON schema allows you to specify the expected properties, constraints and default values. After that, you only need to implement the methods create, update and delete:

class SecretProvider(ResourceProvider):
    ...
    def create(self):
        try:
            value = "".join(choice(self.get('Alphabet') for x in range(0, self.get('Length')))
            self.ssm.put_parameter(Name=self.get('Name'), KeyId=self.get('KeyAlias'),
                                   Type='SecureString', Overwrite=False, Value=value)
            self.set_attribute('Arn', self.arn)
            if self.get('ReturnSecret'):
                self.set_attribute('Secret', value)

            self.physical_resource_id = self.arn
        except ClientError as e:
            self.physical_resource_id = 'could-not-create'
            self.fail(str(e))

    def create(self):
        ....

    def delete(self):
        ....

In these methods, you can safely access all the properties defined in your JSON schema. The methods are only called after validation of the request against your schema.

• to return values which can be accessed by Fn::GetAtt, you can call the method set_attribute.

• to return a resource id for your resource, you can set the property physical_resource_id.

• to indicate a failed request, you can call the method fail.

• to indicate a succesful request, you can call the method success.

Finally, at the end of your module implement the AWS Lambda handle function:

provider = SecretProvider()
def handle(request, context):
    provider.handle(request, context)

Processing boolean and integer properties

AWS CloudFormation passes all properties in string format, eg ‘true’, ‘false’, ‘123’. This does not go down well with the json schema validator. Therefore, before the validator is called, it calls the method convert_property_types. Use this method to do the conversion of the non string properties:

def convert_property_types(self):
     try:
         if 'Length' in self.properties and isinstance(self.properties['Length'], (str, unicode,)):
             self.properties['Length'] = int(self.properties['Length'])
         if 'ReturnSecret' in self.properties and isinstance(self.properties['ReturnSecret'], (str, unicode,)):
             self.properties['ReturnSecret'] = (self.properties['ReturnSecret'] == 'true')
     except ValueError as e:
         log.error('failed to convert property types %s', e)

it is ok if you cannot convert the values: the validator will report the error for you :-)

Alternatively, you may use the heuristic_convert_property_types method:

def convert_property_types(self):
     self.heuristic_convert_property_types(self.properties)

it will convert all integer strings to int type, and ‘true’ and ‘false’ strings to a boolean type. Recurses through your dictionary.