CloudFormation Custom Resources cannot be invoked cross-region or cross-account #17

Open
tomwwright opened this issue Oct 9, 2020 · 1 comment
Labels
module/core type/debt Technical debt that needs to be addressed in the future

Comments

@tomwwright (Owner)

A Lambda-backed Custom Resource must be invoked from stacks in the same region.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html

This is a limitation when trying to use Stack Sets to deploy to many regions at the same time that are integrated with a Custom Resource.

This issue is compounded by #15 and #16, as other limitations exist for deploying a Custom Resource packaged with SAM.


Solution here is to create a small Lambda that can be deployed via inline code that is able to "proxy" a Custom Resource invocation to another Lambda Custom Resource cross-region.

@tomwwright tomwwright added module/core type/feature Feature or functionality that is well-formed and can be implemented and closed labels Oct 9, 2020
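The proxy sketched in the comment above, written out as an added example (this is not code from the repository or its author). It assumes a hypothetical resource property `TargetFunctionArn` naming the real custom-resource Lambda; everything else is the standard custom-resource request shape. The proxy is deployed inline in the stack's own region, re-issues the request to the target in whatever region the ARN names, and, because the `ResponseURL` is a pre-signed S3 URL usable from any region, lets the target answer CloudFormation directly. The one thing the proxy must do itself is report `FAILED` when the forward fails (wrong ARN, missing `lambda:InvokeFunction` on the target's resource policy); otherwise the stack sits in `CREATE_IN_PROGRESS` until CloudFormation's own timeout.

```python
"""Inline-deployable proxy for a Lambda-backed CloudFormation custom resource.

Stack (region A) -> this proxy (region A) -> target Lambda (region B) -> ResponseURL

Added example, not the project's code. TargetFunctionArn is a hypothetical
property name chosen for this illustration.
"""
import json
import urllib.request

TARGET_KEY = "TargetFunctionArn"  # hypothetical property carrying the real handler's ARN


def region_from_arn(arn):
    """Extract the region from arn:partition:lambda:region:account:function:name."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[2] != "lambda":
        raise ValueError("not a Lambda function ARN: %s" % arn)
    return parts[3]


def cfn_response(event, status, reason="", data=None):
    """Body CloudFormation expects at ResponseURL. PhysicalResourceId is always set
    so that a failed Create is followed by a Delete the target can recognise."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(event, body, opener=urllib.request.urlopen):
    """PUT the body to the pre-signed ResponseURL (S3 wants an empty Content-Type)."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))},
    )
    opener(req)
    return body


def forward(event, invoke):
    """Re-issue the request to the target. The target receives the original
    ResponseURL, so it answers CloudFormation itself. Returns the target region."""
    props = dict(event["ResourceProperties"])
    target = props.pop(TARGET_KEY)  # KeyError here becomes a FAILED response below
    region = region_from_arn(target)
    forwarded = dict(event, ResourceProperties=props)
    invoke(region, target, json.dumps(forwarded).encode())
    return region


def _boto_invoke(region, function_arn, payload):
    """Real cross-region invocation. Synchronous on purpose: a target-side error
    surfaces here instead of leaving the stack waiting for a response."""
    import boto3  # imported lazily so the module loads without boto3 in tests
    client = boto3.client("lambda", region_name=region)
    resp = client.invoke(FunctionName=function_arn,
                         InvocationType="RequestResponse", Payload=payload)
    if "FunctionError" in resp:
        raise RuntimeError("target failed: %s" % resp["Payload"].read().decode())


def handler(event, context, invoke=_boto_invoke, send=send_response):
    """Lambda entry point. invoke/send are injectable for offline testing."""
    try:
        region = forward(event, invoke)
        return {"Forwarded": True, "Region": region}
    except Exception as exc:  # any failure here would otherwise hang the stack
        send(event, cfn_response(event, "FAILED", reason=str(exc)))
        return {"Forwarded": False, "Reason": str(exc)}
```

The proxy's execution role needs `lambda:InvokeFunction` on the target ARN, and for a cross-account target the target's resource policy must name the proxy's account or role, which is exactly the limitation the next comment turns to.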
tomwwright added a commit that referenced this issue Oct 11, 2020
tomwwright added a commit that referenced this issue Oct 11, 2020
@tomwwright tomwwright changed the title CloudFormation Custom Resources cannot be invoked cross-region CloudFormation Custom Resources cannot be invoked cross-region or cross-account Oct 14, 2020
@tomwwright (Owner, Author)

Lambda-backed CloudFormation Custom Resources also cannot be invoked (securely) cross-account without specifying specific Account IDs in AWS::Lambda::Permission resources. While Lambda functions are governed by a resource policy, managing this resource policy can only be done via the AddPermission API action, which doesn't have support for IAM Conditions.

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

Solution here would be to introduce an SNS topic to the Custom Resource stack and attach a more expressive resource policy to that.

@tomwwright tomwwright added type/debt Technical debt that needs to be addressed in the future and removed type/feature Feature or functionality that is well-formed and can be implemented and closed labels Oct 15, 2020
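What the SNS route buys you, as an added example (not the project's code): the subscribed Lambda has to unwrap each custom-resource request from the SNS envelope, and the topic policy can carry full IAM conditions such as `aws:PrincipalOrgID` and an `ArnLike` match on `aws:PrincipalArn`, the kind of restriction the comment above says cannot be expressed through `AddPermission`. The organization ID, role-name pattern and the sample event below are constructed for the illustration. The block also includes a check that flags the opposite mistake, an `Allow sns:Publish` to `*` with no `Condition`, which would let anyone on the internet trigger the custom resource.

```python
"""SNS-backed custom resource: envelope unwrapping and a conditioned topic policy.

Added example, not the project's code. Org ID, role pattern and the sample event
are constructed values.
"""
import json

REQUIRED_KEYS = ("RequestType", "ResponseURL", "StackId", "RequestId", "LogicalResourceId")


def unwrap_sns_event(sns_event):
    """Each SNS record carries one custom-resource request as a JSON string in
    Sns.Message; return the decoded request dicts, validating the shape."""
    requests = []
    for record in sns_event["Records"]:
        if record.get("EventSource") != "aws:sns":
            raise ValueError("unexpected record source %r" % record.get("EventSource"))
        msg = json.loads(record["Sns"]["Message"])
        missing = [k for k in REQUIRED_KEYS if k not in msg]
        if missing:
            raise ValueError("custom resource request missing %s" % ", ".join(missing))
        requests.append(msg)
    return requests


def topic_policy(topic_arn, org_id, role_arn_pattern):
    """Allow sns:Publish only from principals inside one AWS Organization whose
    role ARN matches a pattern (e.g. the StackSet execution role that exists in
    every member account). Principal "*" is safe here only because of the
    Condition block; see unrestricted_publish_sids()."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCustomResourceInvocation",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {
                "StringEquals": {"aws:PrincipalOrgID": org_id},
                "ArnLike": {"aws:PrincipalArn": role_arn_pattern},
            },
        }],
    }


def unrestricted_publish_sids(policy):
    """Return the Sids of Allow statements that grant publish to any principal
    with no Condition, i.e. statements that make the topic world-writable."""
    bad = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        publishes = any(a in ("sns:Publish", "sns:*", "*") for a in actions)
        if st["Effect"] == "Allow" and wildcard and publishes and not st.get("Condition"):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


# Constructed: the weak form of the policy, the one the check above should flag.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanPublish",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:111111111111:custom-resource",
    }],
}

# Constructed: what the subscribed Lambda receives for a single Create request.
SAMPLE_SNS_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:111111111111:custom-resource",
            "Message": json.dumps({
                "RequestType": "Create",
                "ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/example",
                "StackId": "arn:aws:cloudformation:ap-southeast-2:222222222222:stack/demo/0000",
                "RequestId": "req-1",
                "LogicalResourceId": "Demo",
                "ResourceType": "Custom::Demo",
                "ResourceProperties": {
                    "ServiceToken": "arn:aws:sns:us-east-1:111111111111:custom-resource",
                    "Name": "example",
                },
            }),
        },
    }],
}
```

The decoded request has the same `ResponseURL` contract as the Lambda-backed form, so the response-sending code does not change; only the entry point and the trust boundary do.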