ssm: deploy-time random string generator for Parameter store

[tmokmss]

Describe the feature

This is a feature request for Systems Manager Parameter store construct StringParameter to generate a random string on deploy-time.

Secrets Manager construct (Secret) already has this feature and it is useful for generating secrets such as a database password. However, the drawback of Secret Manager is its cost; it costs $0.40/month per secret. Parameter store is a lot cheaper; it incurrs no additional charge for storing a parameter.

If we can reliably and deterministically generate a cryptographically-secure random string for a parameter store, it will be a handy way to store secrets.

Use Case

Generate and store an API key or encryption key for an app deployed by CDK.

Proposed Solution

To avoid from any breaking changes, we add a new construct e.g. GeneratedStringParameter

Generally speaking, each parameter is used to store a single parameter, not an object like JSON, so we only need a simpler API than Secrets Manager. Something like the below should suffice:

new GeneratedStringParameter(scope, 'id', {
  parameterName: 'foo',
  generateOption: {
      excludeCharacters: 'asdf',
      excludeLowercase: true,
      excludeNumbers: true,
      excludePunctuation: true,
      excludeUppercase: true,
      includeSpace: false,
      length: 46,
      requireEachIncludedType: true
  }
});

The generateOption follows the existing SecretStringGenerator except the template feature, which should meet most use cases. 

Besides that, the construct should inherit all the props from StringParameterProps except stringValue, which will be filled by a random generated string.

Inside the construct, we add a custom resource to generate a string and a StringParameter construct:

class GeneratedStringParameter {
  constructor(scope, id, props) {
    const generator = new CustomResource(this, 'Generator', {
      serviceToken:...,
      resourceType: 'Custom:RandomStringGenerator',
      properties: {...props.generateOption},
    });

    new StringParameter(this, 'Resource', {
      ...props,
      stringValue: generator.getAttString('generated'),
    });
  }
}

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.149.0

Environment details (OS name and version, etc.)

macOS

[khushail]

Hi @tmokmss , thanks for proposing this and volunteering to contribute. Since this is a proposed construct, one needs to submit an RFC and get the approval and review for the design, from the core team. However this whole contribution process is currently under review and being reassessed. Please feel free to check this ReadMe on L2 construct submission..