But, creating a custom resource is relatively easy. I’ve had to create a few for things that are really “custom” to our environment.
I used these as templates —-
One issue that really seemed like an oversight is that you can’t add a event subscription to an existing S3 bucket. I had to write a custom resource to do it.
How about 'NoEcho' type of CFN parameters?
The term “parameters” is unfortunately overloaded.
CloudFormation parameters are used within CF. We were referring to parameters in Parameter Store.
But then, how do you get the secret value from CF to parameter store? If you put the value of the parameter in your template, then it is stored unencrypted in your template that is probably in source control.
For that, I use a combination of NoEcho in CF and use that user entered value as a !Ref when creating the parameter store. Run the template manually one time and then you can have it default to the existing value.
But you need a custom resource to create a secure string type.