Skip to content
/ cf-heroku-keys Public

Manage AWS keys for Heroku apps as a CloudFormation custom resource

0 stars 0 forks Branches Tags Activity
Star

eleostech/cf-heroku-keys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
lib
lib
 
 
.gitignore
.gitignore
 
 
.ruby-version
.ruby-version
 
 
Gemfile
Gemfile
 
 
README.md
README.md
 
 
event.json
event.json
 
 
sample.env.json
sample.env.json
 
 
template.yaml
template.yaml
 
 

Repository files navigation

cf-heroku-keys

This custom CloudFormation resource allows AWS keys generated and managed by a CloudFormation stack to be automatically plugged into the config of an app running in Heroku. When the keys are created, updated, or deleted, this Lambda function calls the Heroku API to update or remove the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

Use by templates

To use this custom resource to update a particular Heroku app's keys, add the following to your stack's Resources section:

Resources:
  SomeUser:
    Type: "AWS::IAM::User"
    Properties:
      Policies:
        # Define your inline IAM policies or roles

  SomeKeys:
    Type: "AWS::IAM::AccessKey"
    Properties:
      Serial: 1 # Increment to roll keys
      UserName: !Ref SomeUser

  HerokuKeys:
    Type: 'Custom::HerokuKeys'
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:571593187444:function:cf-heroku-keys-CFHerokuKeysFunction-1WXJ5DBEZYEY0
      AppName: your-heroku-app-name
      Key: !Ref SomeKeys
      Secret: !GetAtt SomeKeys.SecretAccessKey

Hacking

Requirements

  • AWS CLI installed
  • pip install --user aws-sam-cli
  • On Debian: sudo apt install python-backports.ssl-match-hostname python-backports.functools-lru-cache
  • Ruby version matching .ruby-version installed
  • Docker installed
  • cp sample.env.json env.json and plug in your Heroku API key (which you can generate as in Deployment below, or steal from ~/.netrc if you're in a rush.)

Invoking function locally using a local sample payload

sam local invoke --env-vars env.json --event event.json

Packaging and deployment

Deployment

Create an OAuth token over on Heroku. I recommend doing this as a programmatic account so it isn't interrupted if you lock or otherwise disable your own Heroku account.

heroku authorizations:create \
  --description "AWS CloudFormation cf-heroku-keys app" \
  --scope write-protected

Package the app:

sam package --template-file template.yaml \
  --s3-bucket eleos-build-archives \
  --output-template-file packaged.yaml

Use the CloudFormation web UI to deploy packaged.yaml, setting the HerokuApiKey parameter to be the UUID-like token (NOT the ID) issued by the authorizations:create step above.

The CloudFormation stack produces an Output that you should use as the ServiceToken when defining the custom resource in other stack templates.

About

Manage AWS keys for Heroku apps as a CloudFormation custom resource

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

8 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages