
@robertsosinski
Created September 6, 2019 20:03
Create an encrypted SSM Parameter using a Custom CloudFormation Resource
const aws = require("aws-sdk");
const https = require("https");
const url = require("url");
// Sends a response to the pre-signed S3 URL
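/**
 * Reports the outcome of a custom-resource request back to CloudFormation.
 *
 * CloudFormation waits for an HTTP PUT to the pre-signed S3 URL carried in
 * `event.ResponseURL`; until that PUT lands the stack operation stays
 * IN_PROGRESS, so every code path in the handler must end up here exactly once.
 *
 * @param {object} event                     Custom-resource request event from CloudFormation.
 * @param {object} context                   Lambda context; `logStreamName` is echoed in `Reason`.
 * @param {Function} callback                Lambda completion callback, invoked once the PUT finishes.
 * @param {"SUCCESS"|"FAILED"} responseStatus Outcome reported to CloudFormation.
 * @param {object} [responseData]            Optional key/value map exposed to the template via `Fn::GetAtt`.
 */
function sendResponse(event, context, callback, responseStatus, responseData) {
  const responseBody = JSON.stringify({
    Status: responseStatus,
    Reason: `See the details in CloudWatch Log Stream: ${context.logStreamName}`,
    // The parameter name doubles as the physical id: when an Update changes the
    // name, CloudFormation sees a new id and later issues a Delete for the old one.
    PhysicalResourceId: event.ResourceProperties.Name,
    StackId: event.StackId,
    RequestId: event.RequestId,
    LogicalResourceId: event.LogicalResourceId,
    Data: responseData
  });
  // Safe to log: the body carries status, ids and the message, never the parameter value.
  console.log("RESPONSE BODY:\n", responseBody);

  const parsedUrl = new url.URL(event.ResponseURL);
  const options = {
    hostname: parsedUrl.hostname,
    port: 443,
    // The query string holds the S3 pre-signature and must be sent along with the path.
    path: `${parsedUrl.pathname}${parsedUrl.search}`,
    method: "PUT",
    headers: {
      "Content-Type": "",
      // Byte length rather than UTF-16 code-unit length, so the header stays
      // correct should any echoed field contain non-ASCII text.
      "Content-Length": Buffer.byteLength(responseBody, "utf8")
    }
  };

  const req = https.request(options, (res) => {
    console.log("STATUS:", res.statusCode);
    console.log("HEADERS:", JSON.stringify(res.headers));
    // Drain the (empty) S3 response so the socket is released.
    res.resume();
    // A rejected PUT means CloudFormation never received the signal; surface
    // it as an invocation error instead of reporting success to Lambda.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      callback(new Error(`Unexpected status ${res.statusCode} when sending stack response`));
      return;
    }
    callback(null, "Successfully sent stack response!");
  });
  req.on("error", (err) => {
    console.log("sendResponse Error:\n", err);
    callback(err);
  });
  req.write(responseBody);
  req.end();
}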
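/**
 * Returns a copy of the request event that is safe to write to CloudWatch Logs.
 *
 * `ResourceProperties.Value` (and, on Update events, `OldResourceProperties.Value`)
 * is the plaintext that becomes the SecureString; logging the raw event would
 * expose the secret to anyone with read access to the log group.
 *
 * @param {object} event Custom-resource request event.
 * @returns {object} Shallow copy of the event with the secret values masked.
 */
function redactEvent(event) {
  if (!event || typeof event !== "object") {
    return event;
  }
  const copy = Object.assign({}, event);
  for (const key of ["ResourceProperties", "OldResourceProperties"]) {
    if (copy[key] && copy[key].Value !== undefined) {
      copy[key] = Object.assign({}, copy[key], { Value: "***REDACTED***" });
    }
  }
  return copy;
}

/**
 * Lambda entry point for the `Custom::EncryptedSSMParameter` resource.
 *
 * Create/Update write the parameter as a SecureString (encrypted with the
 * supplied KMS key); Delete removes it. Every branch ends in `sendResponse`,
 * because a request left unanswered stalls the stack until it times out.
 *
 * Resource properties read: `Name`, `Value`, `Description`, `KeyId`, and an
 * optional `Region` (when absent the SDK uses the function's own region).
 *
 * @param {object} event      Custom-resource request event from CloudFormation.
 * @param {object} context    Lambda context.
 * @param {Function} callback Lambda completion callback.
 */
exports.handler = (event, context, callback) => {
  console.log("event", redactEvent(event), "context", context);
  // Fixed the misspelled option key: `regoin` was silently ignored, so the
  // requested Region never took effect.
  const ssm = new aws.SSM({ region: event.ResourceProperties.Region });
  const name = event.ResourceProperties.Name;

  switch (event.RequestType) {
    case "Create":
    case "Update": {
      const params = {
        Name: name,
        Type: "SecureString",
        Value: event.ResourceProperties.Value,
        Description: event.ResourceProperties.Description,
        KeyId: event.ResourceProperties.KeyId,
        Tier: "Standard",
        // Overwrite lets Update replace the value in place, but it also makes a
        // Create succeed over a pre-existing parameter of the same name, which
        // is then silently replaced.
        Overwrite: true
      };
      ssm.putParameter(params, (err, data) => {
        if (err) {
          console.log("ERROR:", err);
          return sendResponse(event, context, callback, "FAILED");
        }
        console.log("putParameter", data);
        sendResponse(event, context, callback, "SUCCESS", { "Message": "Resource update successful!" });
      });
      break;
    }
    case "Delete": {
      ssm.deleteParameter({ Name: name }, (err, data) => {
        // A parameter that is already gone (rollback after a failed Create, or
        // removed out of band) must not block stack deletion, so
        // ParameterNotFound is treated as a successful delete.
        if (err && err.code !== "ParameterNotFound") {
          console.log("ERROR:", err);
          return sendResponse(event, context, callback, "FAILED");
        }
        console.log("deleteParameter", data);
        sendResponse(event, context, callback, "SUCCESS", { "Message": "Resource deletion successful!" });
      });
      break;
    }
    default:
      // Unknown request type: still answer, otherwise the stack hangs.
      console.log("ERROR", "unsupported RequestType:", event.RequestType);
      sendResponse(event, context, callback, "FAILED");
  }
};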
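Parameters:
  ParamName:
    Description: SSM Param Name
    Type: String
  ParamValue:
    Description: SSM Param Value
    Type: String
    # This value becomes the SecureString plaintext. NoEcho keeps it out of
    # DescribeStacks output and the console's Parameters view; it is still
    # handed to the function as a resource property, so the function must not
    # log the raw event.
    NoEcho: true
  ParamDescription:
    Description: SSM Param Description
    Type: String
  ParamKeyId:
    Description: KMS CMK ID for encrypting the SSM Param
    Type: String
Resources:
  CustomResource:
    Type: Custom::EncryptedSSMParameter
    Properties:
      # Lambda that implements the resource; it reads Name, Value, Description,
      # KeyId and an optional Region from these properties.
      ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:create-encrypted-ssm-parameter"
      # Name is also used as the PhysicalResourceId, so renaming the parameter
      # creates the new one and then deletes the old one.
      Name: !Ref ParamName
      Value: !Ref ParamValue
      Description: !Ref ParamDescription
      KeyId: !Ref ParamKeyId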