CustomResources: Allow usage across accounts

[pgarbe]

Allow CustomResources to be used across accounts. This needs an additional SNS topic as it makes it easier to set up permissions correctly. Also, the message from SNS topic must be unwrapped in order to work with existing CustomResource provider.

Use Case

My use-case is to provide CloudFormation custom resources for external SaaS solutions. I know that there are also custom types, but it still leaves the problem how to handle secrets (like api keys) properly. The set up I have in mind is to have the custom resource provider in a single account which also knows the secrets. Other accounts in the organization should be allowed to create custom resources in their own stacks using the provider in the shared account.

Another use-case might be the Rout53 example described here

Proposed Solution

• Adding a SNS topic in front of the CustomResourceProvider lambda
• Change the existing CustomResourceProvider lambda to handle also messages from SNS (or introduce another lamba to unwrap the message)
• Make it optional, as the serviceToken changes

Other

Similar solution with plain cfn:
https://aws.amazon.com/blogs/mt/multi-account-strategy-using-aws-cloudformation-custom-resources-to-create-amazon-route-53-resources-in-another-account/

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[eladb]

@pgarbe thanks for the proposal. I am transferring this issue to the RFC repo. Please consider submitting an RFC for this as it requires a bit or design work.

[mrgrain]

Marking this RFCs as stale since there has been little recent activity and it is not currently close to getting accepted as-is. We appreciate the effort that has gone into this proposal. Marking an RFCs as stale is not a one-way door. If you have made substantial changes to the proposal, please open a new issue/RFC. You might also consider raising a PR to aws/aws-cdk directly or self-publishing to Construct Hub.