It’s surprisingly difficult to use AWS SSM Parameter secure strings in
CloudFormation templates.
If you try to have CloudFormation fetch the value of the SSM Parameter through a
template parameter of type AWS::SSM::Parameter::Value<String>, you'll get this error:
An error occurred (ValidationError) when calling the CreateStack operation:
Parameters [/foobar/foo_param] referenced by template have types not supported
by CloudFormation.
If you try to declare a CloudFormation parameter of type
AWS::SSM::Parameter::Value<SecureString>, you'll get this error:
An error occurred (ValidationError) when calling the CreateStack operation:
Template format error: Unrecognized parameter type: SecureString
If you try to use the ssm-secure dynamic reference (the {{resolve:...}} syntax)
in the CloudFormation template, like this:
Foobar: '{{resolve:ssm-secure:foobar-param:1}}'
You’ll get an error like this:
An error occurred (ValidationError) when calling the CreateStack operation:
SSM Secure reference is not supported in:
[AWS::Lambda::Function/Properties/Environment/Variables]
So it seems you're stuck if you want to use an SSM Parameter secure string
in a SAM CloudFormation template.
Here’s a workaround that uses bash and the aws cli to fetch the SSM Parameter
secure string values and pass them in as CloudFormation parameters during the
SAM deployment:
sam validate --lint
sam build --use-container
sam deploy \
    --no-confirm-changeset \
    --no-fail-on-empty-changeset \
    --stack-name foobar-sam-stack \
    --image-repository 111122223333.dkr.ecr.eu-west-2.amazonaws.com/foobar-sam-lambda-function \
    --parameter-overrides \
    $(cat ./deployment/development.params) \
    "FoobarParameterOne=$(aws ssm get-parameter --with-decryption --name '/foobar/one/FOOBAR' | jq -r '.Parameter.Value')" \
    "FoobarParameterTwo=$(aws ssm get-parameter --with-decryption --name '/foobar/two/FOOBAR' | jq -r '.Parameter.Value')"
The $(cat ./deployment/development.params) lets you keep the non-sensitive
CloudFormation parameters in a file, which can be more convenient.
The sensitive values from the SSM Parameter secure strings are fetched with the
aws ssm get-parameter command and passed to the sam deploy command.
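The same workaround, written up as an added example script (this is not the post's own script): each SSM SecureString is read through a small function that refuses to continue when the parameter is missing or empty, and every Key=Value override is passed to sam deploy as one argument so a value containing spaces is not split into several tokens. It assumes the AWS CLI v2 (using --query/--output text instead of the jq pipeline) and the SAM CLI on PATH; the fetcher and the sam command are overridable through SSM_FETCHER and SAM_CMD so the assembly logic can be checked without AWS credentials, and the real deployment only runs when RUN_DEPLOY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not the post's own script): fetch SSM SecureString values and
# hand them to `sam deploy` as --parameter-overrides, keeping each Key=Value as
# a single argument and aborting the deploy if any secret cannot be read.
set -eu

# Both external commands are pluggable so the assembly logic can be exercised
# without AWS credentials. Defaults assume AWS CLI v2 and SAM CLI on PATH.
SSM_FETCHER="${SSM_FETCHER:-fetch_secure_param}"
SAM_CMD="${SAM_CMD:-sam}"

# fetch_secure_param SSM_NAME -> decrypted value on stdout.
# --query/--output text replaces the jq pipeline used in the post.
fetch_secure_param() {
  aws ssm get-parameter --with-decryption --name "$1" \
      --query 'Parameter.Value' --output text
}

# param_override KEY SSM_NAME -> "KEY=value", or a non-zero exit when the
# parameter is missing or empty, so an empty secret never reaches the stack.
param_override() {
  local key="$1" name="$2" value
  if ! value="$("$SSM_FETCHER" "$name")" || [ -z "$value" ]; then
    echo "error: could not read SSM parameter '$name' for $key" >&2
    return 1
  fi
  printf '%s=%s\n' "$key" "$value"
}

# file_overrides FILE -> the non-sensitive Key=Value lines from a params file,
# ignoring blank lines and # comments (same role as the post's $(cat ...)).
file_overrides() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# sam_deploy_with_secrets STACK IMAGE_REPO PARAMS_FILE [Key=/ssm/name ...]
# Every override becomes one positional parameter, so a value containing spaces
# reaches sam deploy intact instead of being word-split into several tokens.
sam_deploy_with_secrets() {
  local stack="$1" repo="$2" params_file="$3" spec overrides old_ifs
  shift 3
  overrides="$(file_overrides "$params_file")"
  for spec in "$@"; do
    # spec is Key=/ssm/name; a failed fetch aborts the whole deploy via set -e
    overrides="$overrides
$(param_override "${spec%%=*}" "${spec#*=}")"
  done
  old_ifs="$IFS"
  IFS='
'
  set -f                       # split on newlines only, with no globbing
  set -- $overrides
  set +f
  IFS="$old_ifs"
  "$SAM_CMD" deploy \
      --no-confirm-changeset \
      --no-fail-on-empty-changeset \
      --stack-name "$stack" \
      --image-repository "$repo" \
      --parameter-overrides "$@"
}

# The post's deployment, run only when RUN_DEPLOY=1 is set in the environment.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  "$SAM_CMD" validate --lint
  "$SAM_CMD" build --use-container
  sam_deploy_with_secrets foobar-sam-stack \
      111122223333.dkr.ecr.eu-west-2.amazonaws.com/foobar-sam-lambda-function \
      ./deployment/development.params \
      FoobarParameterOne=/foobar/one/FOOBAR \
      FoobarParameterTwo=/foobar/two/FOOBAR
fi
```

Two things worth pairing with this: declare the secret-carrying template parameters with NoEcho: true so CloudFormation masks their values in describe-stacks output and the console, and do not run the script under set -x, since the trace would print the expanded command with the decrypted values in it. The values still end up in plaintext in the Lambda function's environment configuration, exactly as with the post's one-liner; the script only changes how they get there.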
AWS SAM CloudFormation SSM Parameter secure string not supported workaround