Problem Statement
Have you ever tried creating a SecureString SSM parameter using CloudFormation, only to find out it’s not directly supported? In this blog post, we’ll explore a workaround to this limitation and make use of AWS Custom Resource functionality to achieve the desired outcome.
There has been an open issue since Aug 2019 to address this functionality. This is what AWS has mentioned on the AWS::SSM::Parameter page.
In this blog we will discuss two important aspects of the end-to-end solution:
- Creating new SecureString parameters using a Custom Resource lambda function.
- Securely updating the values of these parameters.
Solution
As an alternative, we have to make use of the AWS Custom Resource functionality.
Parameter Store
CloudFormation resource for SecureString parameter:
sampleStringParam: |
Notice the difference in the value of the Type property between the SecureString and String parameters.
We employ “Custom::Lambda”, signalling that this is not a native AWS resource but a custom one we’re about to create.
Also, pay special attention to the “ServiceToken”, which accepts a Lambda ARN as its value. This Lambda can either be an existing one or be created as part of our CloudFormation template.
Lambda Function
Now, let’s discuss the Lambda resource itself. This Lambda holds the logic to receive the input JSON from CloudFormation and dynamically create, update, or delete a SecureString parameter using the Boto3 method “ssm.put_parameter”.
Here is the lambda resource:
Lambda: import json |
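The handler logic described above, as an added example that is not the blog's own code or the code in the linked repo. It assumes the custom resource passes Name and Value in its ResourceProperties, keeps Overwrite off for Create so an existing parameter is never silently taken over, treats Delete as idempotent so rollbacks cannot hang, and never echoes the secret back in the response Data. The FakeSSM class is a constructed stand-in for the boto3 client so the block runs offline.

```python
import json
import urllib.request


def handle_request(event, ssm):
    """Apply a Create/Update/Delete event via any object with the boto3 SSM
    client interface. Returns (status, physical_id, reason)."""
    props = event.get("ResourceProperties", {})
    name = props.get("Name")
    physical_id = event.get("PhysicalResourceId") or name or "unresolved"
    try:
        if event["RequestType"] == "Delete":
            try:
                ssm.delete_parameter(Name=physical_id)
            except ssm.exceptions.ParameterNotFound:
                pass  # already gone: Delete must be idempotent or rollback hangs
            return "SUCCESS", physical_id, ""
        if not name or not props.get("Value"):
            return "FAILED", physical_id, "Name and Value are required"
        # Create keeps Overwrite=False so it cannot take over a parameter another
        # stack or team already owns; only Update is allowed to overwrite.
        ssm.put_parameter(Name=name, Value=props["Value"], Type="SecureString",
                          Overwrite=event["RequestType"] == "Update")
        return "SUCCESS", name, ""
    except Exception as exc:  # report every failure or CloudFormation waits an hour
        return "FAILED", physical_id, f"{type(exc).__name__}: {exc}"


def response_body(event, status, physical_id, reason=""):
    # NoEcho plus an empty Data block keeps the secret out of stack events/outputs
    return json.dumps({"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
                       "StackId": event["StackId"], "RequestId": event["RequestId"],
                       "LogicalResourceId": event["LogicalResourceId"],
                       "NoEcho": True, "Data": {}})


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; offline runs inject FakeSSM instead
    status, physical_id, reason = handle_request(event, boto3.client("ssm"))
    body = response_body(event, status, physical_id, reason).encode()
    urllib.request.urlopen(urllib.request.Request(  # PUT to the pre-signed ResponseURL
        event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""}))


class FakeSSM:
    """Constructed in-memory stand-in for the boto3 SSM client (not AWS)."""
    class exceptions:
        class ParameterNotFound(Exception): pass
        class ParameterAlreadyExists(Exception): pass
    def __init__(self): self.store = {}
    def put_parameter(self, Name, Value, Type, Overwrite=False):
        if Name in self.store and not Overwrite: raise self.exceptions.ParameterAlreadyExists(Name)
        self.store[Name] = (Type, Value)
    def delete_parameter(self, Name):
        if Name not in self.store: raise self.exceptions.ParameterNotFound(Name)
        del self.store[Name]
```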
CloudFormation Stack
Resources it creates:
Update SecureString Params
Option1 – AWS Console
Navigating to the AWS console to update the parameters manually might not be an ideal solution, especially when dealing with a large number of parameters.
Option2 – Use Script
Use the Python script below to update SecureString parameters. Ensure that *.csv is added to .gitignore so the file holding the secret values is never committed.
“”” |
Sample test-params.csv file |
Conclusion
While CloudFormation has its limitations, the AWS Custom Resource functionality lets us overcome this one.
By combining a Lambda function with Boto3, we can manage SecureString SSM parameters from our templates, providing a robust solution to a longstanding gap.
This approach not only addresses the existing issue but also opens up possibilities for handling other scenarios where CloudFormation falls short.
Find this code in my GitHub repo here.