Hello 🙂 In our last post, we discussed how to create an SSM parameter using a CloudFormation template. In this post, we will show you how to use the SSM parameter we created in that post from a CloudFormation template.
Please note that it doesn't matter whether you created your SSM parameter manually or via CloudFormation; you can use it in a template the same way as explained in this post.
Why use SSM parameter in CloudFormation?
You might think that CloudFormation already allows you to use parameters: you can either hard-code them as default values or pass them in dynamically at deploy time.
Then why do we even need SSM?
Well, you are right. However, the ability to store parameters centrally in one place and reference them from the template is what that approach is missing.
That's where the integration between CloudFormation and SSM Parameter Store helps.
In short, it provides the benefits below:
- Makes our template reusable and generic
- Storing all parameters centrally in SSM and reading them from the stack makes infrastructure management across environments hassle-free
- Separates infrastructure configuration from infrastructure code
Permission
As always, I am sharing the permission required to get an SSM parameter.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
The above policy is very permissive: it allows reading every parameter in the account. So if you are following the least-privilege principle, use the policy below instead.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:eu-west-1:123456789012:parameter/WebsiteBucket"
      ],
      "Effect": "Allow"
    }
  ]
}
Have you noticed that we have provided the ARN of the exact SSM parameter? You can list multiple ARNs if you need access to more than one parameter.
Format of an ARN: arn:partition:service:region:account-id:resourcetype/resource
In the case of SSM it looks like the line below; just replace the region, account ID and parameter name as per your requirement. Note that for a hierarchical name such as /prod/website/bucket the resource part is parameter/prod/website/bucket, with no double slash after "parameter".
arn:aws:ssm:region:account-id:parameter/WebsiteBucket
Two caveats: ssm:GetParameter and ssm:GetParameters are distinct IAM actions, so if a stack operation fails with an access-denied error on the parameter, check in CloudTrail which action was denied and allow that one; and reading a SecureString parameter additionally requires kms:Decrypt on the KMS key that encrypted it.
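To make the ARN rules above concrete, here is an added Python example (not code from the original post). It builds the ARN for flat and hierarchical parameter names, builds a wildcard ARN that covers a whole hierarchy, and emits a least-privilege read policy. The account ID, region, KMS key ARN and parameter names are constructed placeholders. The policy lists ssm:GetParameters alongside ssm:GetParameter because IAM treats them as separate actions, and it adds kms:Decrypt only when a key ARN is supplied, which is what a SecureString consumer needs.

```python
"""Build SSM parameter ARNs and a least-privilege read policy.

Added example, not from the original post. Region, account ID, key ARN and
parameter names used below are constructed placeholders.
"""
import json
import re

# Parameter names are either flat ("WebsiteBucket") or hierarchical
# ("/prod/website/bucket"). In the ARN the resource part is always
# "parameter/<name-without-leading-slash>", so a hierarchical name must
# not produce "parameter//prod/...".
_NAME_RE = re.compile(r"^/?[A-Za-z0-9_.\-/]+$")


def ssm_parameter_arn(region: str, account_id: str, name: str,
                      partition: str = "aws") -> str:
    """Return arn:<partition>:ssm:<region>:<account>:parameter/<name>."""
    if not _NAME_RE.match(name) or "//" in name:
        raise ValueError(f"invalid SSM parameter name: {name!r}")
    return f"arn:{partition}:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def ssm_path_arn(region: str, account_id: str, path: str,
                 partition: str = "aws") -> str:
    """ARN pattern covering every parameter under one hierarchy, e.g. /prod/website/*."""
    path = path.strip("/")
    return f"arn:{partition}:ssm:{region}:{account_id}:parameter/{path}/*"


def read_policy(resource_arns, kms_key_arn: str = None) -> dict:
    """Least-privilege policy: read only the listed parameters.

    GetParameter and GetParameters are distinct IAM actions, so both are
    allowed (still scoped to the given ARNs). kms:Decrypt is added only when
    a key ARN is given, which is required to read a SecureString.
    """
    statements = [{
        "Sid": "ReadNamedParameters",
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": sorted(set(resource_arns)),
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptSecureString",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample: one exact parameter plus one whole hierarchy.
    arns = [
        ssm_parameter_arn("eu-west-1", "123456789012", "WebsiteBucket"),
        ssm_path_arn("eu-west-1", "123456789012", "/prod/website"),
    ]
    print(json.dumps(read_policy(arns), indent=2))
```

Attach the resulting policy to whichever principal performs the stack operation (the user, the CI role, or the CloudFormation service role); a wildcard ARN per environment hierarchy keeps the policy short without falling back to "*".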
How to use SSM Parameter in CloudFormation?
Finally, we are back to the original point 🙂
To be honest, I found two different ways to use an SSM parameter in a CloudFormation template:
- Dynamic reference
- Using the Parameters section
Stay with me to learn which of the two is the right way to use an SSM parameter in CloudFormation, how, and why.
Dynamic Reference
The very first time I had to use an SSM parameter in a CloudFormation template, I searched our very own friend Google and got this article from AWS.
As a result, I ended up using a dynamic reference like
'{{resolve:ssm:parameter-name:version}}'
or, to be more specific,
WebsiteS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: '{{resolve:ssm:WebsiteBucket:1}}'
Is this the right way to use it?
Now that's a good question. (I don't use this way anymore 😛 )
You might already know that every time you edit an SSM parameter, its version increments by 1. The version in a dynamic reference is optional: '{{resolve:ssm:WebsiteBucket}}' resolves the latest version whenever the stack is created or updated, while '{{resolve:ssm:WebsiteBucket:1}}' pins version 1 and keeps using it until you edit the template. Pinning protects a stack from an unreviewed parameter change, but it also means every change to the parameter needs a template change as well, which doesn't make sense in the time of automation as per me.
Two more things to know about dynamic references. A plain resolve:ssm reference works only for String and StringList parameters; a SecureString has to be referenced as '{{resolve:ssm-secure:parameter-name}}', which CloudFormation accepts only in a limited set of resource properties and never shows back in the console or in describe-stacks output. And because the reference is resolved while the stack operation is running rather than up front in the Parameters section, a non-existent parameter or a missing permission fails the operation at that point.
Using Parameter Section of template
AWS CloudFormation allows you to use the Parameters section of your template to define parameters whose values come from Systems Manager Parameter Store, such as:
AWSTemplateFormatVersion: 2010-09-09
Description: Template to show SSM parameter uses
Parameters:
BucketName:
Type: AWS::SSM::Parameter::Value<String>
Default: 'WebsiteBucket'
Description: Bucket Name from SSM that host website
Resources:
WebsiteS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Ref BucketName
What happens when we use a parameter like the above?
- As soon as you declare a parameter with one of the SSM parameter types, CloudFormation treats the value you pass (here the Default, 'WebsiteBucket') as the name of a key in Parameter Store, fetches its current value when you create or update the stack, and uses that value wherever you !Ref the parameter.
- If the SSM parameter you name doesn't exist, the stack operation fails with a validation error before any resource is created or changed.
- If the value is needed in several places, you simply !Ref the same parameter everywhere.
Tell me one thing: have you noticed that there is no version involved here?
That means that on every stack operation CloudFormation fetches the current value at the time of the operation and uses it; you cannot pin a version with this approach.
If the value changes in Parameter Store and you want your stack to pick it up, simply update your stack and it will use the updated value.
One caveat before you reach for this with secrets: these parameter types don't support SecureString parameters, and the resolved value is recorded on the stack (CloudFormation shows it as the parameter's resolved value in the console and in describe-stacks). Keep passwords and keys in SecureString parameters and reference them with ssm-secure dynamic references instead.
SSM parameter types that you can use
Lastly, let's see the different SSM parameter types that are allowed in your template. In every case the parameter's Default (or the value passed at deploy time) is the name of the key in Parameter Store, not its value.
- AWS::SSM::Parameter::Name: CloudFormation checks that a parameter with that name exists and passes the name on unchanged; use it when a resource needs the key itself rather than the value.
- AWS::SSM::Parameter::Value<String>: the current value of a String parameter.
- AWS::SSM::Parameter::Value<List<String>> and AWS::SSM::Parameter::Value<CommaDelimitedList>: a StringList (or comma-separated String) parameter, delivered as a list.
- AWS::SSM::Parameter::Value<AWS-specific type>, for example AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> or AWS::SSM::Parameter::Value<List<AWS::EC2::Subnet::Id>>: the value is fetched and additionally validated as that AWS type. A common use is the public parameter /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2, which always holds the current Amazon Linux 2 AMI ID for the region.
SecureString parameters are not supported by any of these types.
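The two mechanisms discussed above (dynamic references in the Dynamic Reference section, and the SSM parameter types in the Parameters section) differ in exactly the details that bite in practice: optional version pinning, SecureString handling, and when a missing parameter fails. The following added Python example (not code from the original post) models both offline against a constructed stand-in for Parameter Store, so the behaviour can be seen without an AWS account. PARAMETER_STORE, its names, values and the sample template parameters are all made up for illustration.

```python
"""Offline model of how CloudFormation resolves SSM parameters.

Added example, not from the original post. PARAMETER_STORE is a constructed
stand-in for Parameter Store (name -> type and version history); the names,
values and template parameters are made up for illustration.
"""
import re

# Constructed fake store. Versions are 1-based and grow on every edit, as
# in Parameter Store; the last entry is the current (latest) version.
PARAMETER_STORE = {
    "WebsiteBucket": {"Type": "String", "Versions": ["my-site-v1", "my-site-v2"]},
    "/prod/website/subnets": {"Type": "StringList", "Versions": ["subnet-aaa,subnet-bbb"]},
    "/prod/website/db-password": {"Type": "SecureString", "Versions": ["s3cr3t"]},
}

# {{resolve:ssm:name}}, {{resolve:ssm:name:3}}, {{resolve:ssm-secure:name}}
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure):([^:}]+)(?::(\d+))?\}\}")


class ResolutionError(ValueError):
    """Raised where CloudFormation would fail the stack operation."""


def _lookup(name, version=None):
    """Return (type, value) for a parameter; latest version when none is given."""
    entry = PARAMETER_STORE.get(name)
    if entry is None:
        raise ResolutionError(f"parameter {name!r} does not exist")
    versions = entry["Versions"]
    if version is None:                        # no version pinned -> latest
        return entry["Type"], versions[-1]
    if not 1 <= version <= len(versions):
        raise ResolutionError(f"parameter {name!r} has no version {version}")
    return entry["Type"], versions[version - 1]


def resolve_dynamic_references(value: str) -> str:
    """Replace every {{resolve:ssm[-secure]:name[:version]}} inside a string.

    The version is optional; omitting it means "latest at the time of the
    stack operation". Plain ssm refuses SecureString parameters and
    ssm-secure requires one, mirroring CloudFormation's rules.
    """
    def _sub(match):
        service, name, version = match.groups()
        ptype, val = _lookup(name, int(version) if version else None)
        if service == "ssm" and ptype == "SecureString":
            raise ResolutionError(f"{name!r} is a SecureString; use ssm-secure")
        if service == "ssm-secure" and ptype != "SecureString":
            raise ResolutionError(f"{name!r} is not a SecureString; use ssm")
        return val
    return DYNAMIC_REF.sub(_sub, value)


def resolve_template_parameters(parameters: dict) -> dict:
    """Resolve a Parameters section whose types are AWS::SSM::Parameter::*.

    Each Default holds the *name* of the SSM parameter. Values are fetched
    (always latest, no pinning) before any resource is touched; an unknown
    name is a validation error and SecureString is not supported.
    """
    resolved = {}
    for logical_id, spec in parameters.items():
        ptype, name = spec["Type"], spec["Default"]
        if not ptype.startswith("AWS::SSM::Parameter::"):
            resolved[logical_id] = name         # ordinary parameter, passed through
            continue
        store_type, value = _lookup(name)       # missing name -> ResolutionError
        if ptype == "AWS::SSM::Parameter::Name":
            resolved[logical_id] = name         # existence checked, name passed on
            continue
        if store_type == "SecureString":
            raise ResolutionError(f"{name!r}: SecureString is not supported for {ptype}")
        if ptype.startswith("AWS::SSM::Parameter::Value<List<") or \
                ptype == "AWS::SSM::Parameter::Value<CommaDelimitedList>":
            resolved[logical_id] = value.split(",")
        elif ptype.startswith("AWS::SSM::Parameter::Value<"):
            resolved[logical_id] = value
        else:
            raise ResolutionError(f"unsupported parameter type {ptype!r}")
    return resolved
```

Run resolve_dynamic_references("{{resolve:ssm:WebsiteBucket}}") and ("{{resolve:ssm:WebsiteBucket:1}}") side by side to see the latest-versus-pinned difference, and pass the db-password name to a Value<String> template parameter to see why secrets have to go through ssm-secure.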
Conclusion:
Finally, let's sum up what we did in this post.
You learnt to use an SSM parameter in your CloudFormation template.
Additionally, you saw the permission required to access an SSM parameter. Finally, you also learnt which of the two discussed approaches is better and why.
If you find any issue while using an SSM parameter in your CloudFormation template, please leave a comment below. I would be happy to help.
I hope you liked reading my post. Don't forget to motivate me by:
- Adding a comment below on what you liked and what can be improved.
- Follow us on
- Subscribe to our newsletter to get notified each time we post new content
- Share this post with your friends
Suggested Read:
- Basics Of Cyber Security for Beginners
- Create DynamoDB table using CloudFormation
- Provision ACM certificate using CloudFormation
- Most common cyber attacks in 2020
- Create S3 bucket using CloudFormation
- This is why S3 bucket names are unique globally
- Create API Gateway Custom Domain using CloudFormation
- Things You Should Know about AWS SQS Dead Letter Queue
- Basics of Serverless Computing
- Hello and Welcome to CloudKatha(First Post)
6 thoughts on “Using SSM Parameter in CloudFormation: Here is the right way”
I actually use the '{{resolve:ssm-secure:parameter-name}}' – no version number (for regular parameters) all the time.
For regular parameters, you don't need the version number. But you do for secure strings.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
`version
An integer that specifies the version of the parameter to use. If you do not specify the exact version, CloudFormation uses the latest version of the parameter whenever you create or update the stack. For more information, see Working with parameter versions in the AWS Systems Manager User Guide
Optional.`
What comes back is not the resolved value but the parameter name, which is input as the 'Default' value for the template parameter.
Hi Scott, thanks for your comment. As a first step of debugging, can you please check whether the Lambda ARN is stored correctly? You can check the value in the SSM console.
Thanks, I have had some success using your approach with some parameters, such as retrieving VPC subnets or VPC API endpoints in API or Lambda resource configuration; however, in the same template I am having trouble resolving the value of a Lambda layer ARN I have stored in SSM as a String value, the same way as the other parameters that do resolve properly. Any ideas?
Hi, I would like to determine if an SSM parameter is set, e.g. vpcid.
If it is set, I would like to set up a VPC flow log; if not set, I won't do anything. Do you think it is possible to achieve this via CFN?
Hello Brian. Yes you can do that using Conditions. Have a look at them here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html