This was a nifty little trick I just learnt from my colleague James the other day that is definitely worth sharing more widely. While CloudFormation does not support SecureString AWS::SSM::Parameter resources, you can fudge it with this one weird trick; but first, the "why"!
I'm a big fan of The Twelve-Factor App, and in particular I think the approach it outlines for configuration management is especially important in the cloud, regardless of the type of application (e.g. server, container, or serverless) you're working with:
Store config in the environment
In AWS, one way to store your config so that it's easy to retrieve from your application is with Systems Manager Parameter Store. Parameter Store can store data in a hierarchical format and supports three parameter types: String, StringList, and SecureString.
Unfortunately, the support for Secure Strings is not great; you can't use it as a CloudFormation input parameter like you can Strings and String Lists, and you can't create Secure String resources via CloudFormation.
One Weird Trick
What you can do, however, is create a String parameter, override it with a SecureString, and have CloudFormation manage the lifecycle of the resource (i.e. delete it when the stack is deleted, etc.).
Here's an example for those following along at home...
The following template creates a String parameter that will be managed by CloudFormation:
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation managed SecureString Parameters
Parameters:
  ParameterValue:
    Type: String
Resources:
  Parameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /my/secure/string
      Type: String
      Value: !Ref ParameterValue
Update the Parameter
Once you've created the CloudFormation stack with your usual preferred method, update the parameter, overwriting it with your SecureString value:

aws ssm put-parameter \
  --overwrite \
  --name /my/secure/string \
  --type SecureString \
  --value 'SuperSecret'
Now you have a SecureString parameter that is managed by CloudFormation!
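Putting the two steps together, here is an added example script (not from the original post) that deploys the template, overwrites the parameter as a SecureString, and then verifies the stored type. The stack name, template file name and the "deploy" argument are assumptions; the parsing helpers operate on the JSON shape returned by `aws ssm get-parameter`, so the check can be exercised offline with a constructed response.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: the stack, the template
# file path and the "deploy" argument are all placeholders you can override.
STACK_NAME="${STACK_NAME:-secure-string-demo}"
PARAM_NAME="${PARAM_NAME:-/my/secure/string}"
TEMPLATE_FILE="${TEMPLATE_FILE:-parameter.yaml}"

# Pull the "Type" field out of `aws ssm get-parameter` JSON output.
# Plain text processing, so it can be checked without calling AWS.
parameter_type() {
  printf '%s' "$1" | sed -n 's/.*"Type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeeds (exit 0) only if the JSON describes a SecureString parameter.
is_secure_string() {
  [ "$(parameter_type "$1")" = "SecureString" ]
}

deploy_and_override() {
  # Read the secret from stdin so it never appears on the command line, in shell
  # history, or in `ps` output.
  secret=$(cat)

  # Step 1: create (or update) the stack. The template's Value is only a placeholder,
  # because the real value is written in step 2. Template is assumed to be the one
  # from the post, saved as $TEMPLATE_FILE.
  aws cloudformation deploy \
    --stack-name "$STACK_NAME" \
    --template-file "$TEMPLATE_FILE" \
    --parameter-overrides "ParameterValue=placeholder"

  # Step 2: overwrite the CloudFormation-created String with a SecureString.
  aws ssm put-parameter \
    --overwrite \
    --name "$PARAM_NAME" \
    --type SecureString \
    --value "$secret"

  # Step 3: verify. Without --with-decryption the call returns metadata (including
  # Type) and the still-encrypted value, which is all the check needs.
  json=$(aws ssm get-parameter --name "$PARAM_NAME" --output json)
  if is_secure_string "$json"; then
    echo "$PARAM_NAME is a SecureString managed by stack $STACK_NAME"
  else
    echo "ERROR: $PARAM_NAME has type '$(parameter_type "$json")', not SecureString" >&2
    return 1
  fi
}

# Only talk to AWS when explicitly asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "deploy" ]; then
  deploy_and_override
fi
```

Run it as `printf '%s' "$SECRET" | sh secure_param.sh deploy`. The verification step is worth keeping around: because the template still declares Type: String, a later stack update that changes the resource's Value will write it back as a plain String, so re-run the overwrite and the check after any such update.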
The only property on an AWS::SSM::Parameter resource that requires replacement is Name, which means that stack updates won't reset or change the parameter; changing the name only creates a new parameter. Deleting the stack will delete the parameter resource as normal.