Reference SSM Parameters in a CDK Stack

AWS Systems Manager (SSM) Parameter Store provides a secure way to store and retrieve configuration parameters and secrets for your applications. It can store plaintext parameters or KMS-encrypted secure strings.

Before we move on to importing SSM parameters in a CDK stack, let's create a few parameters using the AWS CLI (you can also use the AWS console):

aws ssm put-parameter \
    --name "email" \
    --value "thabo@test.com" \
    --type "String"
Create a String parameter
aws ssm put-parameter \
    --name "db-password" \
    --value "verysecure123" \
    --type "SecureString"
Create a Secure String parameter
aws ssm put-parameter \
    --name "environments" \
    --value "dev, test, prod" \
    --type StringList
Create a String List parameter

If we take a look at the SSM Parameter Store console, we can see that the 3 parameters were created successfully.

Get Values of Existing SSM Parameters in AWS CDK

Let's create and deploy a sample CDK project, then reference the SSM parameters we have created.

mkdir reference-ssm-params-in-cdk
cd reference-ssm-params-in-cdk
cdk init --language typescript
Initialize the project with the CDK

The command will generate many files and install the necessary dependencies. At the root level of the CDK project, you should find the lib folder with a file called reference-ssm-params-in-cdk-stack.ts. Let's update the file as follows:

import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ssm from 'aws-cdk-lib/aws-ssm';

export class ReferenceSsmParamsInCdkStack extends Stack {
    constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        const importedEmail = ssm.StringParameter.fromStringParameterAttributes(
            this, 'imported-Email', {
            parameterName: 'email',
            version: 1
        });

        const importedPassword = ssm.StringParameter.fromSecureStringParameterAttributes(
            this, 'imported-Password', {
            parameterName: 'db-password',
            version: 1
        });

        const importedEnvs = ssm.StringParameter.fromStringParameterAttributes(
            this, 'imported-Envs', {
            parameterName: 'environments',
            version: 1
        });

        new CfnOutput(this, 'imported-Email-Value', {
            value: importedEmail.stringValue,
        });

        new CfnOutput(this, 'imported-Password-Param', {
            value: importedPassword.parameterName,
        });

        new CfnOutput(this, 'imported-Envs-Value', {
            value: importedEnvs.stringValue,
        });

    }
}
Import SSM Parameters into CDK Stack

Let's go over what we did in the code above:

  1. Imported the non-secure parameters using the fromStringParameterAttributes static method.
  2. Imported the secure string using the fromSecureStringParameterAttributes static method.
  3. Added some outputs, which we'll redirect to a file at deployment time.

The AWS CDK supports retrieving both plain and secure values. You may request a specific version of either kind of value. For plain values only, you may omit the version from your request to receive the latest version. You must always specify the version when requesting the value of a secure attribute.

Deploy the stack to get the outputs

Let's run the deploy command and redirect the specified Outputs to a file on the local file system:

cdk deploy \
  --outputs-file ./cdk-outputs.json
Write SSM parameters to a file

After a successful deployment, the contents of our cdk-outputs.json file look like this:

{
  "ReferenceSsmParamsInCdkStack": {
    "importedPasswordParam": "db-password",
    "importedEmailValue": "thabo@test.com",
    "importedEnvsValue": "dev, test, prod"
  }
}
The password is not decrypted; the output holds only the parameter name

Note: At synthesis time only plain Systems Manager strings may be retrieved, not secure strings. It is not possible to request a specific version; the latest version is always returned.
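
As an added example (not code from the original post or from the CDK project), here is a small pre-deploy check over a synthesized template, assuming the versioned imports above appear there as CloudFormation dynamic references of the form {{resolve:ssm:name:version}} and {{resolve:ssm-secure:name:version}}. The auditTemplate function, the sample template, its Db resource and its LeakedPassword output are constructed for illustration.

```typescript
// Added example (not from the original post): audit a synthesized template
// for CloudFormation SSM dynamic references before deploying.
type Finding = { path: string; name: string; secure: boolean; version: number | null; issue: string | null };

// Dynamic reference syntax: {{resolve:ssm:<name>[:<version>]}} or {{resolve:ssm-secure:...}}
const SSM_REF = /\{\{resolve:(ssm|ssm-secure):([^:}]+)(?::(\d+))?\}\}/g;

function auditTemplate(template: unknown): Finding[] {
  const findings: Finding[] = [];
  const walk = (node: unknown, path: string): void => {
    if (typeof node === 'string') {
      node.replace(SSM_REF, (_m: string, service: string, name: string, ver?: string) => {
        const secure = service === 'ssm-secure';
        const version = ver ? Number(ver) : null;
        let issue: string | null = null;
        if (secure && /^Outputs\./.test(path)) issue = 'secure value referenced in a stack output';
        else if (secure && version === null) issue = 'secure reference without a pinned version';
        findings.push({ path, name, secure, version, issue });
        return '';
      });
    } else if (typeof node === 'object' && node !== null) {
      // Arrays and objects are walked the same way; array indexes become path segments.
      const obj = node as Record<string, unknown>;
      Object.keys(obj).forEach((k) => walk(obj[k], path ? `${path}.${k}` : k));
    }
  };
  walk(template, '');
  return findings;
}

// Constructed sample: three outputs mirror the stack above; the Db resource and the
// LeakedPassword output are hypothetical additions for the check to catch.
const sampleTemplate = {
  Resources: {
    Db: { Type: 'AWS::RDS::DBInstance', Properties: { MasterUserPassword: '{{resolve:ssm-secure:db-password}}' } },
  },
  Outputs: {
    importedEmailValue: { Value: '{{resolve:ssm:email:1}}' },
    importedPasswordParam: { Value: 'db-password' },
    importedEnvsValue: { Value: '{{resolve:ssm:environments:1}}' },
    LeakedPassword: { Value: '{{resolve:ssm-secure:db-password:1}}' },
  },
};

const report = auditTemplate(sampleTemplate);
console.log(report.filter((f) => f.issue !== null));
```

The unpinned-version finding follows the rule stated above that a secure value must always be requested with a version; the importedPasswordParam output produces no finding because it carries only the parameter name.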

This just scratches the surface of working with SSM parameters in CDK. If you run into issues, please check the reference-ssm-params-in-cdk repo on GitHub.

Summary

To delete the stack and the SSM parameters we created earlier, issue the following commands:

cdk destroy

aws ssm delete-parameter \
    --name "email"

aws ssm delete-parameter \
    --name "db-password"

aws ssm delete-parameter \
    --name "environments"
Run the above in the project directory