Using SSM Parameters in AWS CDK - Complete Guide


Borislav Hadzhiev

Fri Apr 15 2022 · 3 min read

Updated - Fri Apr 15 2022

Table of Contents #

  1. Creating SSM Parameters in AWS CDK
  2. Get Values of Existing SSM Parameters in AWS CDK

Creating SSM Parameters in AWS CDK #

SSM parameter store is used to store and retrieve configuration parameters and secrets.

In order to create an SSM parameter in CDK, we have to instantiate the StringParameter or StringListParameter classes.

The code for this article is available on GitHub

Let's look at an example of creating string and string list parameters in CDK:

lib/cdk-starter-stack.ts
```typescript
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Plain (non-secure) string parameter
    const emailParam = new ssm.StringParameter(this, 'alerts-email-param', {
      parameterName: '/my-site/alerts-email-dev',
      stringValue: 'dev-email@example.com',
      description: 'the email used for alerting for dev',
      type: ssm.ParameterType.STRING,
      tier: ssm.ParameterTier.STANDARD,
      allowedPattern: '.*',
    });

    // String list parameter in the ADVANCED tier
    const environmentsParam = new ssm.StringListParameter(
      this,
      'environments-param',
      {
        parameterName: '/my-site/environments',
        stringListValue: ['dev', 'test', 'prod'],
        tier: ssm.ParameterTier.ADVANCED,
      },
    );
  }
}
```

Let's go over what we did in the code snippet.

  1. We created a string parameter, passing it the following configuration properties:

| Name | Description |
| --- | --- |
| parameterName | the name of the SSM parameter. SSM supports hierarchies for parameter names, e.g. /my-site/dev/db-password |
| stringValue | the value of the SSM parameter |
| description | a short description of the parameter |
| type | the type of the SSM parameter, by default set to STRING |
| tier | the tier of the SSM parameter, i.e. STANDARD, ADVANCED or INTELLIGENT_TIERING. In short, ADVANCED parameters let us store values of up to 8KB, compared to 4KB with STANDARD parameters |
| allowedPattern | a regular expression that validates the provided parameter value |

  2. We created a string list parameter with the ADVANCED tier.

We can't create Secure String parameters in CDK because they wouldn't really be secure if we hardcode the value. We can only create string parameters and string-list parameters directly.

If we need to manage a secret value, like a database password, we need to use the Secrets Manager service.

Let's run the deploy command and provision the SSM parameters:

```shell
npx aws-cdk deploy
```

If we take a look at the SSM Parameter store console, we can see that the parameters were created successfully:

[Screenshot: SSM parameters created]

Before we move on to importing SSM parameters in a CDK stack, let's create a secure string parameter using the CLI, so we can import it in the next section:

```shell
aws ssm put-parameter \
  --name "/my-site/db-password" \
  --value "dogsandcats123" \
  --type "SecureString"
```

Now I have the following 3 parameters created in my account:

[Screenshot: the 3 SSM parameters]

Get Values of Existing SSM Parameters in AWS CDK #

In order to get the value of non-secure SSM parameters in CDK, we have to use the fromStringParameterAttributes static method on the StringParameter class.

To get the value of secure SSM parameters in CDK, we have to use the fromSecureStringParameterAttributes static method on the StringParameter class.

lib/cdk-starter-stack.ts
```typescript
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

    // Import an existing secure string parameter; the version is required
    const importedParam =
      ssm.StringParameter.fromSecureStringParameterAttributes(
        this,
        'imported-param-3',
        {parameterName: '/my-app/dev/db-password', version: 1},
      );

    // Output only the parameter name, never the secret value
    new cdk.CfnOutput(this, 'imported-param-3-value', {
      value: importedParam.parameterName,
    });
  }
}
```

We imported our secure string using the fromSecureStringParameterAttributes static method. This time we didn't have to pass the simpleName prop because we've hardcoded the name and CDK can tell that the parameter name includes / characters.

Note that when importing secure string parameters, we have to include the version number.

Note that we can't set secure strings as Outputs or Lambda environment variables.
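The two restrictions above (no hardcoded secrets in CDK-created parameters, no secure strings in Outputs or Lambda environment variables) can be checked against the synthesized CloudFormation template before deploying. This is an added example, not code from the article or its repository; `lintTemplate`, the secret-name regex and the sample template are assumptions constructed for illustration.

```typescript
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnOutput = { Value: unknown };
type CfnTemplate = { Resources?: Record<string, CfnResource>; Outputs?: Record<string, CfnOutput> };
// Assumed heuristic for "this name holds a secret"; tune it to your naming scheme.
const SECRET_NAME = /(password|passwd|secret|token|api[-_]?key)/i;
// CloudFormation dynamic reference to a SecureString parameter.
const SECURE_REF = /\{\{resolve:ssm-secure:[^}]+\}\}/;

function lintTemplate(t: CfnTemplate): string[] {
  const findings: string[] = [];
  const resources: Record<string, CfnResource> = t.Resources ?? {};
  const outputs: Record<string, CfnOutput> = t.Outputs ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    const props: Record<string, unknown> = res.Properties ?? {};
    // AWS::SSM::Parameter values sit in the template as plaintext String/StringList.
    if (res.Type === 'AWS::SSM::Parameter' && SECRET_NAME.test(String(props['Name'] ?? id))) {
      findings.push(`${id}: secret-like parameter ${String(props['Name'])} holds a plaintext value`);
    }
    // The article notes secure strings can't be Lambda environment variables.
    if (res.Type === 'AWS::Lambda::Function' && SECURE_REF.test(JSON.stringify(props['Environment'] ?? {}))) {
      findings.push(`${id}: ssm-secure reference in Lambda environment`);
    }
  }
  for (const id of Object.keys(outputs)) {
    // The same restriction applies to stack Outputs.
    if (SECURE_REF.test(JSON.stringify(outputs[id].Value ?? ''))) {
      findings.push(`${id}: ssm-secure reference in Outputs`);
    }
  }
  return findings;
}

// Constructed sample template, not the synthesized output of the article's stack.
const REF = '{{resolve:ssm-secure:/my-app/dev/db-password:1}}';
const sampleTemplate: CfnTemplate = {
  Resources: {
    AlertsEmail: { Type: 'AWS::SSM::Parameter', Properties: { Name: '/my-site/alerts-email-dev', Type: 'String' } },
    DbPassword: { Type: 'AWS::SSM::Parameter', Properties: { Name: '/my-site/db-password', Type: 'String' } },
    Fn: { Type: 'AWS::Lambda::Function', Properties: { Environment: { Variables: { DB_PASSWORD: REF } } } },
  },
  Outputs: {
    importedparam3value: { Value: '/my-app/dev/db-password' },
    leaked: { Value: REF },
  },
};

const findings = lintTemplate(sampleTemplate);
console.log(findings.join('\n'));
```

Outputting only the parameter name, as the article's stack does, passes the check; the constructed `DbPassword`, `Fn` and `leaked` entries are the ones flagged.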

Let's run the deploy command and redirect the specified Outputs to a file on the local file system:

```shell
npx aws-cdk deploy \
  --outputs-file ./cdk-outputs.json
```

After a successful deployment, the contents of our cdk-outputs.json file look like:

cdk-outputs.json
```json
{
  "cdk-stack": {
    "importedparam3value": "/my-app/dev/db-password"
  }
}
```

Clean up #

To delete the stack and the secure SSM parameter we created earlier, issue the following commands:

```shell
npx aws-cdk destroy

aws ssm delete-parameter \
  --name "/my-site/db-password"
```
