Using SSM Parameters in AWS CDK - Complete Guide

Borislav Hadzhiev

Mon May 10 2021 · 4 min read

Table of Contents

  1. Creating SSM Parameters in AWS CDK
  2. Get Values of Existing SSM Parameters in AWS CDK

Creating SSM Parameters in AWS CDK

SSM parameter store is used to store and retrieve configuration parameters and secrets.

In order to create an SSM parameter in CDK, we have to instantiate the StringParameter or StringListParameter classes.

The code for this article is available on GitHub

Let's look at an example of creating a string parameter and a string list parameter in CDK:

lib/cdk-starter-stack.ts
import * as ssm from '@aws-cdk/aws-ssm';
import * as cdk from '@aws-cdk/core';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // plain (non-secure) string parameter
    const emailParam = new ssm.StringParameter(this, 'alerts-email-param', {
      parameterName: '/my-site/alerts-email-dev',
      stringValue: 'dev-email@example.com',
      description: 'the email used for alerting for dev',
      type: ssm.ParameterType.STRING,
      tier: ssm.ParameterTier.STANDARD,
      allowedPattern: '.*',
    });

    // string list parameter in the ADVANCED tier
    const environmentsParam = new ssm.StringListParameter(
      this,
      'environments-param',
      {
        parameterName: '/my-site/environments',
        stringListValue: ['dev', 'test', 'prod'],
        tier: ssm.ParameterTier.ADVANCED,
      },
    );
  }
}

Let's go over what we did in the code snippet.

  1. we created a string parameter, passing in the following configuration properties:

     Name           | Description
     ---------------|------------
     parameterName  | the name of the SSM parameter. SSM supports hierarchies for parameter names, i.e. /my-site/dev/db-password
     stringValue    | the value of the SSM parameter
     description    | a short description of the parameter
     type           | the type of the SSM parameter, by default set to STRING
     tier           | the tier of the SSM parameter, i.e. STANDARD, ADVANCED or INTELLIGENT_TIERING. In short, ADVANCED parameters let us store values of up to 8KB, compared to 4KB with STANDARD parameters
     allowedPattern | a regular expression that validates the provided parameter value

  2. we created a string list parameter in the ADVANCED tier

We can't create Secure String parameters in CDK, because they wouldn't really be secure if we hard code the value. We can only create string parameters and string-list parameters directly.
If we need to manage a secret value, like a database password, we need to use the Secrets Manager service.
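
An added example (not from the article's repository): a pre-deployment check that scans a synthesized CloudFormation template for AWS::SSM::Parameter resources whose literal value looks like a hard-coded secret. The name heuristic, the logical IDs and the sample template are assumptions constructed for illustration.

```typescript
interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources: Record<string, CfnResource> }
interface Finding { logicalId: string; parameterName: string }

// Assumed heuristic: words that suggest a credential rather than configuration.
const SECRET_HINT = /(passw(or)?d|secret|token|api[-_]?key|private[-_]?key|credential)/i;

// Return every AWS::SSM::Parameter whose literal Value is likely a secret.
function findPlaintextSecrets(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== 'AWS::SSM::Parameter') continue;
    const props = resource.Properties ?? {};
    const value = props['Value'];
    // Only literal strings end up verbatim in the template; Ref/Fn::* objects do not.
    if (typeof value !== 'string') continue;
    const rawName = props['Name'];
    const rawDescription = props['Description'];
    const name = typeof rawName === 'string' ? rawName : logicalId;
    const description = typeof rawDescription === 'string' ? rawDescription : '';
    if (SECRET_HINT.test(name) || SECRET_HINT.test(description)) {
      findings.push({ logicalId, parameterName: name });
    }
  }
  return findings;
}

// Constructed sample: the article's two parameters plus a hypothetical
// hard-coded password parameter (logical IDs and the value are made up).
const sampleTemplate: CfnTemplate = {
  Resources: {
    AlertsEmailParam: {
      Type: 'AWS::SSM::Parameter',
      Properties: { Name: '/my-site/alerts-email-dev', Type: 'String', Value: 'dev-email@example.com' },
    },
    EnvironmentsParam: {
      Type: 'AWS::SSM::Parameter',
      Properties: { Name: '/my-site/environments', Type: 'StringList', Value: 'dev,test,prod' },
    },
    DbPasswordParam: {
      Type: 'AWS::SSM::Parameter',
      Properties: { Name: '/my-site/dev/db-password', Type: 'String', Value: 'constructed-placeholder' },
    },
  },
};

console.log(findPlaintextSecrets(sampleTemplate));
```
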

Let's execute a deployment and provision the SSM parameters:

shell
npx cdk deploy

If we take a look at the SSM Parameter store console, we can see that the parameters were created successfully:

[Image: ssm parameters created]

Before we move on to importing SSM parameters in a CDK stack, let's create a secure string parameter using the CLI, so we can import it in the next section:

shell
aws ssm put-parameter \
  --name "/my-site/db-password" \
  --value "dogsandcats123" \
  --type "SecureString"

Now I have the following 3 parameters created in my account:

[Image: ssm parameters created 2]

Get Values of Existing SSM Parameters in AWS CDK

In order to get the value of non-secure SSM parameters in CDK, we have to use the fromStringParameterAttributes static method on the StringParameter class.

To get the value of secure SSM parameters in CDK, we have to use the fromSecureStringParameterAttributes static method on the StringParameter class.

Let's look at an example of using both:

lib/cdk-starter-stack.ts
import * as ssm from '@aws-cdk/aws-ssm';
import * as cdk from '@aws-cdk/core';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

    // 👇 import string parameter
    const importedParam1 = ssm.StringParameter.fromStringParameterAttributes(
      this,
      'imported-param-1',
      {
        parameterName: emailParam.parameterName,
        simpleName: false,
      },
    );

    // 👇 import string LIST parameter
    const importedParam2 = ssm.StringParameter.fromStringParameterAttributes(
      this,
      'imported-param-2',
      {
        parameterName: environmentsParam.parameterName,
        simpleName: false,
      },
    );

    // 👇 import SECURE string parameter
    const importedParam3 = ssm.StringParameter.fromSecureStringParameterAttributes(
      this,
      'imported-param-3',
      {parameterName: '/my-app/dev/db-password', version: 1},
    );

    new cdk.CfnOutput(this, 'imported-param-1-value', {
      value: importedParam1.stringValue,
    });

    new cdk.CfnOutput(this, 'imported-param-2-value', {
      value: importedParam2.stringValue,
    });

    new cdk.CfnOutput(this, 'imported-param-3-value', {
      value: importedParam3.parameterName,
    });
  }
}

Let's go over what we did in the code snippet.

  1. we imported our non-secure parameters using the static fromStringParameterAttributes method. The simpleName prop indicates whether our parameter name includes / characters (hierarchies).

    We only have to specify the simpleName prop when the parameter name is a token (encoded value that is not resolved at synthesis time).

  2. we imported our secure string using the fromSecureStringParameterAttributes static method. This time we didn't have to pass the simpleName prop, because we've hard-coded the name and CDK can tell that the parameter name includes / characters.

    Note that when importing secure string parameters, we have to include the version number.

  3. we added some outputs, that we'll redirect to a file at deployment time

Note that we can't set secure strings as Outputs or lambda environment variables.
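
As an added example (not the article's code), this check walks a synthesized template and reports `{{resolve:ssm-secure:...}}` dynamic references that sit in Outputs or in Lambda environment variables, the two places named above. The sample template, logical IDs and function names are constructed for illustration.

```typescript
type JsonObject = { [key: string]: Json };
type Json = string | number | boolean | null | Json[] | JsonObject;
interface Hit { path: string; reference: string }

// CloudFormation dynamic reference to a SecureString parameter.
const SECURE_REF = /\{\{resolve:ssm-secure:[^}]+\}\}/;

const isObject = (v: Json | undefined): v is JsonObject =>
  typeof v === 'object' && v !== null && !Array.isArray(v);

// Walk any JSON value and record where a secure reference appears.
function collectSecureRefs(node: Json | undefined, path: string, hits: Hit[]): void {
  if (typeof node === 'string') {
    const found = SECURE_REF.exec(node)?.[0];
    if (found) hits.push({ path, reference: found });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => collectSecureRefs(item, `${path}[${i}]`, hits));
  } else if (isObject(node)) {
    for (const [key, value] of Object.entries(node)) {
      collectSecureRefs(value, `${path}.${key}`, hits);
    }
  }
}

// Report references in Outputs and in Lambda environment variables only.
function findMisplacedSecureRefs(template: JsonObject): Hit[] {
  const hits: Hit[] = [];
  collectSecureRefs(template['Outputs'], 'Outputs', hits);
  const resources = template['Resources'];
  if (!isObject(resources)) return hits;
  for (const [id, res] of Object.entries(resources)) {
    if (!isObject(res) || res['Type'] !== 'AWS::Lambda::Function') continue;
    const props = res['Properties'];
    if (isObject(props)) {
      collectSecureRefs(props['Environment'], `Resources.${id}.Properties.Environment`, hits);
    }
  }
  return hits;
}

// Constructed sample template (logical IDs are made up).
const secureRef = '{{resolve:ssm-secure:/my-app/dev/db-password:1}}';
const sampleWithRefs: JsonObject = {
  Outputs: { ParamName: { Value: '/my-app/dev/db-password' }, ParamValue: { Value: secureRef } },
  Resources: {
    Fn: { Type: 'AWS::Lambda::Function', Properties: { Environment: { Variables: { DB_PASSWORD: secureRef } } } },
    Db: { Type: 'AWS::RDS::DBInstance', Properties: { MasterUserPassword: secureRef } },
  },
};
console.log(findMisplacedSecureRefs(sampleWithRefs).map((h) => h.path));
```
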

Let's execute a deployment and redirect the specified Outputs to a file on the local file system:

shell
npx cdk deploy \
  --outputs-file ./cdk-outputs.json

After a successful deployment the contents of our cdk-outputs.json file look like:

cdk-outputs.json
{
  "cdk-stack": {
    "importedparam1value": "dev-email@example.com",
    "importedparam3value": "/my-app/dev/db-password",
    "importedparam2value": "dev,test,prod"
  }
}

Clean up

To delete the stack and the secure SSM parameter we created earlier, execute the following commands:

shell
npx cdk destroy

aws ssm delete-parameter \
  --name "/my-site/db-password"
