Ross Coundon
12/24/2021, 7:34 AM
const kmsKey = Key.fromKeyArn(this, 'kmsKey', process.env.KMS_KEY_ARN);
const someParam = ssm.StringParameter.fromSecureStringParameterAttributes(this, 'theParam', {
  parameterName: process.env.THE_PARAM_PATH,
  encryptionKey: kmsKey,
  // the version is mandatory for a secure string parameter reference
  version: parseInt(process.env.THE_PARAM_VERSION, 10),
});
// define some functions
// the function needs decrypt on the key as well as read on the parameter
kmsKey.grantDecrypt(theFunction);
someParam.grantRead(theFunction);
(In actual fact, rather than storing the version in a separate env var, we store it like /some/path/to/param:2 and split it around the colon.)
However, the problem with this is that the developer needs to update the env vars each time the parameter is changed to reflect the new parameter version, which is a manual step that can (and does) get forgotten. The version is mandatory and you can't specify a wildcard.
Is there a slicker way of doing this?
Frank
Ross Coundon
12/24/2021, 8:07 AM
Frank
sst build, inspect the CFN template in .build/cdk.out, look for something like {{resolve:ssm-secure:ParamName:Version}}
Frank
{{resolve:ssm-secure:ParamName:}}
Ross Coundon
12/24/2021, 8:10 AM
Frank
{{resolve:ssm-secure:…}}, I can share more detail. But the general concept is if u get a hold of the construct, u can do this:
const cfnResource = constructX.node.defaultChild as core.CfnResource;
cfnResource.addOverride("Properties.xxxx.xxxx", "{{resolve:ssm-secure:ParamName:}}")
Ross Coundon
12/24/2021, 8:14 AM
Frank
sst build run first and see if it is using {{resolve:ssm-secure:…}}
Frank
resolve:ssm-secure
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm-secure-strings
Ross Coundon
12/24/2021, 8:16 AM
Ross Coundon
12/27/2021, 8:39 PM