cultureamp / cfparams

Wrangle parameters for AWS CloudFormation
MIT License

Support !ParameterStore /foo/bar in parameters YAML files #9

Closed pda closed 6 years ago

pda commented 6 years ago

Add support for YAML parameter files looking up values from AWS SSM Parameter Store.

DatabaseHost: db.example.org
DatabaseUser: app
DatabasePassword: !ParameterStore /example/db/password

cfparams will fetch the parameter named /example/db/password and use the resulting value for DatabasePassword. AWS credentials, region, etc. are sourced from the environment / instance role / etc. in the standard AWS SDK ways.

This PR includes a high-churn refactor; viewing just the ParameterStore-specific commit will show the implementation more clearly.

The YAML syntax DatabasePassword: !ParameterStore /example/db/password makes use of a YAML feature called tags (specifically, "local tags"), where !ParameterStore is the tag telling the parser the value is a custom type. None of the popular Go YAML parsers support tags, but https://github.com/sanathkr/go-yaml/commit/ed9d249f429b3f5a69f80a7abef6bfce81fef894 forks the de facto standard https://github.com/go-yaml/yaml and adds support. Apparently custom tags will be supported in v3 of github.com/go-yaml/yaml, at which point cfparams can switch back.

Note that if a CloudFormation parameter is a secret, it should be declared as NoEcho: true in the template. cfparams could perhaps be adapted to warn when a Parameter Store SecureString is passed to a parameter that isn't NoEcho. I'll save that for another PR.
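
A sketch of the NoEcho warning mentioned above, added here as an illustration; it is not code from cfparams or from this PR. The names ssmRefs and UnprotectedSecrets are hypothetical, the template is assumed to be JSON, the parameters file is assumed to be the flat mapping shown in the description, and the ssmTypes map is a constructed stand-in for the parameter type SSM would report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample inputs (not taken from the cfparams repository).
const sampleParams = `DatabaseHost: db.example.org
DatabaseUser: app
DatabasePassword: !ParameterStore /example/db/password`

const sampleTemplate = `{"Parameters": {"DatabaseUser": {"Type": "String"}, "DatabasePassword": {"Type": "String"}}}`

// ssmRefs scans a flat "Key: !ParameterStore /path" mapping and returns key -> SSM path.
func ssmRefs(paramsYAML string) map[string]string {
	refs := map[string]string{}
	for _, line := range strings.Split(paramsYAML, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if f := strings.Fields(val); ok && len(f) == 2 && f[0] == "!ParameterStore" {
			refs[strings.TrimSpace(key)] = f[1]
		}
	}
	return refs
}

// UnprotectedSecrets lists parameters fed from a SecureString but not declared NoEcho.
// ssmTypes maps SSM path -> type ("String", "StringList" or "SecureString").
func UnprotectedSecrets(templateJSON, paramsYAML string, ssmTypes map[string]string) ([]string, error) {
	// NoEcho may be written as the boolean true or the string "true".
	var tpl struct{ Parameters map[string]struct{ NoEcho interface{} } }
	if err := json.Unmarshal([]byte(templateJSON), &tpl); err != nil {
		return nil, err
	}
	var out []string
	for name, path := range ssmRefs(paramsYAML) {
		noEcho := fmt.Sprint(tpl.Parameters[name].NoEcho)
		if ssmTypes[path] == "SecureString" && !strings.EqualFold(noEcho, "true") {
			out = append(out, name) // secret value would be visible in stack parameters
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	types := map[string]string{"/example/db/password": "SecureString"} // constructed
	fmt.Println(UnprotectedSecrets(sampleTemplate, sampleParams, types))
}
```
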