cfparams will fetch the parameter named /example/db/password, and use the resulting value for DatabasePassword. AWS credentials, region, etc. are sourced from the environment / instance role / etc. in the standard AWS SDK ways.
This PR includes a high-churn refactor; viewing just the ParameterStore-specific commit will show the implementation more clearly.
The YAML syntax DatabasePassword: !ParameterStore /example/db/password makes use of a YAML feature called tags (specifically, "local tags"), where !ParameterStore is the tag telling the parser the value is a custom type. None of the popular Go YAML parsers support tags, but https://github.com/sanathkr/go-yaml/commit/ed9d249f429b3f5a69f80a7abef6bfce81fef894 forks the de facto standard https://github.com/go-yaml/yaml and adds support. Apparently custom tags will be supported in v3 of github.com/go-yaml/yaml, at which point cfparams can switch back.
Note that if a CloudFormation parameter is a secret, it should be declared as NoEcho: true in the template. cfparams could perhaps be adapted to warn when a Parameter Store SecureString is passed to a parameter that isn't NoEcho. I'll save that for another PR.
Add support for YAML parameter files looking up values from AWS SSM Parameter Store.
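The NoEcho warning floated in the description could look like the sketch below. This is an added example, not code from cfparams or this PR; it assumes a JSON-format template, and `secureStringWarnings`, `sampleTemplate` and `sampleTypes` are hypothetical names with constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample template; only Parameters and NoEcho matter to the check.
const sampleTemplate = `{"Parameters": {
  "DatabasePassword": {"Type": "String"},
  "ApiToken":         {"Type": "String", "NoEcho": "true"},
  "AdminPassword":    {"Type": "String", "NoEcho": false},
  "Environment":      {"Type": "String"}
}}`

// Constructed: parameter name -> SSM type of the value fetched for it (hypothetical bookkeeping).
var sampleTypes = map[string]string{"DatabasePassword": "SecureString",
	"ApiToken": "SecureString", "AdminPassword": "SecureString", "Environment": "String"}

// secureStringWarnings lists parameters that receive a SecureString value but
// are not declared NoEcho, so CloudFormation would not mask the value.
func secureStringWarnings(templateJSON []byte, ssmTypes map[string]string) ([]string, error) {
	var t struct {
		Parameters map[string]struct{ NoEcho json.RawMessage }
	}
	if err := json.Unmarshal(templateJSON, &t); err != nil {
		return nil, fmt.Errorf("parsing template: %w", err)
	}
	var warnings []string
	for name, ssmType := range ssmTypes {
		// NoEcho appears in templates as boolean true or the string "true".
		raw := strings.Trim(string(t.Parameters[name].NoEcho), `"`)
		if ssmType == "SecureString" && !strings.EqualFold(raw, "true") {
			warnings = append(warnings, name+": SecureString passed to a parameter that is not NoEcho")
		}
	}
	sort.Strings(warnings) // map iteration order is random; keep output stable
	return warnings, nil
}

func main() {
	warnings, err := secureStringWarnings([]byte(sampleTemplate), sampleTypes)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(warnings, "\n"))
}
```

A parameter missing from the template is reported as well, since it has no NoEcho declaration to rely on.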