This repository shows how modules are configured for deployment.
The basic parameter types for CloudFormation templates are String
, Number
, CommaDelimitedList
, and List<Number>
. In addition, CloudFormation has a dozen AWS-specific parameter types. For example, the type AWS::EC2::VPC::Id
must correspond to an existing VPC.
Finally, there a few SSM parameter types that interact with the Parameter Store. However, these parameter types are not recommended. Instead, either use a parameter file, which can resolve values from the Parameter Store and other locations, or use dynamic references (e.g. {{resolve:ssm:S3AccessControl:2}}
) instead as the parameter value.
The Parameter
declaration is used to define module parameters.
- Parameter: TopicDisplayName
Description: Display Name
Section: Sample Parameters Settings
Label: Display name of SNS topic
Type: String
Scope: stack
The Section
property is used to group parameters together into section of the same name. The Label
property is an additional hint that is shown for the expected value. The Description
property is shown when the value is scoped to either public
or stack
.
cd BasicParameterType
lash deploy
The Resource-as-Parameter declaration makes it possible to either pass in an existing resource via ARN, or, when no value is provided, the resource is instantiated instead.
Resource-as-Parameter types requires an AWS type name as Type
value and a Properties
section. If no properties are required for the AWS resource, use Properties: { }
to have an empty properties specification.
- Parameter: MyTopic
Type: AWS::SNS::Topic
Properties:
DisplayName: MyTopicDisplayName
NOTES:
- The LambdaSharp compiler automatically converts
!Ref MyTopic
to a conditional expression that either selects the input parameter value or the ARN (when available) of the AWS resource using!GetAtt
. If the AWS resources does not have an ARN attribute, the default return value of the resource is used instead. - It is not possible to use a Resource-as-Parameter in the
!GetAtt
function.
Sensitive information should be passed in using the Secret
parameter type. These parameter values automatically have the NoEcho
property enabled to not show their value in the UI, CLI, or API. Secret parameter values must be encoded using a KMS key. Furthermore, the CloudFormation stack must be granted kms:Decrypt
permission to the KMS key. This is achieved by specifying the KMS key in the module using the Secrets
declaration or by passing the KMS key in the Secrets
parameter. The latter is the preferred method.
Lambda functions automatically decrypt the secret values on startup once and then cache the result in memory. This ensure that the decrypted secret value is not visible in the Lambda configuration in the AWS Console.
For resources that need a password or access token, append the ::Plaintext
suffix to the parameter name to dynamically decrypt the secret value during the CloudFormation stack execution.
- Parameter: MySecretParameter
Type: Secret
- Variable:
Value: !Ref MySecretParameter::Plaintext
Parameter value can be specified in a YAML parameter file. Values can either be specified explicitly or they can be looked up from other sources like a JSON configuration file, the Parameter Store, or environment variables.
# set SNS topic name
TopicDisplayName: !GetConfig
- !Sub [ "env-${Target}.json", { Target: !GetEnv "TARGET_ENV" } ]
- TopicSettings.DisplayName
# grant access to required KMS keys
Secrets:
- alias/MySecretKey
The following parameter functions are available in the YAML file.
!GetConfig [ json-file-path, json-path-expression ]
- Opens the JSON file at
json-file-path
and read the value a thejson-path-expression
.
- Opens the JSON file at
!GetEnv environment-variable
- Read the value of an environment variable.
!GetParam parameter-store-path
-OR-!GetParam [ parameter-store-path ]
- Read a value from the parameter store. If the value is a
SecureString
, it will be decrypted.
- Read a value from the parameter store. If the value is a
!GetParam [ parameter-store-path, encryption-key-id ]
- Read a value from the parameter store. If the value is a
SecureString
, it will be decrypted. Re-encrypt the value using the KMS key identified byencryption-key-id
.
- Read a value from the parameter store. If the value is a
!Sub format-string
-OR-!Sub [ format-string, arguments ]
- Build a new parameter value from other values.
!Ref
can be used to resolve the following builtin-variableDeployment::BucketName
Deployment::Tier
Deployment::TierLowercase
Deployment::TierPrefix
Deployment::TierPrefixLowercase