6

So I've configured my lambda function's .yaml file like so:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Serverless Specification template describing your function.
Resources:
  NewUser:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: NewUser/index.handler
      Runtime: nodejs8.10
      Environment:
        Variables:
          database_encrypt: ${ssm:databaseEncrypt}
          database_password: ${ssm:databasePassword}
          database_server: '8.8.8.8'
          database_user: ${ssm:databaseUser}
          database_version: ${ssm:databaseVersion}
      Description: ''
      MemorySize: 128
      Timeout: 15
      Role: 'arn:aws:iam::663404525923:role/LambdaRole'
      Events:
        LambdaMicroservice:
          Type: Api
          Properties:
            Path: /User/NewUser
            Method: ANY

and my lambda function looks like this:

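// Assumed import: the post does not show where `sql` comes from; the config shape matches the mssql package.
const sql = require('mssql');

var config = {
  user: process.env.database_user,
  password: process.env.database_password,
  server: process.env.database_server,
  database: process.env.database_version,
  options: {encrypt: true}
};

class UserService {

    constructor(){
        // Debug output: this prints the whole config, including the password, to the function's logs.
        console.log(config);
        console.log("test test test");
        this.connectionPool = new sql.connect(config);
    }
}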

and I can access the hard-coded database_server value just fine, but the ${ssm: [myParam] } command is interpreted as a string instead of following the path and accessing the value stored in SSM Parameter Store.

Most of the examples I see have long, complicated paths to point to their SSM Params, but as I am just trying to show that it is possible to access the SSM Params at all in this manner, I'm trying to keep it as simple as possible. I am also assuming that the ${ssm: [] } command is just not escaping at all, because I would expect an undefined value to be returned if no SSM Param was found at the defined path.

Brandon Miller
  • Just a heads up, that's not a Serverless Framework template, it's an AWS SAM template... If you were reading the Serverless docs, then reading the SAM docs may help. – hephalump Oct 23 '19 at 22:56
  • so tbh I'm not sure what the difference between Serverless Framework and SAM is? We are supposed to be moving to serverless so maybe we are lowercase-s serverless and not Serverless™? – Brandon Miller Oct 23 '19 at 23:00
  • Does SAM prevent me from doing what I am trying to do entirely? – Brandon Miller Oct 23 '19 at 23:01
  • Both are open source frameworks for building serverless applications. SAM stands for "Serverless Application Model", which is Amazon specific, and you can read more about it here: https://aws.amazon.com/serverless/sam/. Serverless Framework is platform independent, and supports many different providers; you can read more about it at https://serverless.com – hephalump Oct 23 '19 at 23:26
  • So if ${ssm: [paramName] } is the Serverless™ way to do it, what is the command to access the SSM Parameters using SAM? – Brandon Miller Oct 23 '19 at 23:51
  • The correct syntax in Serverless is ${ssm:/path/to/param}. You can find examples for how to use SSM Parameters with SAM in the AWSLABS SAM Github Repo here: https://github.com/awslabs/serverless-application-model/tree/master/examples/apps – hephalump Oct 24 '19 at 00:32

1 Answer

3

SAM is a superset of CloudFormation, so the CloudFormation commands should work:

      Environment:
        Variables:
          database_encrypt: '{{resolve:ssm-secure:databaseEncrypt:1}}' 
          database_password: '{{resolve:ssm-secure:databasePassword:1}}' 

See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

Seth E
  • It seems SSM Secure reference is not supported for AWS::Lambda::Function or am I missing something? – niklr May 26 '20 at 06:33
  • 1
    Correct, *secure* parameters are not supported by CloudFormation - Perhaps consider Secrets Manager instead? https://aws.amazon.com/blogs/aws/aws-secrets-manager-store-distribute-and-rotate-credentials-securely/ – Seth E May 27 '20 at 17:01
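Added example, not part of the question, the answer or the comments above: a small Node.js check that classifies each value under a template's `Variables:` block the way this thread describes (Serverless Framework `${ssm:...}` variables that SAM leaves as literal text, `ssm-secure` references that the comments report as unsupported for Lambda, and plain `{{resolve:ssm:...}}` references). The function names and the sample template are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```javascript
// Added example, not code from the original post.
const SLS_VAR = /^\$\{ssm:\s*([^}]*?)\s*\}$/; // Serverless Framework variable syntax
const CFN_REF = /^\{\{resolve:(ssm-secure|ssm|secretsmanager):([^}]+)\}\}$/; // CloudFormation dynamic reference

function classifyValue(raw) {
  // Drop surrounding whitespace and one pair of YAML quotes.
  const v = String(raw).trim().replace(/^(['"])(.*)\1$/, '$2');
  let m = SLS_VAR.exec(v);
  if (m) {
    return { kind: 'serverless-framework-variable', ok: false,
      note: 'SAM deploys this as a literal string; try {{resolve:ssm:' + m[1] + ':<version>}}' };
  }
  m = CFN_REF.exec(v);
  if (m && m[1] === 'ssm-secure') {
    return { kind: 'ssm-secure', ok: false,
      note: 'reported in this thread as unsupported for Lambda environment variables' };
  }
  if (m) return { kind: m[1], ok: true, note: 'resolved by CloudFormation at deploy time' };
  return { kind: 'literal', ok: true, note: 'plain value' };
}

// Hypothetical helper: walks the lines nested under each "Variables:" key.
function checkTemplate(text) {
  const findings = [];
  let blockIndent = -1; // indent of the current "Variables:" key, -1 when outside one
  for (const line of text.split('\n')) {
    const indent = line.search(/\S/);
    if (indent === -1) continue; // blank line
    if (/^\s*Variables:\s*$/.test(line)) { blockIndent = indent; continue; }
    if (blockIndent >= 0 && indent <= blockIndent) blockIndent = -1; // left the block
    if (blockIndent < 0) continue;
    const kv = /^\s*([\w.-]+):\s*(.+)$/.exec(line);
    if (kv) findings.push(Object.assign({ name: kv[1] }, classifyValue(kv[2])));
  }
  return findings;
}

// Constructed sample that mixes the syntaxes discussed on this page.
const SAMPLE = [
  "      Environment:",
  "        Variables:",
  "          database_user: ${ssm:databaseUser}",
  "          database_password: '{{resolve:ssm-secure:databasePassword:1}}' ",
  "          database_version: '{{resolve:ssm:databaseVersion:1}}'",
  "          database_server: '8.8.8.8'",
  "      MemorySize: 128",
].join('\n');
for (const f of checkTemplate(SAMPLE)) {
  console.log((f.ok ? 'ok   ' : 'FLAG ') + f.name + ': ' + f.kind + ' (' + f.note + ')');
}
```

A value that passes as `ssm` is substituted at deploy time, so it is stored in the function's configuration as a plaintext environment variable and is readable by anyone who can view that configuration.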