3

I am using CDK to deploy AWS resources but need to get some values from the parameter store from a different region. I can see this API in CDK's reference page to read a parameter:

ssm.StringParameter.fromStringParameterAttributes

But it doesn't support passing region. How can I make it work across region?

Efren
  • 4,003
  • 4
  • 33
  • 75
Joey Yi Zhao
  • 37,514
  • 71
  • 268
  • 523

4 Answers4

4

You can find an implementation here:

import { Construct } from 'constructs';
import { AwsCustomResource, AwsCustomResourcePolicy, AwsSdkCall, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

interface SSMParameterReaderProps {
  readonly parameterName: string;
  readonly region: string;
}

export class SSMParameterReader extends AwsCustomResource {
  constructor(scope: Construct, name: string, props: SSMParameterReaderProps) {
    const { parameterName, region } = props;

    super(scope, name, {
      onUpdate: {
        action: 'getParameter',
        service: 'SSM',
        parameters: {
          Name: parameterName,
        },
        region,
        physicalResourceId: PhysicalResourceId.of(name),
      },
      policy: AwsCustomResourcePolicy.fromSdkCalls({
        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });
  }

  public getParameterValue(): string {
    return this.getResponseFieldReference('Parameter.Value').toString();
  }
}

Source: https://github.com/Idea-Pool/aws-static-site/blob/main/lib/ssm-parameter-reader.ts

(Based on CloudFormation Cross-Region Reference)

László Szikszai
  • 51
  • 3
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/32024673) – michaeak Jun 20 '22 at 21:27
  • Reference example for [python cdk](https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.custom_resources/README.html#get-the-latest-version-of-a-secure-ssm-parameter), it is for a SecureString but same as answer, can use to build own construct. – Efren Oct 19 '22 at 03:48
1

This article explains what you are looking for

How to read parameter store from a different region in CDK?

Summary: Create an AWS custom resource that takes in the parameterName and the regionName as props and returns the value.

Mohammad Faisal
  • 2,265
  • 1
  • 10
  • 16
1

Here is the python's version, the code will work assuming the certificate and the parameter store which has the certificate arn are already created in us-east-1

from aws_cdk import (
    aws_certificatemanager as acm
)
import aws_cdk.custom_resources as cr

retrieving_arn = cr.AwsCustomResource(self, "RetrievingARN",
            on_update=cr.AwsSdkCall( # will also be called for a CREATE event
                service="SSM",
                action="getParameter",
                parameters={
                    "Name": "acm-certificate-arn"
                },
                region="us-east-1",
                physical_resource_id=cr.PhysicalResourceId.of("retrieving-certificate-arn-cross-region")),
            policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
                resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
            )
        )
        
    

the_certificate_arn = retrieving_arn.get_response_field("Parameter.Value")

actual_certificate = acm.Certificate.from_certificate_arn(
            self, "RetrievingCertificate", certificate_arn=the_certificate_arn 
        )
Jack Rogers
  • 565
  • 7
  • 19
0

It is not currently possible to access SSM Parameters in a different region.

You would have to set up some process to replicate the parameter across the needed regions and keep them in sync.

You could also get the value using a custom resource backed by a lambda.

gshpychka
  • 8,523
  • 1
  • 11
  • 31