Cloudformation-coverage-roadmap: ssm-secure dynamic reference resource type coverage

Created on 18 Oct 2019 · 10 Comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value (environment variables values) should support Dynamic References to AWS Systems Manager Parameter Store Secure Strings.

Currently, Dynamic References to AWS Systems Manager Parameter Store Secure Strings are only supported in a limited set of places. It would be nice if they were supported in Beanstalk environment variable values (which are specified in CloudFormation at AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value).

This would allow the Beanstalk application to see an environment variable named `SPRING_DATASOURCE_PASSWORD` with value `supersecret` when defined by this CloudFormation template fragment:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  BeanstalkEnvironment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      OptionSettings:
        - Namespace: "aws:elasticbeanstalk:application:environment"
          OptionName: SPRING_DATASOURCE_PASSWORD
          # SecureString parameter /my/parameter, version 42
          Value: !Sub "{{resolve:ssm-secure:/my/parameter:42}}"
```

Category: Compute (Elastic Beanstalk)

Label: enhancement


All 10 comments

It's possible to hack something like this using an ebextension today, but it really should be easier and supported directly in AWS.

For your information, this feature is already partially implemented in Beanstalk.
It is working with non-secure parameters which specify the version, i.e.:

```
{{resolve:ssm:DB_PASSWORD:1}}
```

I tested with platform:
Tomcat 8.5 with Java 8 running on 64bit Amazon Linux/3.3.0

Other options are not working (but the pattern is recognized).

Secure reference, i.e. `{{resolve:ssm-secure:DB_PASSWORD:1}}`, shows error:

```
Service:AmazonCloudFormation, Message:SSM Secure reference is not supported in: [AWS::CloudFormation::WaitConditionHandle/Metadata/AWS::ElasticBeanstalk::Ext/Parameters/EnvironmentVariables,AWS::AutoScaling::AutoScalingGroup/Metadata/AWS::ElasticBeanstalk::Ext/_ContainerConfigFileContent/optionsettings/aws:elasticbeanstalk:application:environment]
```

References without version, i.e. `{{resolve:ssm-secure:DB_PASSWORD}}`, show error:

```
Service:AmazonCloudFormation, Message:Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:DB_PASSWORD}}]
```

Thanks @candrews but the formatting in your linked article has lost line breaks and indents. Would you mind pasting it again?

Woops! I've fixed the article's formatting.

Is there any news on whether this will work?

I would love for something like this to be possible as well! It would be great if a .ebextensions config file could look like

```yaml
option_settings:
  aws:elasticbeanstalk:application:environment:
    DB_USER: '{{resolve:secretsmanager:secretId:SecretString:DB_USER}}'
    DB_PWD: '{{resolve:secretsmanager:secretId:SecretString:DB_PWD}}'
```

Going to generalize this issue due to similar requests.

secretsmanager dynamic references are not limited to a hand-maintained list of approved property types, so I see no reason why ssm-secure dynamic references should be.

@PatMyron What you said is exactly what we are looking for. This would be extremely helpful.

Why do you need to do `:1` in `{{resolve:ssm:DB_PASSWORD:1}}`?

@shorif2000 It's the version. As per the CloudFormation documentation it's mandatory to indicate the version (at least for now).

I can confirm that as of this date:

  • `{{resolve:ssm:<name>:<version>}}` works
  • `{{resolve:ssm-secure:<name>:<version>}}` fails with:

```
Service:AmazonCloudFormation, Message: SSM Secure reference is not supported in:
[AWS::CloudFormation::WaitConditionHandle/Metadata/AWS::ElasticBeanstalk::Ext/Parameters/EnvironmentVariables,AWS::AutoScaling::AutoScalingGroup/Metadata/AWS::ElasticBeanstalk::Ext/_ContainerConfigFileContent/optionsettings/aws:elasticbeanstalk:application:environment]
```

I tested both as Environment Variables set directly in the Elastic Beanstalk Console UI.
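The two failure modes reported in this thread (an `ssm-secure` reference in the `aws:elasticbeanstalk:application:environment` namespace, and a reference with no `:<version>` segment) both surface only at stack deployment time. The following pre-deploy lint, written as an added example rather than code from the issue or from AWS, walks an `AWS::ElasticBeanstalk::Environment` `OptionSettings` list and reports those cases before a template is submitted. The version rule encodes what the thread observed ("mandatory, at least for now"), and the `secretsmanager` field layout (`secret-id:SecretString:json-key:version-stage:version-id`) follows the CloudFormation dynamic-reference documentation; the sample option settings are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

ENV_NAMESPACE = "aws:elasticbeanstalk:application:environment"
# Matches one {{resolve:<service>:<fields...>}} dynamic reference.
DYNREF_RE = re.compile(r"\{\{resolve:([a-z-]+):([^}]*)\}\}")


def parse_dynamic_reference(value: str) -> Optional[Tuple[str, List[str]]]:
    """Return (service, colon-separated fields) for the first dynamic
    reference in value, or None if the value carries none."""
    m = DYNREF_RE.search(value)
    if not m:
        return None
    return m.group(1), m.group(2).split(":")


def check_reference(service: str, fields: List[str]) -> List[str]:
    """Return the problems CloudFormation would raise for one reference
    placed in the Beanstalk environment-variable namespace, per the
    behaviour reported in this thread."""
    problems: List[str] = []
    if service in ("ssm", "ssm-secure"):
        # Thread: a reference without ':<version>' is rejected as
        # 'Incorrect format is used in the following SSM reference'.
        if len(fields) < 2 or not fields[1].isdigit():
            problems.append("missing or non-numeric version (':<version>' is required here)")
        if service == "ssm-secure":
            # Thread: 'SSM Secure reference is not supported in' this namespace.
            problems.append("ssm-secure is not supported in %s" % ENV_NAMESPACE)
    elif service == "secretsmanager":
        # Documented layout: secret-id:SecretString:json-key:version-stage:version-id
        if len(fields) >= 2 and fields[1] != "SecretString":
            problems.append("second field must be 'SecretString'")
        if len(fields) > 5:
            problems.append("too many fields for a secretsmanager reference")
    else:
        problems.append("unknown dynamic reference service %r" % service)
    return problems


def lint_option_settings(option_settings: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (OptionName, problem) pairs for every environment-variable
    option setting whose value is a dynamic reference CloudFormation
    would reject."""
    findings: List[Tuple[str, str]] = []
    for setting in option_settings:
        if setting.get("Namespace") != ENV_NAMESPACE:
            continue  # other namespaces are outside this lint's scope
        parsed = parse_dynamic_reference(str(setting.get("Value", "")))
        if parsed is None:
            continue  # literal value, nothing to resolve
        for problem in check_reference(*parsed):
            findings.append((setting["OptionName"], problem))
    return findings


# Constructed sample: the OptionSettings list of an AWS::ElasticBeanstalk::Environment.
SAMPLE_OPTION_SETTINGS = [
    {"Namespace": ENV_NAMESPACE, "OptionName": "DB_PASSWORD",
     "Value": "{{resolve:ssm:DB_PASSWORD:1}}"},             # accepted in the thread
    {"Namespace": ENV_NAMESPACE, "OptionName": "SPRING_DATASOURCE_PASSWORD",
     "Value": "{{resolve:ssm-secure:/my/parameter:42}}"},   # rejected: ssm-secure
    {"Namespace": ENV_NAMESPACE, "OptionName": "API_KEY",
     "Value": "{{resolve:ssm-secure:API_KEY}}"},            # rejected: no version, ssm-secure
    {"Namespace": ENV_NAMESPACE, "OptionName": "DB_USER",
     "Value": "{{resolve:secretsmanager:secretId:SecretString:DB_USER}}"},
    {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "InstanceType",
     "Value": "t3.micro"},                                  # other namespace: skipped
]

if __name__ == "__main__":
    for name, problem in lint_option_settings(SAMPLE_OPTION_SETTINGS):
        print(f"{name}: {problem}")
```

Run against the constructed sample, the lint reports `SPRING_DATASOURCE_PASSWORD` once (unsupported `ssm-secure`) and `API_KEY` twice (missing version and unsupported `ssm-secure`), while the versioned `ssm` reference and the `secretsmanager` reference pass, matching the outcomes the thread reports for each form.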
