aws_ssm: StringListParameter.ValueForTypedListParameter to support shared parameters #29292
Comments
Self-assigned for now. I'll investigate and try to provide some working samples here.
Thanks @pahud. I may be able to use Secrets Manager rather than Parameter Store. From what I can tell, a secret can be created and can have read permission granted to other accounts. I can then use Alternatively, since I'm using Octopus Deploy, any outputs from a CloudFormation template are made available in PowerShell. I could write a script to retrieve the value and then use the AWS CLI to create the required I'm actively working on this so will post any progress.
CloudFormation docs suggest that it might not be possible to dynamically resolve a parameter using an ARN.
I got

```ts
const parameterValue = ssm.StringParameter.valueFromLookup(this, Arn.format({
  account: host_account_id,
  partition: 'aws',
  region: this.region,
  resource: 'parameter',
  resourceName: 'parameter_name',
  service: 'ssm',
}));
```

But I found it clunky to use because I had to do a synth before I used the value anywhere for it to seed the It would be nice if
Here's my use case for this feature. We're in an AWS Organization with a central account that builds AMIs, those AMIs are published to our many accounts, and the ARNs for the current versions of the AMIs are populated in SSM parameters that are shared to all accounts. I would like to call
Please check this working sample. Let me know if it works for you. (It does for me.)
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
AWS [introduced](https://aws.amazon.com/about-aws/whats-new/2024/02/aws-systems-manager-parameter-store-cross-account-sharing/) SSM Parameter Store cross-account sharing in Feb 2024. Under the hood, the sharing account has to create an AWS RAM ResourceShare for the principal of the consuming account and the consuming account has to accept the sharing invite. The only approach to access that sharing parameter is through CfnParameter. Dynamic Reference is NOT supported.

This PR adds the `StringParameter.fromStringParameterArn()` method so we can use the API like

```ts
const remoteParameterArn = 'arn:aws:ssm:us-east-1:123456789012:parameter/dummyName';
const sharedParam = StringParameter.fromStringParameterArn(scope, id, remoteParameterArn);
new cdk.CfnOutput(this, 'ParamValue', { value: sharedParam.stringValue });
```

Note:

1. The only option to consume sharing parameters in CFN is a template parameter. `StringParameter.fromStringParameterArn()` would synthesize a CfnParameter like:

```yaml
SharedParameter:
  Description: a shared golden AMI from centralised accounts
  Type: "AWS::SSM::Parameter::Value<String>"
  Default: "arn:aws:ssm:us-east-1:123456789012:parameter/sharedParameterName"
```

And the `Default` value has to be a static string. It can't be an unresolved token.

2. For the full use case (sharing, accepting and consuming), check out `integ.parameter-store-string-sharing.ts` for more details.

### Issue # (if applicable)

Closes #29292

### Reason for this change

### Description of changes

### Description of how you validated changes

Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/parameter.test.ts"
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ]
    }
  ]
}
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Describe the feature

Now that parameter sharing between accounts is a feature, the CDK constructs should support ARN parameter names so that a shared parameter from a different account can be retrieved.

### Use Case

I'm attempting to create the required Route53 resources in a multi-account organization. The DNS architecture we're using is:

- `domain-account`: contains the registered domain and a hosted zone.
- `workload-account`: contains workloads and has a sub-domain of the main domain in `domain-account`.

In order for the CDK to create the required resources, I'm trying to use the following stacks:

- `WorkloadAccountStack` - this stack creates a hosted zone, e.g. dev.domain.com, and creates a `StringListParameter` with a value of the NS entry of the new hosted zone. The parameter name is `_dns_DevNameServers` and is in the ADVANCED tier. Additionally, a `CfnResourceShare` is created to share the parameter with the `domain-account`.
- `DomainAccountStack` - this stack creates a `NS` record in the `domain.com` hosted zone. To do this, the stack must get the value of the `_dns_DevNameServers` parameter from the `workload-account`.

AWS docs state that accessing a parameter is done by passing the ARN as the parameter name.

In 2.130 of CDK, I'm using the following code:

When attempting to deploy the stack, I get the following error:

I believe this is due to using `COLON_RESOURCE_NAME` as the `ArnFormat`. I would like to use `SLASH_RESOURCE_NAME`, however, when using that, the `synth` process throws an error:

### Proposed Solution

At this stage I'm not sure where to start with a solution for this problem.

### Other Information

No response

### Acknowledgements

### CDK version used

2.130

### Environment details (OS name and version, etc.)

Windows 11
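As an added illustration (not code from the issue, the PR or aws-cdk), here are the two CloudFormation templates that the issue's `WorkloadAccountStack` and `DomainAccountStack` reduce to, using the template-parameter mechanism the PR description relies on. The account IDs are placeholders, and the `List<String>` flavour of the SSM parameter type is an assumption that generalizes the PR's `<String>` example to the StringList parameter in the issue.

```yaml
# Added example (not from the issue, the PR or aws-cdk): the two CloudFormation
# templates the issue's WorkloadAccountStack and DomainAccountStack reduce to.
# Account IDs and the List<String> parameter type are assumptions.

# --- workload-account: publish the zone's NS records and share them via RAM ---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainAccountId:
    Type: String
    Default: "111111111111"          # placeholder: the consuming (domain) account
Resources:
  DevZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: dev.domain.com
  DevNameServers:
    Type: AWS::SSM::Parameter
    Properties:
      Name: _dns_DevNameServers
      Type: StringList
      Tier: Advanced                 # only Advanced-tier parameters can be shared
      Value: !Join [",", !GetAtt DevZone.NameServers]
  DevNameServersShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: dev-name-servers
      ResourceArns:                  # share exactly this one parameter, nothing broader
        - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${DevNameServers}"
      Principals:
        - !Ref DomainAccountId
      AllowExternalPrincipals: false # no accounts outside the organization
---
# --- domain-account: consume the shared parameter (after accepting the RAM invite) ---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DevNameServers:
    # The only way CloudFormation can read a shared parameter: its full ARN as the
    # Default of an SSM-typed template parameter; dynamic references do not work.
    Type: "AWS::SSM::Parameter::Value<List<String>>"
    Default: "arn:aws:ssm:us-east-1:222222222222:parameter/_dns_DevNameServers"  # placeholder workload account
Resources:
  DevDelegation:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: domain.com.
      Name: dev.domain.com.
      Type: NS
      TTL: "300"
      ResourceRecords: !Ref DevNameServers
```

Because the `Default` must be a literal ARN (as the PR notes), the workload account ID cannot come from a token; it is resolved at template-parameter time, so a stale or mistyped ARN fails at deploy rather than at synth.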