将安全 SSM 参数传递给嵌套的 CloudFormation 堆栈
[英]Pass secure SSM parameter to a nested CloudFormation stack
问题描述
I have a nested CloudFormation stack template that describes database and it's related resources.
我有一个描述数据库及其相关资源的嵌套 CloudFormation 堆栈模板。 I need to create multiple databases for various environments (eg stage , qa , prod ).我需要为各种环境(例如stage 、 qa 、 prod )创建多个数据库。
I store database password for each environment in SSM parameter store as secure strings, eg:我将每个环境的数据库密码存储在 SSM 参数存储中作为安全字符串,例如:
-
/acme/stage/DB_PASSWORD -
/acme/qa/DB_PASSWORD -
/acme/prod/DB_PASSWORD
I've tried to resolve the SSM parameter in parent template and pass it to a nested stack, but it looks like it's not working.我试图解析父模板中的 SSM 参数并将其传递给嵌套堆栈,但它看起来不起作用。
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
QaDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/qa/DB_PASSWORD:1}}'
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/prod/DB_PASSWORD:1}}'
# database.template
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
DatabasePassword:
Type: String
Resources:
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Ref DatabasePassword
This approach gives me an error:这种方法给了我一个错误:
An error occurred (ValidationError) when calling the CreateStack operation: SSM Secure reference is not supported in: [AWS::CloudFormation::Stack/Properties/Parameters/DatabasePassword]
According to the docs , it is also possible to define password parameter as a special AWS::SSM::Parameter::Value<String> type, but it is stated, that:根据docs ,也可以将密码参数定义为特殊的AWS::SSM::Parameter::Value<String>类型,但声明如下:
AWS CloudFormation does not support defining template parameters as SecureString Systems Manager parameter types.
I've actually tried to use it, but it gives me an error:我实际上尝试过使用它,但它给了我一个错误:
Parameters [/acme/stage/DB_PASSWORD] referenced by template have types not supported by CloudFormation.
SO, how do I actually pass secure database password to a database resource in this scenario?那么,在这种情况下,我如何实际将安全数据库密码传递给数据库资源? I want to use a single CloudFormation template to manage all three databases and their related resources.我想使用一个 CloudFormation 模板来管理所有三个数据库及其相关资源。
2 个解决方案
解决方案1
2 2019-11-30 19:31:51
Try:尝试:
'{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
Ie with apostrophs.即带撇号。 See YAML examples in the documentation :请参阅文档中的 YAML 示例:
MyS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: '{{resolve:ssm:S3AccessControl:2}}'
解决方案2
1 已采纳 2019-12-02 23:01:27
The only way to pass a secure SSM parameter to a nested stack I've found is to pass it as a string, instead of trying to use more sensible AWS::SSM::Parameter::Value<String> and then resolving the secure value in a nested stack by building the dynamic reference with !Sub function.将安全 SSM 参数传递给我发现的嵌套堆栈的唯一方法是将其作为字符串传递,而不是尝试使用更合理的AWS::SSM::Parameter::Value<String>然后解析安全通过使用!Sub函数构建动态引用,嵌套堆栈中的值。
Here's a working example:这是一个工作示例:
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/stage/DB_PASSWORD:1"
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/prod/DB_PASSWORD:1"
# database.template
Parameters:
DatabasePasswordSsmKey:
Description: SSM property key for database password
Type: String
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Sub "{{resolve:ssm-secure:${DatabasePasswordSsmKey}}}"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.