将安全 SSM 参数传递到嵌套的 CloudFormation 堆栈
Pass secure SSM parameter to a nested CloudFormation stack
我有一个嵌套的 CloudFormation 堆栈模板,用于描述数据库及其相关资源。我需要为各种环境创建多个数据库(例如 stage、qa、prod)。
我将每个环境的数据库密码作为安全字符串存储在 SSM 参数存储中,例如:
/acme/stage/DB_PASSWORD/acme/qa/DB_PASSWORD/acme/prod/DB_PASSWORD
我尝试解析父模板中的 SSM 参数并将其传递给嵌套堆栈,但它似乎不起作用。
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
QaDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/qa/DB_PASSWORD:1}}'
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/prod/DB_PASSWORD:1}}'
# database.template
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
DatabasePassword:
Type: String
Resources:
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Ref DatabasePassword
这种方法给我一个错误:
An error occurred (ValidationError) when calling the CreateStack operation: SSM Secure reference is not supported in: [AWS::CloudFormation::Stack/Properties/Parameters/DatabasePassword]
根据the docs,也可以将密码参数定义为特殊的AWS::SSM::Parameter::Value<String>类型,但声明:
AWS CloudFormation does not support defining template parameters as SecureString Systems Manager parameter types.
我确实尝试过使用它,但它给了我一个错误:
Parameters [/acme/stage/DB_PASSWORD] referenced by template have types not supported by CloudFormation.
那么,在这种情况下,我如何实际将安全数据库密码传递给数据库资源?我想使用一个 CloudFormation 模板来管理所有三个数据库及其相关资源。
尝试:
'{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
即带撇号。见 YAML examples in the documentation:
MyS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: '{{resolve:ssm:S3AccessControl:2}}'
我发现将安全 SSM 参数传递给嵌套堆栈的唯一方法是将其作为字符串传递,而不是尝试使用更合理的 AWS::SSM::Parameter::Value<String> 然后在通过使用 !Sub 函数构建动态引用来嵌套堆栈。
这是一个工作示例:
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/stage/DB_PASSWORD:1"
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/prod/DB_PASSWORD:1"
# database.template
Parameters:
DatabasePasswordSsmKey:
Description: SSM property key for database password
Type: String
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Sub "{{resolve:ssm-secure:${DatabasePasswordSsmKey}}}"
我有一个嵌套的 CloudFormation 堆栈模板,用于描述数据库及其相关资源。我需要为各种环境创建多个数据库(例如 stage、qa、prod)。
我将每个环境的数据库密码作为安全字符串存储在 SSM 参数存储中,例如:
/acme/stage/DB_PASSWORD/acme/qa/DB_PASSWORD/acme/prod/DB_PASSWORD
我尝试解析父模板中的 SSM 参数并将其传递给嵌套堆栈,但它似乎不起作用。
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
QaDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/qa/DB_PASSWORD:1}}'
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "…/database.template"
Parameters:
DatabasePassword: '{{resolve:ssm-secure:/acme/prod/DB_PASSWORD:1}}'
# database.template
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
DatabasePassword:
Type: String
Resources:
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Ref DatabasePassword
这种方法给我一个错误:
An error occurred (ValidationError) when calling the CreateStack operation: SSM Secure reference is not supported in: [AWS::CloudFormation::Stack/Properties/Parameters/DatabasePassword]
根据the docs,也可以将密码参数定义为特殊的AWS::SSM::Parameter::Value<String>类型,但声明:
AWS CloudFormation does not support defining template parameters as SecureString Systems Manager parameter types.
我确实尝试过使用它,但它给了我一个错误:
Parameters [/acme/stage/DB_PASSWORD] referenced by template have types not supported by CloudFormation.
那么,在这种情况下,我如何实际将安全数据库密码传递给数据库资源?我想使用一个 CloudFormation 模板来管理所有三个数据库及其相关资源。
尝试:
'{{resolve:ssm-secure:/acme/stage/DB_PASSWORD:1}}'
即带撇号。见 YAML examples in the documentation:
MyS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: '{{resolve:ssm:S3AccessControl:2}}'
我发现将安全 SSM 参数传递给嵌套堆栈的唯一方法是将其作为字符串传递,而不是尝试使用更合理的 AWS::SSM::Parameter::Value<String> 然后在通过使用 !Sub 函数构建动态引用来嵌套堆栈。
这是一个工作示例:
# parent.template
StageDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/stage/DB_PASSWORD:1"
ProdDatabaseStack:
Type: AWS::CloudFormation::Stack
Properties:
Parameters:
DatabasePasswordSsmKey: "/acme/prod/DB_PASSWORD:1"
# database.template
Parameters:
DatabasePasswordSsmKey:
Description: SSM property key for database password
Type: String
Database:
Type: AWS::RDS::DBInstance
Properties:
MasterUserPassword: !Sub "{{resolve:ssm-secure:${DatabasePasswordSsmKey}}}"