AWS Systems Manager Construct Library

This module is part of the AWS Cloud Development Kit project.

Using existing SSM Parameters in your CDK app

You can reference existing SSM Parameter Store values that you want to use in your CDK app by using ssm.StringParameter.fromStringParameterAttributes:

parameter_version = Token.as_number({"Ref": "MyParameter"})

# Retrieve the latest value of the non-secret parameter
# with name "/My/String/Parameter".
string_value = ssm.StringParameter.from_string_parameter_attributes(self, "MyValue",
    parameter_name="/My/Public/Parameter"
).string_value
string_value_version_from_token = ssm.StringParameter.from_string_parameter_attributes(self, "MyValueVersionFromToken",
    parameter_name="/My/Public/Parameter",
    # parameter version from token
    version=parameter_version
).string_value

# Retrieve a specific version of the secret (SecureString) parameter.
# 'version' is always required.
secret_value = ssm.StringParameter.from_secure_string_parameter_attributes(self, "MySecureValue",
    parameter_name="/My/Secret/Parameter",
    version=5
)
secret_value_version_from_token = ssm.StringParameter.from_secure_string_parameter_attributes(self, "MySecureValueVersionFromToken",
    parameter_name="/My/Secret/Parameter",
    # parameter version from token
    version=parameter_version
)

You can also reference an existing SSM Parameter Store value that matches an AWS specific parameter type:

ssm.StringParameter.value_for_typed_string_parameter_v2(self, "/My/Public/Parameter", ssm.ParameterValueType.AWS_EC2_IMAGE_ID)

To do the same for a SSM Parameter Store value that is stored as a list:

ssm.StringListParameter.value_for_typed_list_parameter(self, "/My/Public/Parameter", ssm.ParameterValueType.AWS_EC2_IMAGE_ID)

Lookup existing parameters

You can also use an existing parameter by looking up the parameter from the AWS environment. This method uses AWS API calls to lookup the value from SSM during synthesis.

string_value = ssm.StringParameter.value_from_lookup(self, "/My/Public/Parameter")

When using valueFromLookup an initial value of ‘dummy-value-for-${parameterName}’ (dummy-value-for-/My/Public/Parameter in the above example) is returned prior to the lookup being performed. This can lead to errors if you are using this value in places that require a certain format. For example if you have stored the ARN for a SNS topic in a SSM Parameter which you want to lookup and provide to Topic.fromTopicArn()

arn_lookup = ssm.StringParameter.value_from_lookup(self, "/my/topic/arn")
sns.Topic.from_topic_arn(self, "Topic", arn_lookup)

Initially arnLookup will be equal to dummy-value-for-/my/topic/arn which will cause Topic.fromTopicArn to throw an error indicating that the value is not in arn format.

For these use cases you need to handle the dummy-value in your code. For example:

arn_lookup = ssm.StringParameter.value_from_lookup(self, "/my/topic/arn")
# arn_lookup_value: str
if arn_lookup.includes("dummy-value"):
    arn_lookup_value = self.format_arn(
        service="sns",
        resource="topic",
        resource_name=arn_lookup
    )
else:
    arn_lookup_value = arn_lookup

sns.Topic.from_topic_arn(self, "Topic", arn_lookup_value)

Alternatively, if the property supports tokens you can convert the parameter value into a token to be resolved after the lookup has been completed.

arn_lookup = ssm.StringParameter.value_from_lookup(self, "/my/role/arn")
iam.Role.from_role_arn(self, "role", Lazy.string({"produce": () => arnLookup}))

Creating new SSM Parameters in your CDK app

You can create either ssm.StringParameter or ssm.StringListParameters in a CDK app. These are public (not secret) values. Parameters of type SecureString cannot be created directly from a CDK application; if you want to provision secrets automatically, use Secrets Manager Secrets (see the aws-cdk-lib/aws-secretsmanager package).

ssm.StringParameter(self, "Parameter",
    allowed_pattern=".*",
    description="The value Foo",
    parameter_name="FooParameter",
    string_value="Foo",
    tier=ssm.ParameterTier.ADVANCED
)

# Grant read access to some Role
# role: iam.IRole
# Create a new SSM Parameter holding a String
param = ssm.StringParameter(self, "StringParameter",
    # description: 'Some user-friendly description',
    # name: 'ParameterName',
    string_value="Initial parameter value"
)
param.grant_read(role)

# Create a new SSM Parameter holding a StringList
list_parameter = ssm.StringListParameter(self, "StringListParameter",
    # description: 'Some user-friendly description',
    # name: 'ParameterName',
    string_list_value=["Initial parameter value A", "Initial parameter value B"]
)

When specifying an allowedPattern, the values provided as string literals are validated against the pattern and an exception is raised if a value provided does not comply.