Comments (9)
I also tried the approach outlined in Appendix A: Using alfred helper in the CloudFormation parameter files.
I see the same issue there - parameter substitution code in /source/manifest/cfn_params_handler.py tries to access SSM parameters in the master account/region, not in account/region where stack instance should be deployed.
The only way that works for me is a fallback to CloudFormation default parameter values in the template (with the obvious disadvantage that I have to modify the template):
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Dev Template to test overrideparams
Parameters:
  VpcId:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/org/member/VpcId'
```
In this case CloudFormation retrieves the parameters during deployment time from the region where stack instance is deployed.
from aws-control-tower-customizations.
Hello @kolomied,
The alfred functionality does store the SSM parameter key/value pair in the master account. Since you are deploying this in multiple regions, the alfred function may not help you with your use case.
I agree with your approach to store the VPC id in the local account and region using AWS::SSM::Parameter resource in the stack 1 and use CFN parameter type "'AWS::SSM::Parameter::Value'" in the stack 2 to obtain the value from the local account and region.
from aws-control-tower-customizations.
@groverlalit Thank you for the response.
Could you also share the intended use case for ssm_parameters manifest property - it is not clear from the documentation when it can be useful.
from aws-control-tower-customizations.
I am also confused by the documentation as they reference the ability to store outputs using ssm_parameters section but then Appendix A does not cite using this feature at all. I would think Appendix A would showcase how the alfred retriever would work with the ssm_parameters section. Are these two things compatible?
from aws-control-tower-customizations.
@jdonboch @kolomied
Thanks for the feedback.
We understand that Appendix A in the developer guide currently does not refer to the ssm_parameters section of the manifest to the alfred helper but to a generic SSM parameter resource. We have updated our backlog to update the documentation.
To answer your question, yes, they are compatible. As we know, a new parameter store key value pair can be created by the following methods:
- ssm_parameters (in manifest.yaml)
- ssm parameter resource embedded in the CFN template
- adding parameter store key value using AWS Console, AWS CLI or AWS SDK.
As long as the SSM parameter exists in the region in the Org master account where the solution is deployed, the alfred helper can read it and replace the parameter value in the parameters.json file.
Hope this helps.
from aws-control-tower-customizations.
@groverlalit could you explain what the developer guide is trying to tell us in the note that says
Note: The SSM parameter key name may contain a value other than output. For example, if the name is /org/environment-name, the value may production.
Could you give a full example of how to get from a template with outputs to another template that uses that output as a parameter?
from aws-control-tower-customizations.
@zoellner
Using the example configuration deployed with the solution (S3 or CodeCommit).
If you need the application id from stackset-1 to be passed as parameter to the stackset-2.
Snippet of manifest.yaml (note: incorrect indentation)
```yaml
# Control Tower Custom CloudFormation Resources
cloudformation_resources:
  - name: stackset-1
    template_file: templates/create-ssm-parameter-keys-1.template
    parameter_file: parameters/create-ssm-parameter-keys-1.json
    deploy_method: stack_set
    deploy_to_account: # :type: list
      - <ACCOUNT_NAME> # and/or
      - <ACCOUNT_NUMBER>
    ssm_parameters:
      - name: /org/member/test-ssm/app-id
        # << Puts the value
        value: $[output_ApplicationId]
    regions:
      - <REGION_NAME>
  - name: stackset-2
    template_file: templates/create-ssm-parameter-keys-2.template
    parameter_file: parameters/create-ssm-parameter-keys-2.json
    deploy_method: stack_set
    deploy_to_ou: # :type: list
      - <OU_NAME>
    deploy_to_account: # :type: list
      - <ACCOUNT_NAME> # and/or
      - <ACCOUNT_NUMBER>
    regions: # :type: list
      - <REGION_NAME>
```
You can modify the example-configuration/parameters/create-ssm-parameter-keys-2.json file as follows.
```
[
  {
    "ParameterKey": "ApplicationId",
    "ParameterValue": "$[alfred_ssm_/org/member/test-ssm/app-id]"    << Gets the value
  }
  ...cut...
```
Hope this helps. Thanks.
from aws-control-tower-customizations.
I tried using ssm_parameters in a manner described above and also here:
```yaml
ssm_parameters:
  - name: "/test/cfct_output/test1"
    value: "123"
```
and the Build stage of the CfCT pipeline failed with:
ERROR - ["Key 'ssm_parameters' was not defined. Path: '/resources/0'"]
Environment
- CfCT v2.1.0
- 8076f8f
from aws-control-tower-customizations.
I think this issue should remain open, as the existing documentation on Alfred is either incomplete or incorrect, and following it does not lead to a working solution.
It's also worth pointing out that, in manifest v2, the ssm_parameters field needs to be renamed to export_outputs.
from aws-control-tower-customizations.
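An added example, not part of the thread or of the CfCT code base: a lint pass over an already-parsed manifest that applies the two points made above, namely that a `$[alfred_ssm_...]` reference is resolved in the Org master account and so must be exported by an earlier resource or already exist there, and that manifest v2 expects `export_outputs` instead of `ssm_parameters`. The function name, the dict-shaped inputs and the assumption that v2 resources still carry `parameter_file` are choices made for this sketch.

```python
import re

# Reference syntax quoted in the thread: $[alfred_ssm_<parameter name>]
ALFRED_REF = re.compile(r"\$\[alfred_ssm_([^\]]+)\]")

def check_manifest(manifest, parameter_files):
    """Lint a parsed manifest; parameter_files maps path -> list of
    {"ParameterKey": ..., "ParameterValue": ...} dicts. Returns findings."""
    findings = []
    is_v2 = "resources" in manifest  # v1 uses 'cloudformation_resources'
    resources = manifest.get("resources" if is_v2 else "cloudformation_resources", [])
    export_key = "export_outputs" if is_v2 else "ssm_parameters"
    exported = set()  # SSM names written by resources earlier in the list

    for res in resources:
        name = res.get("name", "<unnamed>")
        if is_v2 and "ssm_parameters" in res:
            findings.append(f"{name}: rename 'ssm_parameters' to 'export_outputs' (manifest v2)")
        # Check reads before recording this resource's own exports: a stack
        # cannot consume an output that is only written after it deploys.
        for param in parameter_files.get(res.get("parameter_file"), []):
            for ssm_name in ALFRED_REF.findall(str(param.get("ParameterValue", ""))):
                if ssm_name not in exported:
                    findings.append(
                        f"{name}: {param.get('ParameterKey')} reads {ssm_name}, not exported by an "
                        "earlier resource; it must already exist in the master account")
        exported.update(entry["name"] for entry in res.get(export_key, []))
    return findings

# Constructed sample mirroring the stackset-1 / stackset-2 example above,
# plus one reference (VpcId) that nothing in the manifest exports.
SAMPLE_MANIFEST = {"cloudformation_resources": [
    {"name": "stackset-1", "parameter_file": "p1.json",
     "ssm_parameters": [{"name": "/org/member/test-ssm/app-id",
                         "value": "$[output_ApplicationId]"}]},
    {"name": "stackset-2", "parameter_file": "p2.json"},
]}
SAMPLE_PARAMS = {
    "p1.json": [],
    "p2.json": [
        {"ParameterKey": "ApplicationId",
         "ParameterValue": "$[alfred_ssm_/org/member/test-ssm/app-id]"},
        {"ParameterKey": "VpcId", "ParameterValue": "$[alfred_ssm_/org/member/VpcId]"},
    ],
}

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, SAMPLE_PARAMS):
        print(finding)
```

A finding for a name that no resource exports is a prompt to confirm the parameter exists in the master account and region, not proof of an error.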