AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value should support Dynamic References to AWS Systems Manager Parameter Store Secure Strings #227

Open
candrews opened this issue Oct 18, 2019 · 2 comments

@candrews candrews commented Oct 18, 2019

AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value (environment variable values) should support Dynamic References to AWS Systems Manager Parameter Store Secure Strings.

Currently, Dynamic References to AWS Systems Manager Parameter Store Secure Strings are only supported in a limited set of places. It would be nice if they were supported in Beanstalk environment variable values (which are specified in CloudFormation at AWS::ElasticBeanstalk::Environment-Properties-OptionSettings[namespace==`aws:elasticbeanstalk:application:environment`].Value).

This would allow the Beanstalk application to see an environment variable named `` with value supersecret when defined by this CloudFormation template fragment:

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  BeanstalkEnvironment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      OptionSettings:
        -
          Namespace: "aws:elasticbeanstalk:application:environment"
          OptionName: SPRING_DATASOURCE_PASSWORD
          Value: !Sub "{{resolve:ssm-secure-env:/my/parameter:42}}"
```

6. Category (required) - Will help with tagging and be easier to find by other users to +1

Use the categories as displayed in the AWS Management Console (simplified):

  1. Compute (Elastic Beanstalk)

@candrews candrews commented Oct 18, 2019

It's possible to hack something like this using an ebextension today, but it really should be easier and supported directly in AWS.


@eballetbaz eballetbaz commented Nov 14, 2019

For information, this feature is already partially implemented in Beanstalk.
It is working with non-secure parameters which specify the version:

i.e.:
{{resolve:ssm:DB_PASSWORD:1}}

I tested with platform:
Tomcat 8.5 with Java 8 running on 64bit Amazon Linux/3.3.0

Other options are not working (but pattern is recognized)

Secure reference, i.e. {{resolve:ssm-secure:DB_PASSWORD:1}} shows error:

Service:AmazonCloudFormation, Message:SSM Secure reference is not supported in: [AWS::CloudFormation::WaitConditionHandle/Metadata/AWS::ElasticBeanstalk::Ext/Parameters/EnvironmentVariables,AWS::AutoScaling::AutoScalingGroup/Metadata/AWS::ElasticBeanstalk::Ext/_ContainerConfigFileContent/optionsettings/aws:elasticbeanstalk:application:environment]

References without version, i.e. {{resolve:ssm-secure:DB_PASSWORD}} shows error:

Service:AmazonCloudFormation, Message:Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:DB_PASSWORD}}]
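
A pre-deployment check built from the behaviour reported in the comment above, as an added example that is not part of the thread or of any AWS tooling. It assumes the template is already parsed into a dict; `classify`, `lint_template` and the verdict names are hypothetical, and treating a versionless `ssm` reference like the versionless `ssm-secure` one is an assumption.

```python
import re

# Dynamic reference syntax: {{resolve:<service>:<name>[:<version>]}}
REF = re.compile(r"\{\{resolve:([a-z-]+):([^:}]+)(?::([^:}]+))?\}\}")
ENV_NS = "aws:elasticbeanstalk:application:environment"

def classify(value):
    """Map one option value to the outcome reported in the thread."""
    if isinstance(value, dict):            # long form of !Sub
        value = value.get("Fn::Sub", "")
    m = REF.search(value) if isinstance(value, str) else None
    if m is None:
        return "literal"                   # plain text stored in the template itself
    service, _name, version = m.groups()
    if service not in ("ssm", "ssm-secure"):
        return "not-covered"               # the thread reports nothing for this service
    if version is None:
        return "incorrect-format"          # "Incorrect format is used in the following SSM reference"
    if service == "ssm-secure":
        return "secure-unsupported"        # "SSM Secure reference is not supported in: ..."
    return "resolves-plaintext"            # resolves, but from a non-secure parameter

def lint_template(template):
    """Return (logical_id, option_name, verdict) for every Beanstalk env var."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ElasticBeanstalk::Environment":
            continue
        for opt in res.get("Properties", {}).get("OptionSettings", []):
            if opt.get("Namespace") == ENV_NS:
                findings.append((logical_id, opt.get("OptionName"), classify(opt.get("Value"))))
    return findings

# Constructed sample template (already parsed), not taken from the thread.
SAMPLE = {"Resources": {"BeanstalkEnvironment": {
    "Type": "AWS::ElasticBeanstalk::Environment",
    "Properties": {"OptionSettings": [
        {"Namespace": ENV_NS, "OptionName": "A", "Value": "{{resolve:ssm:DB_PASSWORD:1}}"},
        {"Namespace": ENV_NS, "OptionName": "B", "Value": "{{resolve:ssm-secure:DB_PASSWORD:1}}"},
        {"Namespace": ENV_NS, "OptionName": "C", "Value": {"Fn::Sub": "{{resolve:ssm-secure:DB_PASSWORD}}"}},
        {"Namespace": ENV_NS, "OptionName": "D", "Value": "constructed-literal"},
        {"Namespace": "aws:autoscaling:asg", "OptionName": "MinSize", "Value": "1"},
    ]}}}}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE):
        print(*finding)
```

Both `literal` and `resolves-plaintext` mean the value is not protected as a Secure String, so a secret-named option with either verdict is worth failing the build on.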
