Parameter Store tags cannot be updated without losing the saved value #26033
-
There isn't any bug here, CloudFormation is working as intended. Why are you defining this parameter in CloudFormation to begin with?
-
So let's say I have an application that needs to connect to a third party API. Somehow I have to get the API credentials passed to the app. I could hard-code these in the CDK stack and just pass them to Lambda or ECS as environment variables, which works fine, except then when I commit the CDK stack to git, I will end up with the actual credentials in the git repo which isn't great (for one, I can't then make the git repo public because it contains my private credentials).

So instead, in the stack I create two Parameter Store entries, one for the API username and one for the password. I deploy the stack to our test, staging and production AWS accounts, which gives me two Parameter Store entries in each account. I can then go in and manually set the appropriate API credentials (which are different for each account - the test account connects to the vendor's test API, production to their production API, etc.) There are only two entries in this example but it's not uncommon for our code to have 10 or more entries for various APIs, external databases, etc. so this avoids having to manually create hundreds of Parameter Store entries across all the accounts for all our deployments. This way the same code can be deployed to each account and it can retrieve the same Parameter Store entries by name, but each AWS account will get a different set of credentials and everything works perfectly.

Except when we later deploy an update to our stack, the Parameter Store entries will randomly get set back to the default value (in my case "TODO") instead of being left alone. Is Parameter Store not designed for this use case? I guess I am a little confused why other things that store user data, like an S3 bucket or RDS database, do not get wiped and reset upon deploy, but Parameter Store does. If Parameter Store values get reset when they 'drift', why not S3 buckets as well?

Alternatively, if Parameter Store is designed to always reflect the CDK stack and not allow manual updates, then what is its purpose? If the value is meant to be hard-coded into the CDK stack, then why use Parameter Store at all over an environment variable passed to the code? I thought the whole point of Parameter Store was to avoid having to hard-code credentials into the stack.
-
Summarising the discussion from #25949:
(reproduction steps at the above issue link)
From @peterwoodworth:
My issue is that the `stringValue` is mandatory, so you cannot omit it. And it gets committed to git so you can't put the actual password in that you want to store. This means any change you make to your stack risks wiping out your Parameter Store values and causing the deployed service to fail, e.g. because it can no longer retrieve the password it needs.

Perhaps this is a bug in CloudFormation? Would it be better for it to be addressed by CloudFormation rather than by CDK?
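A startup check for the failure mode described in this thread (deployed values reverting to the placeholder such as "TODO"), as an added example that is not part of the discussion or of CDK itself. The parameter names, the `FakeSSM` stub and the sample values are constructed; `load_secrets` is a hypothetical helper that expects a client exposing boto3's SSM `get_parameter` call.

```python
PLACEHOLDER = "TODO"  # the default value the post says the stack deploys


class PlaceholderSecretError(RuntimeError):
    """Raised when a parameter was never set or was reset by a deploy."""


def load_secrets(ssm, names, placeholder=PLACEHOLDER):
    """Return {name: value}; raise if any parameter still holds the placeholder."""
    # `ssm` is any object with boto3's SSM get_parameter(Name=..., WithDecryption=...),
    # for example boto3.client("ssm").
    secrets, reset = {}, []
    for name in names:
        param = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
        if param["Value"].strip() == placeholder:
            # Report the name and version only; never log secret values.
            reset.append(f"{name} (version {param['Version']})")
        else:
            secrets[name] = param["Value"]
    if reset:
        raise PlaceholderSecretError("still placeholder: " + ", ".join(reset))
    return secrets


class FakeSSM:
    """Constructed stand-in for the SSM client so the example runs offline."""

    def __init__(self, store):
        self._store = store  # name -> (value, version)

    def get_parameter(self, Name, WithDecryption=False):
        value, version = self._store[Name]
        return {"Parameter": {"Name": Name, "Value": value, "Version": version}}


def demo():
    # Constructed sample state: the password was reset by a later deploy.
    ssm = FakeSSM({"/app/api/username": ("svc-user", 2),
                   "/app/api/password": ("TODO", 3)})
    try:
        load_secrets(ssm, ["/app/api/username", "/app/api/password"])
    except PlaceholderSecretError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    print(demo())
```

Running the same check from a post-deploy step, rather than only at service start, surfaces a reset before the application tries to authenticate with the placeholder.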