# Lesson 4: Managing Secrets and Configurations with AWS SSM Parameter Store

### Introduction to AWS SSM Parameter Store

Welcome back! In our previous lessons, we explored the AWS Secrets Manager using the AWS SDK (Boto3) for Python. Today, we will delve into another vital component of AWS's secrets management ecosystem — the AWS Systems Manager Parameter Store, or SSM Parameter Store for short.

SSM Parameter Store is a service that provides secure, hierarchical storage for configuration data and secrets management. It helps you manage data like passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as text strings or encrypted data. By using Parameter Store, you can separate your secret and configuration data from your code. For more detailed information, refer to the official AWS Systems Manager Parameter Store documentation.

To communicate with the SSM Parameter Store, we will be using our trusty assistant, the AWS SDK for Python — Boto3, brushing up on what we have learned in previous lessons.

### Types of Parameters

SSM Parameter Store supports three parameter types: String, SecureString, and StringList.

- **String**: This type is used to represent plain text data. For example, it can store URLs, usernames, or any other configuration data represented as plain text.

- **SecureString**: This type is used to represent sensitive data such as passwords, API keys, database connection strings, etc. SecureString parameters are encrypted with AWS Key Management Service for increased security.

- **StringList**: This type is used to store a comma-separated list of values. For example, it can store a list of IP addresses or resource ARNs. Note that StringList cannot be encrypted.

### Creating Parameters in AWS SSM Parameter Store

Let's start with something basic — creating parameters. Here's how to create plain text ("String") and encrypted ("SecureString") parameters using the Boto3 client:

```python
ssm = boto3.client('ssm')

# Create a plain text parameter for application's API URL
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.myapp.com',
    Type='String',
)

# Create an encrypted parameter for application's API key
ssm.put_parameter(
    Name='/app_config/api_key',
    Value='my_encrypted_api_key',
    Type='SecureString',
)
```

Here, we initialize the Boto3 SSM client and use the `put_parameter()` function to create two parameters, one plain text and one encrypted.

### Reading and Updating Parameters

Reading parameters is as straightforward as creating them. We use the `get_parameter()` function, specifying the parameter name and whether we want to decrypt encrypted values. Here's how to fetch the API URL we just stored:

```python
response = ssm.get_parameter(
    Name='/app_config/api_url',
    WithDecryption=False
)
print('API URL:', response['Parameter']['Value'])
```

In this example, the `get_parameter()` function retrieves the specified parameter and its associated information. The function returns a dictionary containing a 'Parameter' key, which itself is a dictionary containing various attributes of the parameter, including its 'Value'.

Updating parameters is also pretty straightforward. Suppose our API URL has changed and needs to be updated. In that case, we use the same `put_parameter()` function but with an additional parameter — `Overwrite=True`:

```python
# Update the API URL parameter
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.newurl.com',
    Type='String',
    Overwrite=True,
)

### Organizing Parameters with Hierarchies

One of the best features of the SSM Parameter Store is its support for hierarchical storage. It allows us to create a hierarchy of parameters for an application's config, retrieve parameters from a specific path, and even assign granular access permissions at different levels of the hierarchy. Let's see this in action:

# Create a parameter hierarchy for application's database config
ssm.put_parameter(
    Name='/app_config/database/host',
    Value='db.myapp.com',
    Type='String',
)
ssm.put_parameter(
    Name='/app_config/database/user',
    Value='mydbuser',
    Type='String',
)
ssm.put_parameter(
    Name='/app_config/database/password',
    Value='mydbpassword',
    Type='SecureString',
)

# List all parameters in '/app_config/database' hierarchy
response = ssm.get_parameters_by_path(
    Path='/app_config/database',
    WithDecryption=False
)
for param in response['Parameters']:
    print('Name:', param['Name'], 'Value:', '[SECURE]' if param['Type'] == 'SecureString' else param['Value'])
```

The `get_parameters_by_path` method allows us to retrieve all parameters within a specified hierarchy. By specifying the Path argument, you tell AWS to return all parameters that start with this path. The `WithDecryption` flag indicates whether SecureString values should be decrypted when retrieved. This method is particularly useful for managing and accessing groups of parameters efficiently, enabling you to fetch multiple related configuration values in a single API call.

### Managing Tags for Parameters

Tagging helps organize your AWS resources and makes it easier to allocate costs and optimize resource spending. Tags in AWS are simply labels consisting of a user-defined key and value pair. AWS SSM Parameter Store supports tagging of parameters, and you can programmatically manage tags using Boto3, including both adding and deleting tags:

```python
# Tag the encrypted API key parameter
ssm.add_tags_to_resource(
    ResourceType='Parameter',
    ResourceId='/app_config/api_key',
    Tags=[{'Key': 'Environment', 'Value': 'Prod'}]
)

# Delete a tag from the API key parameter
ssm.remove_tags_from_resource(
    ResourceType='Parameter',
    ResourceId='/app_config/api_key',
    TagKeys=['Environment']
)
```

In the first part, you add a tag to the encrypted API key parameter. Then, if the need arises to remove a tag from a parameter, perhaps because the environment it relates to has changed or the parameter is being repurposed, the `remove_tags_from_resource` method allows you to specify which tags to delete using the `TagKeys` list.

### Deleting Parameters from Parameter Store

Lastly, we need to know how to clean up after ourselves. The AWS SDK for Python provides neat ways to delete parameters, individually or in batches:

```python
# Delete the API URL parameter
ssm.delete_parameter(Name='/app_config/api_url')

# Delete parameters in the database hierarchy
ssm.delete_parameters(Names=[
    '/app_config/database/host',
    '/app_config/database/user',
    '/app_config/database/password'
])
```
### Summary and Practice

Congratulations, you've learned a broad range of operations involving the AWS SSM Parameter Store! While this marks the end of this specific lesson, remember that real mastery will come through hands-on practice with CodeSignal’s interactive coding exercises.

In the next hands-on session, you will practice how to create, update, read, tag, and delete parameters in the SSM Parameter Store. Additionally, you'll work with hierarchical parameter storage, providing you with a well-rounded grasp of AWS secrets management.

## Running AWS SSM Parameter Store Operations

Ready for the first practice task? Perfect! Your task is to run a Python script that interacts with the AWS Systems Manager (SSM) Parameter Store. The script creates several parameters, updates one parameter, reads the updated parameter, and adds a tag to another. The script concludes by creating a parameter hierarchy, reading the parameters under this hierarchy, and then deleting all the parameters. Please take a look at the script and execute it to become familiar with the fundamental functionalities of the AWS SSM Parameter Store.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the boto3 SSM client
ssm = boto3.client('ssm')

# Create a plain text parameter for application's API URL
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.myapp.com',
    Type='String',
)

# Create an encrypted parameter for application's API key
ssm.put_parameter(
    Name='/app_config/api_key',
    Value='my_encrypted_api_key',
    Type='SecureString',
)

# Update the API URL parameter
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.newurl.com',
    Type='String',
    Overwrite=True,
)

# Read the API URL parameter
response = ssm.get_parameter(
    Name='/app_config/api_url',
    WithDecryption=False
)
print('API URL:', response['Parameter']['Value'])

# Tag the encrypted API key parameter
ssm.add_tags_to_resource(
    ResourceType='Parameter',
    ResourceId='/app_config/api_key',
    Tags=[{'Key': 'Environment', 'Value': 'Prod'}]
)

# Create a parameter hierarchy for application's database config
ssm.put_parameter(
    Name='/app_config/database/host',
    Value='db.myapp.com',
    Type='String',
)

ssm.put_parameter(
    Name='/app_config/database/user',
    Value='mydbuser',
    Type='String',
)

ssm.put_parameter(
    Name='/app_config/database/password',
    Value='mydbpassword',
    Type='SecureString',
)

# List all parameters in '/app_config/database' hierarchy
response = ssm.get_parameters_by_path(
    Path='/app_config/database',
    WithDecryption=False
)
for param in response['Parameters']:
    print('Name:', param['Name'], 'Value:', '[SECURE]' if param['Type'] == 'SecureString' else param['Value'])

# Delete the API URL parameter
ssm.delete_parameter(Name='/app_config/api_url')

# Delete parameters in the database hierarchy
ssm.delete_parameters(Names=[
    '/app_config/database/host', 
    '/app_config/database/user', 
    '/app_config/database/password'
])
```

I can't execute the script directly as it interacts with AWS resources. However, I can guide you through the process of running it in your own environment. Here’s a step-by-step breakdown of what the script does and how to run it:

### Step-by-Step Breakdown

1. **Initialize the Boto3 SSM Client**: The script starts by creating a client for the AWS Systems Manager using Boto3.

2. **Create Parameters**:
   - It creates a plain text parameter for the application's API URL.
   - It creates an encrypted parameter for the application's API key.

3. **Update a Parameter**: The script updates the API URL parameter with a new value.

4. **Read a Parameter**: It retrieves the updated API URL and prints it.

5. **Tag a Parameter**: The script adds a tag to the encrypted API key parameter.

6. **Create a Parameter Hierarchy**: It creates a hierarchy of parameters for the application's database configuration.

7. **List Parameters in the Hierarchy**: The script retrieves and prints all parameters under the specified hierarchy.

8. **Delete Parameters**: Finally, it deletes the API URL parameter and all parameters in the database hierarchy.

### How to Run the Script

1. **Set Up Your Environment**:
   - Ensure you have Python and Boto3 installed. You can install Boto3 using pip:
     ```bash
     pip install boto3
     ```

2. **Configure AWS Credentials**:
   - Make sure your AWS credentials are configured. You can do this by setting up the `~/.aws/credentials` file or using environment variables.

3. **Run the Script**:
   - Copy the provided script into a Python file (e.g., `ssm_script.py`).
   - Run the script using Python:
     ```bash
     python ssm_script.py
     ```

4. **Resetting the Environment**:
   - If you need to revert to the initial state after running the script, use the reset button in your AWS simulator. Remember that this will erase any code changes, so copy your code to the clipboard if needed.

### Important Notes

- Ensure you have the necessary permissions to interact with the SSM Parameter Store in your AWS account.
- Be cautious when running scripts that modify resources, especially in a production environment.

If you have any questions or need further assistance, feel free to ask!

## Creating and Fetching AWS SSM Parameters

Welcome to this task on managing AWS SSM Parameters! Your job is to modify the provided Python script to retrieve and print the values of the /app_config/api_url and /app_config/api_key parameters using the get_parameter method. Be sure to utilize the WithDecryption parameter correctly when fetching these values.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the boto3 SSM client
ssm = boto3.client('ssm')

# Create a plain text parameter for application's API URL
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.myapp.com',
    Type='String',
)

# Create an encrypted parameter for application's API key
ssm.put_parameter(
    Name='/app_config/api_key',
    Value='my_encrypted_api_key',
    Type='SecureString',
)

# TODO: Retrieve and print the values of the '/app_config/api_url' and '/app_config/api_key' parameters

```

To modify the provided Python script to retrieve and print the values of the `/app_config/api_url` and `/app_config/api_key` parameters, you can use the `get_parameter` method. Make sure to set the `WithDecryption` parameter to `True` when fetching the encrypted API key. Here’s the updated script:

```python
import boto3

# Initialize the boto3 SSM client
ssm = boto3.client('ssm')

# Create a plain text parameter for application's API URL
ssm.put_parameter(
    Name='/app_config/api_url',
    Value='https://api.myapp.com',
    Type='String',
)

# Create an encrypted parameter for application's API key
ssm.put_parameter(
    Name='/app_config/api_key',
    Value='my_encrypted_api_key',
    Type='SecureString',
)

# Retrieve and print the values of the '/app_config/api_url' and '/app_config/api_key' parameters
# Fetch the API URL
url_response = ssm.get_parameter(
    Name='/app_config/api_url',
    WithDecryption=False  # No decryption needed for plain text
)
print('API URL:', url_response['Parameter']['Value'])

# Fetch the API key
key_response = ssm.get_parameter(
    Name='/app_config/api_key',
    WithDecryption=True  # Decrypt the value for SecureString
)
print('API Key:', key_response['Parameter']['Value'])
```

### Explanation of Changes

1. **Retrieve API URL**: The script uses `get_parameter` to fetch the `/app_config/api_url` parameter without decryption since it's a plain text parameter.

2. **Retrieve API Key**: The script uses `get_parameter` to fetch the `/app_config/api_key` parameter with `WithDecryption=True` to ensure the encrypted value is decrypted before printing.

### How to Run the Updated Script

1. **Set Up Your Environment**: Ensure you have Python and Boto3 installed, and your AWS credentials are configured.

2. **Run the Script**: Copy the updated script into a Python file (e.g., `ssm_retrieve_script.py`) and run it using:
   ```bash
   python ssm_retrieve_script.py
   ```

3. **Resetting the Environment**: If needed, use the reset button in your AWS simulator to revert to the initial state.

Feel free to ask if you have any questions or need further assistance!

## Modifying and Verifying SSM Parameter Values

## Managing Parameters with AWS SSM Overwrite Feature

## Deleting Single and Multiple Parameters in AWS

## Mastering AWS SSM Parameter Store Operations