I'm trying to access secrets created in Secrets Manager (https://aws.amazon.com/secrets-manager/) via SSM (Systems Manager, https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html), i.e. AWS Parameter Store, and store them in a custom YAML variable in the serverless.yml file. I am trying to implement CloudFormation through the Serverless Framework (https://serverless.com/), and I am trying to implement a nested if statement in CloudFormation for the above using the code below.

stage: &stage 'dev' # Hardcoded for now
rdsMasterPassword:
  !If
    - !Equals [*stage, "prod"]
    - ${ssm:/aws/reference/secretsmanager/cred-prod~true:rdsMasterPassword}
    - !If
      - !Equals [*stage, "staging"]
      - ${ssm:/aws/reference/secretsmanager/cred-staging~true:rdsMasterPassword}
      - ${ssm:/aws/reference/secretsmanager/cred-dev~true:rdsMasterPassword}

I have tried the CloudFormation intrinsic function Fn::If for this but am facing this error: `Fn::If requires a list argument with the first element being a condition`

  • AWS uses the YAML format. [YML](https://fdik.org/yml/) is not the same as [YAML](https://yaml.org/spec/1.2/spec.html) and the recommended extension for YAML files has been `.yaml` at least since Sep 2006. – Anthon May 27 '19 at 05:10
  • Serverless framework uses YML, from what I read through its documentation. I am not using AWS SAM format, but the serverless.yml autocreated by serverless framework cli. – Gurpreet Singh Drish May 27 '19 at 05:24
  • What you present there is data in YAML format. YML is XML based and looks completely different. Please provide a link that supports your claim, or remove the tag [tag:yaml]. – Anthon May 27 '19 at 05:57
  • Check this out: https://serverless.com/framework/docs/providers/aws/guide/serverless.yml/ – Gurpreet Singh Drish May 27 '19 at 06:13
  • That is all YAML format. And AWS is outdated in that they still have not implemented a recommendation made on the YAML website **in 2006**, to use `.yaml` as a file extension for YAML *format* files. However, to call YAML (format) files (whether with the recommended `.yaml` extension, with `.yml` or any other extension) [YML](https://fdik.org/yml/) is not outdated; it is like calling Java source code Python because someone put it in a file with a `.py` extension. If you can't correct the file extension, please at least use the right file format terminology. – Anthon May 27 '19 at 07:05

2 Answers


Just want to point out that if you're looking to load different SSM paths based on environment, you can achieve this in many ways, outlined here.

I've had a pleasant time loading through JSON files, for example:

-- serverless-staging.json --
{
  "ssm_path": "/path/to/staging/ssm/parameter"
}

-- serverless-prod.json --
{
  "ssm_path": "/path/to/prod/ssm/parameter"
}

-- serverless.yml --
...
stage: ${opt:stage, 'dev'}
environment:
  SSM_PATH: ${file(serverless-${self:provider.stage}.json):ssm_path}
... etc etc

Hope this helps whoever else lands here from a search.

cssiamamess

Due to a restriction in YAML, it is not possible to use the shortcut syntax for a sequence of intrinsic functions.

See the "Important" section in the docs for reference.

Try this:

stage: &stage 'dev' # Hardcoded for now
rdsMasterPassword:
  Fn::If:
    - Fn::Equals: [*stage, "prod"]
    - ${ssm:/aws/reference/secretsmanager/cred-prod~true:rdsMasterPassword}
    - Fn::If:
        - Fn::Equals: [*stage, "staging"]
        - ${ssm:/aws/reference/secretsmanager/cred-staging~true:rdsMasterPassword}
        - ${ssm:/aws/reference/secretsmanager/cred-dev~true:rdsMasterPassword}
Morodin
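Added example, not from the question or either answer: a serverless.yml that selects the stage's secret with one nested Serverless variable instead of a CloudFormation `Fn::If`, because `${ssm:...}` references are resolved by the framework at deploy time (so a `Fn::If` wrapped around three of them still fetches all three passwords and writes them into the compiled template), and because `Fn::If` expects the name of an entry in the `Conditions` section as its first element, not an inline `Fn::Equals`. Assumed: secrets named `cred-dev`, `cred-staging` and `cred-prod`, each a JSON string with an `rdsMasterPassword` key, a hypothetical service name, and CloudFormation's `{{resolve:secretsmanager:...}}` dynamic reference, which goes beyond what the answers show.

```yaml
# serverless.yml (added example; not from the question or the answers)
service: example-service          # hypothetical service name

provider:
  name: aws
  stage: ${opt:stage, 'dev'}      # dev | staging | prod

custom:
  # Only the secret *name* is built here, from the deploy-time stage.
  # The framework never reads the secret value, so nothing secret is
  # written into .serverless/ or into the CloudFormation template.
  secretName: cred-${self:provider.stage}

  # Weak form, kept commented out for comparison: each ${ssm:...} below is
  # resolved eagerly by the framework, so every stage's password is
  # fetched and embedded in plain text whatever stage is deployed, and
  # Fn::If still needs a Conditions entry name (e.g. IsProd) as its first
  # element, not Fn::Equals.
  # weakPassword:
  #   Fn::If:
  #     - IsProd
  #     - ${ssm:/aws/reference/secretsmanager/cred-prod~true:rdsMasterPassword}
  #     - ${ssm:/aws/reference/secretsmanager/cred-dev~true:rdsMasterPassword}

resources:
  Resources:
    RdsInstance:
      Type: AWS::RDS::DBInstance
      Properties:
        Engine: postgres
        DBInstanceClass: db.t3.micro
        AllocatedStorage: 20
        MasterUsername: app
        # CloudFormation dynamic reference. Serverless substitutes
        # ${self:custom.secretName} first, giving e.g.
        # {{resolve:secretsmanager:cred-dev:SecretString:rdsMasterPassword}};
        # CloudFormation then reads the JSON key at stack create/update time,
        # and the caller needs secretsmanager:GetSecretValue on that one
        # secret only.
        MasterUserPassword: '{{resolve:secretsmanager:${self:custom.secretName}:SecretString:rdsMasterPassword}}'
```

Deploy with `serverless deploy --stage staging` and only `cred-staging` is referenced; the template stored by CloudFormation (visible to anyone with `cloudformation:GetTemplate`) contains the reference, not the password.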