CloudFormation Parameters

In CloudFormation, we can pass a bunch of parameters or an external JSON file as an option via the AWS CLI.
I know sls has the env variable feature, but I realised that the end result, which is the stack template, has no parameters and all the var values are embedded as part of the template "body" (they can be viewed in the AWS web console). Therefore, we cannot hide certain sensitive data or utilize the NoEcho feature in CloudFormation; for e.g. RDS instance creation requires master username and password as input params.
Perhaps anyone knows a workaround for this scenario?


I was able to use params by adding a Parameters section to the resources section. Apparently serverless will let you define anything that can go in a CloudFormation template, not just resources.

resources:
  Parameters: 
    LambdaSecurityGroup: 
      Default: "sg-xxxxxxxx"
      Type: AWS::EC2::SecurityGroup::Id
  
    LambdaSubnets:
      Default: "subnet-xxxxxxx,subnet-xxxxxxx"
      Type: List<AWS::EC2::Subnet::Id>
    
  Resources:
    ApiGatewayCustomDomainMapping:
      Type: "AWS::ApiGateway::BasePathMapping"
      Properties:
        BasePath: ......

Make sure you specify defaults; that is what serverless will use when you do a serverless deploy. My use case is that I want to be able to override the default values when I use the generated CloudFormation template directly, e.g. in production.

Here is how I referenced the params:

provider:
  name: aws
  region: us-west-2
  runtime: nodejs6.10
  memorySize: 1024
  vpc:
    securityGroupIds:
      - Ref: LambdaSecurityGroup
    subnetIds:
      Ref: LambdaSubnets

Update: FYI, this doesn't work when you try to do serverless deploy function for a specific function (it seems the CloudFormation resolution doesn't happen), but it still works for a full serverless deploy.


Thanks for the info!
My guess is that sls deploy function works directly with Lambda, bypassing CloudFormation, but I could be wrong.

About my use case (securing the secrets), it might be a difficult situation with serverless, as I wouldn't want to set, for e.g., the db credentials under the default value of the Parameters. It will be visible and easily accessible under the AWS console. Although the sls command allows custom CLI options/params, and I can use these input properties in the YML, for e.g. putting them into the Parameters section as you've suggested and with NoEcho enabled.

However, the CloudFormation Parameters section only allows default values to be set, and sls has no proper Parameters integration with the stack. This would mean I still need to set the values into the defaults, which will eventually be visible under the AWS console. sls doesn't seem to be able to inject or supply them directly into the stack like the aws CLI does.
More info: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

I’ve found that this plugin will solve the issue of not having passwords in your templates:

Just follow the examples on this page, then you can add:

custom:
  cf-parameters:
    password: foobar
...
resources:
  Resources:
    ...
    MyDb:
      Type: "AWS::RDS::DBInstance"
      Properties:
        ...
        MasterUserPassword:
          Ref: password

to your template, deploy, then unset the variable and you can commit it to your repo. From now on, every deploy will use the existing param. If you need to change the password, edit the above (but don’t commit), then remove the value after deploy.

It mentions you can use the environment variable as well, which makes the above process easier, but I did not test it.

Now serverless supports stackParameters to pass parameters to CloudFormation templates.
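Putting the thread together (the Parameters section from the second post, NoEcho from the original question, and stackParameters from the last reply), here is an added serverless.yml example that is not from any poster in this thread. It assumes a DB_PASSWORD environment variable is set in the deploying shell or CI job; the service name, engine and instance sizes are arbitrary.

```yaml
# Added example (not from the thread): keep the RDS master password out of the
# template body by pairing a NoEcho parameter with provider.stackParameters.
# Assumes DB_PASSWORD is exported in the environment that runs the deploy.
service: rds-noecho-demo

provider:
  name: aws
  runtime: nodejs18.x
  region: us-west-2
  # Sent to CloudFormation as stack parameters at deploy time, so the value is
  # never written into the template body that the console displays.
  stackParameters:
    - ParameterKey: DbMasterPassword
      ParameterValue: ${env:DB_PASSWORD}

resources:
  Parameters:
    DbMasterUsername:
      Type: String
      Default: appadmin
    DbMasterPassword:
      Type: String
      NoEcho: true   # console and describe-stacks show **** instead of the value
      MinLength: 12
      # Deliberately no Default: a default would land in the template body.

  Resources:
    AppDatabase:
      Type: AWS::RDS::DBInstance
      Properties:
        Engine: postgres
        DBInstanceClass: db.t3.micro
        AllocatedStorage: 20
        MasterUsername:
          Ref: DbMasterUsername
        MasterUserPassword:
          Ref: DbMasterPassword
```

After `serverless deploy`, `aws cloudformation describe-stacks --stack-name rds-noecho-demo-dev --query 'Stacks[0].Parameters'` reports the DbMasterPassword value as `****`, which is the check that the secret stayed out of the stored template. As noted earlier in the thread, `serverless deploy function` bypasses CloudFormation, so only a full deploy exercises this path.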