Parameters
AWS
- Things like AMI ID, instance ID, VPC ID, etc.
SSM
- AWS Doc
- Refer to a parameter (not secure string) saved in SSM parameter store
- Use parameter by name, don’t need to specify version
- Use a cross-account parameter by providing its full ARN.
Dynamic
- AWS doc
- Refer to parameters dynamically in templates. Useful to obscure secrets.
- No drift detection
{{resolve:ssm-secure:parameter-name:version}}
or {{resolve:ssm:parameter-name:version}}
- Can’t use secure string parameter for all resources. Very limited support, see this
- Can’t use cross-account parameters
- Can’t use public parameters or parameter labels
- Can’t use for custom resources
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
- Can use for ALL resources, well, almost.
- Can’t use for custom resources
- When changing a referred secret, CloudFormation still makes a list call to the old secret. Template update will fail if the old secret is marked for deletion ahead of the CloudFormation run.
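
The dynamic-reference forms and limits listed above, as an added example (not from the original notes or from AWS): a small Python linter that parses `{{resolve:...}}` strings in a template and flags the two cases the notes say do not work. The sample template, the finding labels, and the heuristic that an ARN inside an `ssm`/`ssm-secure` reference means a cross-account parameter are assumptions.

```python
import re
# Matches the three dynamic-reference forms listed in the notes above.
REF = re.compile(r"\{\{resolve:(ssm-secure|ssm|secretsmanager):([^{}]+)\}\}")
CUSTOM = ("Custom::", "AWS::CloudFormation::CustomResource")

def parse_ref(service, body):
    """Split the text after the service name into named fields."""
    parts = body.split(":")
    is_arn = parts[0] == "arn"
    if service == "secretsmanager":
        n = 7 if is_arn else 1   # a secret ARN spans 7 colon-separated fields
        keys = ("secret_string", "json_key", "version_stage", "version_id")
    else:
        n = 6 if is_arn else 1   # an SSM parameter ARN spans 6 fields
        keys = ("version",)
    fields = dict(zip(keys, parts[n:] + [""] * len(keys)))  # absent fields -> ""
    return {"service": service, "id": ":".join(parts[:n]), "is_arn": is_arn, **fields}

def strings(node):
    """Yield every string value nested inside a property tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from strings(v)

def lint(template):
    """Return (logical_id, parsed_ref, issue) for references the notes say fail."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        for text in strings(res.get("Properties", {})):
            for service, body in REF.findall(text):
                ref = parse_ref(service, body)
                if res.get("Type", "").startswith(CUSTOM):
                    findings.append((lid, ref, "dynamic reference in custom resource"))
                if service != "secretsmanager" and ref["is_arn"]:  # heuristic (assumption)
                    findings.append((lid, ref, "cross-account SSM parameter"))
    return findings

# Constructed sample template; names and the account id are placeholders.
SAMPLE = {"Resources": {
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUserPassword": "{{resolve:secretsmanager:app/db:SecretString:password}}"}},
    "Hook": {"Type": "Custom::Notify", "Properties": {
        "Token": "{{resolve:ssm-secure:/app/token:1}}"}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "{{resolve:ssm:arn:aws:ssm:us-east-1:111122223333:parameter/ami:3}}"}},
}}
```

Calling `lint(SAMPLE)` reports `Hook` and `Web` and leaves the Secrets Manager reference on `Db` alone.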
Questions
- What is stack sets?
- How do you deploy cross-region cross-account?
- How do you customize parameter values for different regions and/or accounts?
- What is termination protection?
- What is the deletion policy attribute? What resources support it? What are the valid values? Snapshot/retain
- What is a stack policy? What is the use-case?
- What is a change-set?
- Can you use SSM AppConfig?
- Can you use SSM Parameter Store? CloudFormation does not support creating secret parameters; supply parameter values in a separate file, like Terraform tfvars files.
- Parameter types
- Update behaviour
- How does it work with AWS CDK?
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html