Thursday, May 30, 2019

CloudFormation long form to short form variable substitution


In CloudFormation, you don't need to inject the Region or Account ID into your template unless you are referencing something external.

If you use Join, consider swapping it for Sub when you are not adding anything and are only dealing with a string, e.g.

from
SourceArn: !Join [ '', ["arn:aws:execute-api:", Ref: AWS::Region, ":", Ref: AWS::AccountId, ":*"] ]

to

Wednesday, May 29, 2019

AWS Lambda with SSM Parameter Store variables


So you have used Spring Cloud's SSM support on Elastic Beanstalk and Docker, and want the same nice config setup in Lambda.

Sadly the Spring framework is a bit too heavy for Lambda, and they suggest Dagger 2 or Guice instead. This guide is not about statically or dynamically wiring beans together, but about getting parameters into your beans.

In the old days you had to put all of your configuration on the environment path, or in a file in S3 which you had to parse. That was OK for simple things, but it was not secure for secrets such as database passwords or credentials for other systems external to AWS.

So most people rolled their own KMS decryption that runs when the function loads in Lambda. That works, but it is still not easy to test locally versus in the cloud.

This code was inspired by the spring-cloud-aws project, but without the Spring bits. (It does not do the nice overlays with dynamic profile activation etc., but it is still a good step away from having all of your properties on the environment path.)


Do ensure your IAM policy allows SSM access (here is an excerpt from the CloudFormation template). SSMKey is the ARN of the KMS key used to decrypt your parameters (if they are encrypted; otherwise you can drop the kms:Decrypt statement).

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref LambdaRoleName
      AssumeRolePolicyDocument:
        Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
        Version: '2012-10-17'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName:
            Fn::Join:
              - '-'
              - - Ref: Product
                - Application-Lambda-Policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:DescribeParameters
                Resource: "*"
              - Effect: Allow
                Action:
                  - ssm:GetParameters
                  - ssm:GetParameter
                  - ssm:GetParametersByPath
                Resource:
                  - !Sub "arn:aws:ssm:*:*:parameter/config/${Service}"
                  - !Sub "arn:aws:ssm:*:*:parameter/config/${Service}/*"
                  - !Sub "arn:aws:ssm:*:*:parameter/config/${Service}_*"
                  - !Sub "arn:aws:ssm:*:*:parameter/config/${Service}_*/*"
              - Effect: Allow
                Action:
                  - kms:Decrypt
                Resource:
                  - Ref: SSMKey
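An added example of the loader side that this policy grants access to (it is not the post's code and not spring-cloud-aws's). It assumes the AWS SDK for Java v2, the /config/{service}/ and /config/{service}_{profile}/ parameter layout from the policy above, and caller-supplied service and profile names; withDecryption is what needs kms:Decrypt on SSMKey.

```java
// Added example, not the post's code: load /config/<service>/ and overlay
// /config/<service>_<profile>/ so profile-specific values win, mirroring the
// spring-cloud-aws layout the post mentions. Assumes AWS SDK for Java v2.
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathResponse;
import software.amazon.awssdk.services.ssm.model.Parameter;

import java.util.LinkedHashMap;
import java.util.Map;

public final class SsmConfigLoader {
    private final SsmClient ssm;

    public SsmConfigLoader(SsmClient ssm) {
        this.ssm = ssm;
    }

    /** Loads /config/{service}/ first, then /config/{service}_{profile}/ on top. */
    public Map<String, String> load(String service, String profile) {
        Map<String, String> props = new LinkedHashMap<>();
        loadPath("/config/" + service + "/", props);
        if (profile != null && !profile.isEmpty()) {
            loadPath("/config/" + service + "_" + profile + "/", props);
        }
        return props;
    }

    private void loadPath(String path, Map<String, String> into) {
        String token = null;
        do {
            // Paginate: GetParametersByPath returns at most 10 parameters per call.
            GetParametersByPathRequest req = GetParametersByPathRequest.builder()
                    .path(path)
                    .recursive(true)
                    .withDecryption(true) // SecureString values need kms:Decrypt on SSMKey
                    .nextToken(token)
                    .build();
            GetParametersByPathResponse resp = ssm.getParametersByPath(req);
            for (Parameter p : resp.parameters()) {
                // "/config/svc/db/password" becomes the property key "db.password"
                String key = p.name().substring(path.length()).replace('/', '.');
                into.put(key, p.value());
            }
            token = resp.nextToken();
        } while (token != null);
    }
}
```

Build the map once in the Lambda's static initialiser so the SSM calls happen per cold start rather than per invocation, and keep the decrypted values out of log output.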