4
votes

Dynamic references to SSM parameters are supported within CloudFormation templates:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

The documentation states that you can use the ssm dynamic reference to include values stored in the Systems Manager Parameter Store of type String or StringList in your templates.

We are trying to reference a parameter of type StringList in our template using the syntax {{resolve:ssm:parameter-name:version}} and have it resolve to a list of strings in the template (more specifically, a list of SecurityGroupIds for an EC2 instance). This has not worked, and the documentation does not specify how to do this or if it is supported. We have tried using Fn::Split; however, it appears this gets called before the dynamic value gets resolved. We are unable to use SSM values in the parameters section of the template, where this is documented. Does anyone know if it is possible to have {{resolve ... to a list of strings?

2
Can you share your CF template? Any error messages? - jogold

2 Answers

5
votes

AWS Support has responded to my request about this issue and explained that the answer to my question is no, it is not currently supported. The full text of their response is below.

Currently, CFN can take a StringList type, but such a StringList is being returned as comma-separated string values, resulting in one long string. Therefore, in cases where we need it to become multiple values like an array or list of strings, for example a list of SecurityGroup Ids for an EC2 instance, it is not presently supported.

With that said, I dug further and found we internally have this as an existing feature request to which I have added your voice to help gain more traction for this feature. I do not have an ETA to share as the service team is discreet about their timeline/worklog. However, if/when the feature becomes available, it shall be publicly announced at the following places:

3
votes

While waiting for AWS to implement the pending feature request for {{resolve: ... dynamic references to resolve to 'List of String' type, you can work around this currently using the SSM parameter type of AWS::SSM::Parameter::Value<List<String>> with a default value corresponding to the SSM parameter you want to reference:

Parameters:
  SecurityGroups:
    Type: AWS::SSM::Parameter::Value<List<String>>
    Default: security-groups
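Resources:
  Instance:  # logical resource ID (any name); required under Resources
    Type: AWS::EC2::Instance
    Properties:
      # !Ref on the SSM-typed parameter yields a list of strings
      SecurityGroupIds: !Ref SecurityGroups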
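
A fuller, deployable form of this workaround, as an added example that is not part of the original answer, with the dynamic-reference form that AWS Support says is unsupported shown commented out beside it. The logical ID `Instance`, the instance type, the public AMI parameter and the version number `1` are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 instance whose security groups come from an SSM StringList parameter

Parameters:
  # CloudFormation fetches the StringList parameter named in Default when the
  # stack is created or updated and passes the template a real list.
  SecurityGroups:
    Type: AWS::SSM::Parameter::Value<List<String>>
    Default: security-groups   # SSM parameter name, as in the answer above
  # Assumption: latest Amazon Linux 2 AMI, read from the public SSM parameter.
  ImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  Instance:                    # hypothetical logical ID
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro   # assumption
      # Works: !Ref on the SSM-typed parameter yields a list of strings.
      SecurityGroupIds: !Ref SecurityGroups
      # Not supported (per the AWS Support reply above): the dynamic reference
      # resolves to one comma-separated string, not a list. Version 1 is a
      # constructed value.
      # SecurityGroupIds: '{{resolve:ssm:security-groups:1}}'
```

The SSM value is read only when the stack is created or updated, so a change to the `security-groups` parameter reaches the instance on the next stack update, not automatically. The principal that deploys the stack needs `ssm:GetParameters` on the referenced parameters.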