Skip to content

Resource: awsSsmParameter

Provides an SSM Parameter resource.

\~> Note: overwrite also makes it possible to overwrite an existing SSM Parameter that's not created by Terraform before.

Example Usage

Basic example

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ssmParameter.SsmParameter(this, "foo", {
  name: "foo",
  type: "String",
  value: "bar",
});

Encrypted string using default SSM KMS key

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dbInstance.DbInstance(this, "default", {
  allocatedStorage: 10,
  dbSubnetGroupName: "my_database_subnet_group",
  engine: "mysql",
  engineVersion: "5.7.16",
  instanceClass: "db.t2.micro",
  name: "mydb",
  parameterGroupName: "default.mysql5.7",
  password: "${var.database_master_password}",
  storageType: "gp2",
  username: "foo",
});
new aws.ssmParameter.SsmParameter(this, "secret", {
  description: "The parameter description",
  name: "/production/database/password/master",
  tags: {
    environment: "production",
  },
  type: "SecureString",
  value: "${var.database_master_password}",
});

\~> Note: The unencrypted value of a SecureString will be stored in the raw state as plain-text. Read more about sensitive data in state.

Argument Reference

The following arguments are required:

  • name - (Required) Name of the parameter. If the name contains a path (e.g., any forward slashes (/)), it must be fully qualified with a leading forward slash (/). For additional requirements and constraints, see the AWS SSM User Guide.
  • type - (Required) Type of the parameter. Valid types are string, stringList and secureString.

The following arguments are optional:

  • allowedPattern - (Optional) Regular expression used to validate the parameter value.
  • dataType - (Optional) Data type of the parameter. Valid values: text, aws:ssm:integration and aws:ec2:image for AMI format, see the Native parameter support for Amazon Machine Image IDs.
  • description - (Optional) Description of the parameter.
  • insecureValue - (Optional, exactly one of value or insecureValue is required) Value of the parameter. Use caution: This value is never marked as sensitive in the Terraform plan output. This argument is not valid with a type of secureString.
  • keyId - (Optional) KMS key ID or ARN for encrypting a SecureString.
  • overwrite - (Optional) Overwrite an existing parameter. If not specified, will default to false if the resource has not been created by terraform to avoid overwrite of existing resource and will default to true otherwise (terraform lifecycle rules should then be used to manage the update behavior).
  • tags - (Optional) Map of tags to assign to the object. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • tier - (Optional) Parameter tier to assign to the parameter. If not specified, will use the default parameter tier for the region. Valid tiers are standard, advanced, and intelligentTiering. Downgrading an advanced tier parameter to standard will recreate the resource. For more information on parameter tiers, see the AWS SSM Parameter tier comparison and guide.
  • value - (Optional, exactly one of value or insecureValue is required) Value of the parameter. This value is always marked as sensitive in the Terraform plan output, regardless of type. In Terraform CLI version 0.15 and later, this may require additional configuration handling for certain scenarios. For more information, see the Terraform v0.15 Upgrade Guide.

\~> NOTE: aws:ssm:integration data_type parameters must be of the type secureString and the name must start with the prefix /d9D010874A3F49E0B0B4D568D7826553/ssm/integrations/webhook/. See here for information on the usage of aws:ssm:integration parameters.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the parameter.
  • tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
  • version - Version of the parameter.

Import

SSM Parameters can be imported using the parameterStoreName, e.g.,

$ terraform import aws_ssm_parameter.my_param /my_path/my_paramname