
aws.ssm-parameter resource

Description

Parameter manages an SSM parameter: a single PutParameter upsert keyed by name. The name and the data type are fixed at create time -- a parameter cannot be renamed in place, and SSM rejects a data-type change on an existing parameter -- so a change to either replaces the parameter; every other input is reconciled in place by Update through another PutParameter.

The value is given either as value (masked, the SecureString secret) or as insecure-value (plaintext, readable back). Both feed the single SDK Value argument; exactly one must be set, and insecure-value is forbidden when the type is SecureString. Tags do not ride a PutParameter that overwrites an existing parameter -- SSM rejects setting both Tags and Overwrite -- so on an update they are reconciled by separate AddTagsToResource and RemoveTagsFromResource calls.

Source: internal/service/ssm/parameter_rsrc.go:49

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.ssm-parameter {
    # Set input fields here.
  }
}

Inputs

name

string

required

Name is the fully qualified parameter name and the resource identity. It must be 1 to 2048 characters, a length checked in Create and Update.

type

string

required

Type is the parameter type: String, StringList, or SecureString.

value

optional(string)

sensitive

Value is the parameter value when it should be masked; it is the SecureString secret and is held sensitive. Exactly one of value or insecure-value is set.

insecure-value

optional(string)

InsecureValue is the parameter value when it should read back in plaintext. It is not sensitive and is forbidden with a SecureString type. Exactly one of value or insecure-value is set.

allowed-pattern

optional(string)

AllowedPattern is a regular expression SSM uses to validate the value. It is always sent, so setting it back to empty clears it server-side. It must be at most 1024 characters, a length checked in Create and Update.

description

optional(string)

Description is optional metadata for the parameter, at most 1024 characters, a length checked in Create and Update.

key-id

optional(string)

KeyId is the KMS key that encrypts a SecureString value. It is sent only when the type is SecureString, since SSM rejects it for other types.

data-type

optional(string)

DataType is the value's data type: text, aws:ec2:image, or aws:ssm:integration. An aws:ec2:image value is validated asynchronously.

tier

optional(string)

Tier is the parameter tier: Standard, Advanced, or Intelligent-Tiering. An unset tier lets SSM apply the account default.

tags

map(string)

Tags is the parameter's tag set. On create the tags ride the PutParameter call; on update they are reconciled by separate tag calls, since SSM forbids setting both Tags and Overwrite.

Input Constraints

Field combinations

Exactly one of value or insecure-value.

Type rules

insecure-value cannot be set when type is SecureString.

Rule logic
When
input.type == 'SecureString'
Require
input.insecure-value == null

type must be String, StringList, or SecureString.

Rule logic
Require
input.type == 'String'
|| input.type == 'StringList'
|| input.type == 'SecureString'

Tier rules

tier must be Standard, Advanced, or Intelligent-Tiering.

Rule logic
When
input.tier != null
Require
input.tier == 'Standard'
|| input.tier == 'Advanced'
|| input.tier == 'Intelligent-Tiering'

Data type rules

data-type must be text, aws:ec2:image, or aws:ssm:integration.

Rule logic
When
input.data-type != null
Require
input.data-type == 'text'
|| input.data-type == 'aws:ec2:image'
|| input.data-type == 'aws:ssm:integration'
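
The rules above as a pre-flight check, written in Go as an added example (not the library's own code). The Inputs struct, Check, and the helper names are hypothetical, and the sample values are constructed; a nil pointer stands for a null input in the rule logic.

```go
package main

import "fmt"

// Inputs is a hypothetical struct for this example, not the library's type.
// Pointer fields are nil when the input is unset (null in the rule logic).
type Inputs struct {
	Type string
	Value, InsecureValue, Tier, DataType *string
}

// in reports whether v is one of the allowed values.
func in(v string, allowed ...string) bool {
	for _, a := range allowed {
		if v == a {
			return true
		}
	}
	return false
}

// Check returns one message per violated rule from "Input Constraints".
func Check(i Inputs) []string {
	var bad []string
	if (i.Value == nil) == (i.InsecureValue == nil) { // both set or both unset
		bad = append(bad, "exactly one of value or insecure-value")
	}
	if i.Type == "SecureString" && i.InsecureValue != nil {
		bad = append(bad, "insecure-value cannot be set when type is SecureString")
	}
	if !in(i.Type, "String", "StringList", "SecureString") {
		bad = append(bad, "type must be String, StringList, or SecureString")
	}
	if i.Tier != nil && !in(*i.Tier, "Standard", "Advanced", "Intelligent-Tiering") {
		bad = append(bad, "tier must be Standard, Advanced, or Intelligent-Tiering")
	}
	if i.DataType != nil && !in(*i.DataType, "text", "aws:ec2:image", "aws:ssm:integration") {
		bad = append(bad, "data-type must be text, aws:ec2:image, or aws:ssm:integration")
	}
	return bad
}

func str(s string) *string { return &s }

func main() {
	// Constructed sample: a secret placed in insecure-value, plus an invalid tier.
	leaky := Inputs{Type: "SecureString", InsecureValue: str("constructed-sample-secret"), Tier: str("Premium")}
	for _, msg := range Check(leaky) {
		fmt.Println("violation:", msg)
	}
	ok := Inputs{Type: "SecureString", Value: str("constructed-sample-secret")}
	fmt.Println("violations for masked value:", len(Check(ok)))
}
```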

Outputs

arn

string

version

integer

name

string