junaid18183 · April 3, 2018 07:35
diff --git a/ssm-cft.json b/ssm-cft.json
 {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "HelloWorld Parameters"
          },
          "Parameters": [
            "PanoUsername",
            "PanoPassword",
            "LambdaRoleName"
          ]
        }
      ]
    }
  },
  "Parameters": {
    "PanoUsername": {
      "Description": "PanoUsername",
      "Type": "String",
      "NoEcho": true
    },
    "PanoPassword": {
      "Description": "PanoPassword",
      "Type": "String",
      "NoEcho": true
    }
  },
  "Resources": {
    "SSMPanoUser": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Name": "pano-username",
        "Type": "String",
        "Value": {
          "Ref": "PanoUsername"
        },
        "Description": "SSM Parameter for Pano UserName",
        "AllowedPattern": "^[a-zA-Z]{1,10}$"
      }
    },
    "SSMPanoPassword": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Name": "pano-password",
        "Type": "String",
        "Value": {
          "Ref": "PanoPassword"
        },
        "Description": "SSM Parameter for Password",
        "AllowedPattern": "^[a-zA-Z]{1,10}$"
      }
    },
    "LambdaExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Fn::Join": [
            "-",
            [
              "LambdaExecutionRole",
              {
                "Ref": "AWS::StackName"
              }
            ]
          ]
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    },
    "LambdaExecutionPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "DependsOn": [
        "LambdaExecutionRole"
      ],
      "Properties": {
        "ManagedPolicyName": {
          "Fn::Join": [
            "-",
            [
              "LambdaExecutionPolicy",
              {
                "Ref": "AWS::StackName"
              }
            ]
          ]
        },
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                "sqs:DeleteMessage",
                "dynamodb:PutItem",
                "states:ListExecutions",
                "dynamodb:DeleteItem",
                "ssm:Get*",
                "sqs:ReceiveMessage",
                "ec2:DeleteNetworkInterface",
                "sqs:SendMessage",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem",
                "sqs:GetQueueAttributes",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "logs:CreateLogStream",
                "ec2:DescribeNetworkInterfaces",
                "dynamodb:DescribeTable",
                "ssm:Describe*",
                "dynamodb:GetItem",
                "states:StartExecution",
                "ssm:List*",
                "dynamodb:UpdateTable",
                "dynamodb:GetRecords"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "HelloWorld": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "FunctionName": "HelloWorld",
        "Description": "HelloWorld",
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "LambdaExecutionRole",
            "Arn"
          ]
        },
        "Code": {
          "ZipFile": {
            "Fn::Join": [
              "\n",
              [
                "import os,boto3,sys",
                "user = os.environ['user']",
                "password = os.environ['password']",
                "def get_ssm_parameter(parameter_name):",
                "    try:",
                "        ssm_client = boto3.client('ssm')",
                "        response = ssm_client.get_parameters(Names=[parameter_name],WithDecryption=True)",
                "        if len(response['Parameters']) == 0:",
                "            print('Error Getting the value for parameter {}.'.format(parameter_name))",
                "            sys.exit(1)",
                "        else:",
                "            value=response['Parameters'][0]['Value']",
                "        return value",
                "    except Exception as e:",
                "        print('Error Getting the value for parameter {}, Error : {}'.format(parameter_name,str(e)))",
                "        sys.exit(1)",
                "def handler(event,context):",
                "    print(event)",
                "    db_username = get_ssm_parameter(user)",
                "    db_password = get_ssm_parameter(password)",
                "    print('DB User name is {} and password is {}'.format(db_username,db_password))"
              ]
            ]
          }
        },
        "Environment": {
          "Variables": {
            "user": {
              "Ref": "SSMPanoUser"
            },
            "password": {
              "Ref": "SSMPanoPassword"
            }
          }
        },
        "Runtime": "python3.6",
        "Timeout": "300"
      }
    }
  },
  "Outputs": {
    "PanoUser": {
      "Value": {
        "Ref": "SSMPanoUser"
      }
    }
  }
 }
diff --git a/ssm_example_cft.yaml b/ssm_example_cft.yaml
 AWSTemplateFormatVersion: '2010-09-09'
 Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: HelloWorld Parameters
        Parameters:
          - PanoUsername
          - PanoPassword
          - LambdaRoleName
 Parameters:
  PanoUsername:
    Description: PanoUsername
    Type: String
    NoEcho: true
  PanoPassword:
    Description: PanoPassword
    Type: String
    NoEcho: true
 Resources:
  SSMPanoUser:
    Type: AWS::SSM::Parameter
    Properties:
      Name: pano-username
      Type: String
      Value: !Ref 'PanoUsername'
      Description: SSM Parameter for Pano UserName
      AllowedPattern: ^[a-zA-Z]{1,10}$
  SSMPanoPassword:
    Type: AWS::SSM::Parameter
    Properties:
      Name: pano-password
      Type: String
      Value: !Ref 'PanoPassword'
      Description: SSM Parameter for Password
      AllowedPattern: ^[a-zA-Z]{1,10}$
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
        - '-'
        - - LambdaExecutionRole
          - !Ref 'AWS::StackName'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
  LambdaExecutionPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn:
      - LambdaExecutionRole
    Properties:
      ManagedPolicyName: !Join
        - '-'
        - - LambdaExecutionPolicy
          - !Ref 'AWS::StackName'
      Roles:
        - !Ref 'LambdaExecutionRole'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: VisualEditor0
            Effect: Allow
            Action:
              - sqs:DeleteMessage
              - dynamodb:PutItem
              - states:ListExecutions
              - dynamodb:DeleteItem
              - ssm:Get*
              - sqs:ReceiveMessage
              - ec2:DeleteNetworkInterface
              - sqs:SendMessage
              - dynamodb:Scan
              - dynamodb:Query
              - dynamodb:UpdateItem
              - sqs:GetQueueAttributes
              - logs:CreateLogGroup
              - logs:PutLogEvents
              - ec2:CreateNetworkInterface
              - logs:CreateLogStream
              - ec2:DescribeNetworkInterfaces
              - dynamodb:DescribeTable
              - ssm:Describe*
              - dynamodb:GetItem
              - states:StartExecution
              - ssm:List*
              - dynamodb:UpdateTable
              - dynamodb:GetRecords
            Resource: '*'
  HelloWorld:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: HelloWorld
      Description: HelloWorld
      Handler: index.handler
      Role: !GetAtt 'LambdaExecutionRole.Arn'
      Code:
        ZipFile: !Join
          - "\n"
          - - import os,boto3,sys
            - user = os.environ['user']
            - password = os.environ['password']
            - 'def get_ssm_parameter(parameter_name):'
            - '    try:'
            - '        ssm_client = boto3.client(''ssm'')'
            - '        response = ssm_client.get_parameters(Names=[parameter_name],WithDecryption=True)'
            - '        if len(response[''Parameters'']) == 0:'
            - '            print(''Error Getting the value for parameter {}.''.format(parameter_name))'
            - '            sys.exit(1)'
            - '        else:'
            - '            value=response[''Parameters''][0][''Value'']'
            - '        return value'
            - '    except Exception as e:'
            - '        print(''Error Getting the value for parameter {}, Error : {}''.format(parameter_name,str(e)))'
            - '        sys.exit(1)'
            - 'def handler(event,context):'
            - '    print(event)'
            - '    db_username = get_ssm_parameter(user)'
            - '    db_password = get_ssm_parameter(password)'
            - '    print(''DB User name is {} and password is {}''.format(db_username,db_password))'
      Environment:
        Variables:
          user: !Ref 'SSMPanoUser'
          password: !Ref 'SSMPanoPassword'
      Runtime: python3.6
      Timeout: '300'
 Outputs:
  PanoUser:
    Value: !Ref 'SSMPanoUser'
	{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Metadata": {
	"AWS::CloudFormation::Interface": {
	"ParameterGroups": [
	{
	"Label": {
	"default": "HelloWorld Parameters"
	},
	"Parameters": [
	"PanoUsername",
	"PanoPassword",
	"LambdaRoleName"
	]
	}
	]
	}
	},
	"Parameters": {
	"PanoUsername": {
	"Description": "PanoUsername",
	"Type": "String",
	"NoEcho": true
	},
	"PanoPassword": {
	"Description": "PanoPassword",
	"Type": "String",
	"NoEcho": true
	}
	},
	"Resources": {
	"SSMPanoUser": {
	"Type": "AWS::SSM::Parameter",
	"Properties": {
	"Name": "pano-username",
	"Type": "String",
	"Value": {
	"Ref": "PanoUsername"
	},
	"Description": "SSM Parameter for Pano UserName",
	"AllowedPattern": "^[a-zA-Z]{1,10}$"
	}
	},
	"SSMPanoPassword": {
	"Type": "AWS::SSM::Parameter",
	"Properties": {
	"Name": "pano-password",
	"Type": "String",
	"Value": {
	"Ref": "PanoPassword"
	},
	"Description": "SSM Parameter for Password",
	"AllowedPattern": "^[a-zA-Z]{1,10}$"
	}
	},
	"LambdaExecutionRole": {
	"Type": "AWS::IAM::Role",
	"Properties": {
	"RoleName": {
	"Fn::Join": [
	"-",
	[
	"LambdaExecutionRole",
	{
	"Ref": "AWS::StackName"
	}
	]
	]
	},
	"AssumeRolePolicyDocument": {
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"Service": [
	"lambda.amazonaws.com"
	]
	},
	"Action": [
	"sts:AssumeRole"
	]
	}
	]
	},
	"Path": "/"
	}
	},
	"LambdaExecutionPolicy": {
	"Type": "AWS::IAM::ManagedPolicy",
	"DependsOn": [
	"LambdaExecutionRole"
	],
	"Properties": {
	"ManagedPolicyName": {
	"Fn::Join": [
	"-",
	[
	"LambdaExecutionPolicy",
	{
	"Ref": "AWS::StackName"
	}
	]
	]
	},
	"Roles": [
	{
	"Ref": "LambdaExecutionRole"
	}
	],
	"PolicyDocument": {
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "VisualEditor0",
	"Effect": "Allow",
	"Action": [
	"sqs:DeleteMessage",
	"dynamodb:PutItem",
	"states:ListExecutions",
	"dynamodb:DeleteItem",
	"ssm:Get*",
	"sqs:ReceiveMessage",
	"ec2:DeleteNetworkInterface",
	"sqs:SendMessage",
	"dynamodb:Scan",
	"dynamodb:Query",
	"dynamodb:UpdateItem",
	"sqs:GetQueueAttributes",
	"logs:CreateLogGroup",
	"logs:PutLogEvents",
	"ec2:CreateNetworkInterface",
	"logs:CreateLogStream",
	"ec2:DescribeNetworkInterfaces",
	"dynamodb:DescribeTable",
	"ssm:Describe*",
	"dynamodb:GetItem",
	"states:StartExecution",
	"ssm:List*",
	"dynamodb:UpdateTable",
	"dynamodb:GetRecords"
	],
	"Resource": "*"
	}
	]
	}
	}
	},
	"HelloWorld": {
	"Type": "AWS::Lambda::Function",
	"Properties": {
	"FunctionName": "HelloWorld",
	"Description": "HelloWorld",
	"Handler": "index.handler",
	"Role": {
	"Fn::GetAtt": [
	"LambdaExecutionRole",
	"Arn"
	]
	},
	"Code": {
	"ZipFile": {
	"Fn::Join": [
	"\n",
	[
	"import os,boto3,sys",
	"user = os.environ['user']",
	"password = os.environ['password']",
	"def get_ssm_parameter(parameter_name):",
	" try:",
	" ssm_client = boto3.client('ssm')",
	" response = ssm_client.get_parameters(Names=[parameter_name],WithDecryption=True)",
	" if len(response['Parameters']) == 0:",
	" print('Error Getting the value for parameter {}.'.format(parameter_name))",
	" sys.exit(1)",
	" else:",
	" value=response['Parameters'][0]['Value']",
	" return value",
	" except Exception as e:",
	" print('Error Getting the value for parameter {}, Error : {}'.format(parameter_name,str(e)))",
	" sys.exit(1)",
	"def handler(event,context):",
	" print(event)",
	" db_username = get_ssm_parameter(user)",
	" db_password = get_ssm_parameter(password)",
	" print('DB User name is {} and password is {}'.format(db_username,db_password))"
	]
	]
	}
	},
	"Environment": {
	"Variables": {
	"user": {
	"Ref": "SSMPanoUser"
	},
	"password": {
	"Ref": "SSMPanoPassword"
	}
	}
	},
	"Runtime": "python3.6",
	"Timeout": "300"
	}
	}
	},
	"Outputs": {
	"PanoUser": {
	"Value": {
	"Ref": "SSMPanoUser"
	}
	}
	}
	}
	AWSTemplateFormatVersion: '2010-09-09'
	Metadata:
	AWS::CloudFormation::Interface:
	ParameterGroups:
	- Label:
	default: HelloWorld Parameters
	Parameters:
	- PanoUsername
	- PanoPassword
	- LambdaRoleName
	Parameters:
	PanoUsername:
	Description: PanoUsername
	Type: String
	NoEcho: true
	PanoPassword:
	Description: PanoPassword
	Type: String
	NoEcho: true
	Resources:
	SSMPanoUser:
	Type: AWS::SSM::Parameter
	Properties:
	Name: pano-username
	Type: String
	Value: !Ref 'PanoUsername'
	Description: SSM Parameter for Pano UserName
	AllowedPattern: ^[a-zA-Z]{1,10}$
	SSMPanoPassword:
	Type: AWS::SSM::Parameter
	Properties:
	Name: pano-password
	Type: String
	Value: !Ref 'PanoPassword'
	Description: SSM Parameter for Password
	AllowedPattern: ^[a-zA-Z]{1,10}$
	LambdaExecutionRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName: !Join
	- '-'
	- - LambdaExecutionRole
	- !Ref 'AWS::StackName'
	AssumeRolePolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- lambda.amazonaws.com
	Action:
	- sts:AssumeRole
	Path: /
	LambdaExecutionPolicy:
	Type: AWS::IAM::ManagedPolicy
	DependsOn:
	- LambdaExecutionRole
	Properties:
	ManagedPolicyName: !Join
	- '-'
	- - LambdaExecutionPolicy
	- !Ref 'AWS::StackName'
	Roles:
	- !Ref 'LambdaExecutionRole'
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Sid: VisualEditor0
	Effect: Allow
	Action:
	- sqs:DeleteMessage
	- dynamodb:PutItem
	- states:ListExecutions
	- dynamodb:DeleteItem
	- ssm:Get*
	- sqs:ReceiveMessage
	- ec2:DeleteNetworkInterface
	- sqs:SendMessage
	- dynamodb:Scan
	- dynamodb:Query
	- dynamodb:UpdateItem
	- sqs:GetQueueAttributes
	- logs:CreateLogGroup
	- logs:PutLogEvents
	- ec2:CreateNetworkInterface
	- logs:CreateLogStream
	- ec2:DescribeNetworkInterfaces
	- dynamodb:DescribeTable
	- ssm:Describe*
	- dynamodb:GetItem
	- states:StartExecution
	- ssm:List*
	- dynamodb:UpdateTable
	- dynamodb:GetRecords
	Resource: '*'
	HelloWorld:
	Type: AWS::Lambda::Function
	Properties:
	FunctionName: HelloWorld
	Description: HelloWorld
	Handler: index.handler
	Role: !GetAtt 'LambdaExecutionRole.Arn'
	Code:
	ZipFile: !Join
	- "\n"
	- - import os,boto3,sys
	- user = os.environ['user']
	- password = os.environ['password']
	- 'def get_ssm_parameter(parameter_name):'
	- ' try:'
	- ' ssm_client = boto3.client(''ssm'')'
	- ' response = ssm_client.get_parameters(Names=[parameter_name],WithDecryption=True)'
	- ' if len(response[''Parameters'']) == 0:'
	- ' print(''Error Getting the value for parameter {}.''.format(parameter_name))'
	- ' sys.exit(1)'
	- ' else:'
	- ' value=response[''Parameters''][0][''Value'']'
	- ' return value'
	- ' except Exception as e:'
	- ' print(''Error Getting the value for parameter {}, Error : {}''.format(parameter_name,str(e)))'
	- ' sys.exit(1)'
	- 'def handler(event,context):'
	- ' print(event)'
	- ' db_username = get_ssm_parameter(user)'
	- ' db_password = get_ssm_parameter(password)'
	- ' print(''DB User name is {} and password is {}''.format(db_username,db_password))'
	Environment:
	Variables:
	user: !Ref 'SSMPanoUser'
	password: !Ref 'SSMPanoPassword'
	Runtime: python3.6
	Timeout: '300'
	Outputs:
	PanoUser:
	Value: !Ref 'SSMPanoUser'