Is there a way of updating a SSM Parameter Store value using AWS CDK

0

Currently creating an EC2 Image Builder Image Pipeline generated via a codepipeline which is written using AWS CDK Typescript.

  • Setting the ParentImage for the Image Recipe by retrieving an SSM public AMI Alias Parameter Store value, which returns the current stable version ami_id:

      const parentAmiAlias = cdk.aws_ssm.StringParameter.valueForStringParameter(this, props.parentAmiAliasID);
      .....
      parentImage: parentAmiAlias,
  • The above works fine, I also need to update an existing SSM Parameter store value which stores the output ami Id from the build - is there a ssm update function which can be called via AWS CDK which does what the AWS CLI call aws ssm put-parameter --overwrite does?

I am also finding that when the retrieved ParentImageID has changed, i.e. a newer current stable version AMI ID from the Public AMI Alias SSM store lookup, it fails to update/build the EC2 Image Builder pipeline with error: Resource handler returned message: "The following resource 'ImageRecipe' already exists: and requires an increment in the Base Recipe Semantic version in order to be successful". Is there a way of suppressing this behaviour, i.e. assign the new Base Image to existing recipe version?

1 Answer
0

Hello,

From the description, I understand that you are using EC2 Image Builder Pipeline in CDK and you wish to clarify the below questions:

  1. Is there a ssm update function which can be called via AWS CDK which does what the AWS CLI call aws ssm put-parameter --overwrite does?

I would like to inform you that when you create the SSM Parameter within the CDK code using "StringParameter" construct, CDK automatically makes the "PutParameter" API call with "overwrite": true to create a new version with updated value passed in stringValue property.

You can test the same at your end using the below sample snippet in CDK TypeScript. On modifying the SampleQueue logical ID, the ARN is changed and the SSM Parameter '/my/ami' gets updated with the new value as expected. This is because of the presence of "overwrite": true in the associated "PutParameter" API call. Therefore a similar approach can be used to update the AMI value present in SSM Parameter for your use-case too.

import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as ssm from 'aws-cdk-lib/aws-ssm';

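  // Place inside a Stack constructor, where `this` is the stack.

  // Original:
  // const SampleQueue = new sqs.Queue(this, 'SampleQueue1');

  // Updated: changing the logical ID replaces the queue, so its ARN changes.
  const SampleQueue = new sqs.Queue(this, 'SampleQueue2');

  // The parameter value follows the queue ARN, so it is rewritten on the next deploy.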
  
  const AMIParameterSSM = new ssm.StringParameter(this, 'ParameterSSM', {
    parameterName: '/my/ami',
    stringValue: SampleQueue.queueArn,
  });

  2. Is there a way of suppressing the behaviour of latest AMI Lookup and/or assign the new Base Image to existing recipe version to avoid "The following resource 'ImageRecipe' already exists: and requires an increment in the Base Recipe Semantic version in order to be successful" error in the associated CloudFormation stack?

Please note that it is expected for the public AMI SSM parameters to get updated over time with the release of latest AMIs. Therefore, if you make use of the public SSM Parameters for "parentAmiAlias", it is expected for the change to happen with time and that cannot be controlled via CDK.

As mentioned in the doc, "After you create a recipe, you can't modify or replace it. To update components after you create a recipe, you must create a new recipe or recipe version.". Therefore, it is not possible to assign the new base Image to existing recipe version from an Image Builder perspective. Hence, such operation leads to the "'ImageRecipe' already exists" error as expected in CDK/CloudFormation.

However, I would like to suggest the below options as a workaround to prevent any unexpected trigger to the pipeline:

  1. Make use of "Schedule" property of "AWS::ImageBuilder::ImagePipeline" resource to configure when and how often a pipeline will automatically create a new image irrespective of the change in public AMI SSM parameters.

  2. Another option would be to set the "Status" property to "DISABLED" when not in use.

AWS
Harsha
answered 17 days ago
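
The two workarounds from the answer above, written as a CloudFormation fragment. This is an added example, not part of the original answer; the resource name, the parameter names and the cron expression are constructed placeholders.

```yaml
# Added example: constructed values, not taken from the original answer.
Parameters:
  ImageRecipeArn:                    # placeholder: ARN of an existing image recipe version
    Type: String
  InfrastructureConfigurationArn:    # placeholder: ARN of an existing infrastructure configuration
    Type: String

Resources:
  AmiPipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: example-ami-pipeline     # constructed name
      ImageRecipeArn: !Ref ImageRecipeArn
      InfrastructureConfigurationArn: !Ref InfrastructureConfigurationArn

      # Option 1: build on a fixed schedule.
      Schedule:
        ScheduleExpression: cron(0 0 * * ? *)    # assumed cadence: daily at 00:00 UTC
        # EXPRESSION_MATCH_ONLY builds every time the expression matches.
        # EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE builds only when the
        # expression matches and the base image or components have updates.
        PipelineExecutionStartCondition: EXPRESSION_MATCH_ONLY

      # Option 2: switch to DISABLED while the pipeline is not in use.
      Status: ENABLED
```

In CDK these map to the `schedule` and `status` properties of the `CfnImagePipeline` construct.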
