Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
Cloudformation stack is not getting updated after updating SSM Parameter
Hi, I am deploying an application on ECS Fargate and using the cloudformation as IaC. I have created a SSM parameter to store the image URI. SSM parameter is not a part of cloudformation template. I am dynamically (Image: !Sub '{{resolve:ssm:/${ecr}/${image}/test}}') referencing the image URI in the task definition from SSM Parameter store . I am substituting the parameter value to create the SSM Parameter name. For the first time deployment, changeSet is getting created and all the resources are being deployed successfully. Next, I am updating the ssm parameter with latest image URI through console. After that I am again deploying the stack using cli command: aws cloudformation deploy --template-file ${template-file} --stack-name ${stack-name } —capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM but this time changeSet is not getting created and as a result stack is not getting updated. I am getting 'No changes to deploy' as output of the command. But when I am hardcoding the SSM Parameter name (Image: '{{resolve:ssm:/ecr/image/test}}') instead of creating the SSM Parameter name by using Sub function, I am not getting the above issues even after updating the SSM parameter value manually through console. When I am deploying the stack, ChangeSet is getting created and stack is getting updated successfully each time. Can anyone please suggest why I am getting this issue? or is this a bug in cloudformation?
- Topics
- Management & Governance
- Language
- English
- Newest
- Most votes
- Most comments
Hi,
I use a lot of such SSM parameters to hold (for example) container image names in my CFN templates. But, I don't use your resolve:ssm construct.
I do it this way:
Resources:
#define parameter
ImageUri:
Type: AWS::SSM::Parameter
DeletionPolicy: Delete
Properties:
Type: 'String'
Value: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ImageName}:${ImageTag}'
#use parameter: see !GetAtt ImageUri.Value below
EcsTaskDefinition:
Type: AWS::ECS::TaskDefinition
DeletionPolicy: Delete
Properties:
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
NetworkMode: 'awsvpc'
ExecutionRoleArn: !GetAtt EcsTaskRole.Arn
ContainerDefinitions:
- Name: !GetAtt ContainerName.Value
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
Image: !GetAtt ImageUri.Value
It has been working fine for me over the last couple of years in numerous use cases.
Best,
Didier
Dynamic references are executed when resources (e.g., ECS task definitions) are created. CloudFormation doesn’t detect drifts for these, so they aren’t referenced in ChangeSets.[1]
Two workarounds:
- Mention the version in the dynamic reference. After updating the parameter, update the version in the stack and create a ChangeSet to see the retrieved value.
- Update the stack directly after parameter updates.
References: [1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references-ssm.html
