SSM Parameter to hold Slack channel

[hlascelles]

We would like to hold the Slack webhook URL in a secure SSM parameter so it isn't in source control.

Looks like we can pass a value into Lambda using that:

const lambdaFunction = new lambda.Function(this, 'LogHandler', {
  environment: {
    SLACK_INCOMING_WEBHOOK_URL: ssmParameter.stringValue,
  },
});

Would you accept a PR for that if you agree?

[acomagu]

Hi, I understand the needs to use SSM parameter and would be happy to see a PR!

I have a question: if we specify as you wrote, would the actual value be visible in the environment variables section of the Lambda console?(or masked?)

I don't have experience with SSM so I need to learn the best practice around that. Thank you!

[hlascelles]

Ha, me neither! Reading this article it appears that using native "SSM->ENV" is not sufficient as it would mean anyone updating the stack would need access to the SSM (I think). I guess it should be done by reading the SSM "live" in the JS code.

As he says:

But, personally I still think you should:

fetch SSM parameter values at runtime
cache these values, and hot-swap when source values change

I will look at a PR when I get the chance 👍