Built-in parameter resolvers

You can use parameter resolvers to resolve values for stack parameters at deployment time. Takomo has a few built-in parameter resolvers, and you can also implement your own.

In a stack configuration, you choose which resolver to use by providing a value for the resolver property. In addition to the resolver property, each resolver may have its own set of additional properties.

Here are the built-in parameter resolvers:

Stack output resolver

The stack output resolver reads the parameter value from a stack output of another stack configured within the same Takomo project. The source stack automatically becomes the target stack's dependency. Takomo reads the output value using the credentials associated with the source stack.

If you need to read outputs of stacks that are not configured in the same Takomo project, you can use the external stack output resolver.

Properties

Here are the properties of the stack output resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be stack-output. |
| stack | yes | string | Stack path of the source stack. Can be an absolute or a relative stack path. |
| output | yes | string | Name of the stack output whose value is read. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |

Example

Say we have two stacks: vpc.yml and security-groups.yml. The former creates a VPC and exposes its id in the stack outputs under the name VpcId, and the latter uses the VPC id to create some security groups.

The directory structure looks like this:

.
├─ stacks
│  ├─ vpc.yml
│  └─ security-groups.yml
└─ templates
   ├─ vpc.yml
   └─ security-groups.yml

In the security-groups.yml stack configuration, we use the stack-output resolver to read the value for the VpcId parameter like so:

stacks/security-groups.yml
parameters:
  VpcId:
    resolver: stack-output
    stack: /vpc.yml
    output: VpcId

External stack output resolver

The external stack output resolver reads the parameter value from an output of a stack. The source stack does not have to belong to the same Takomo project as the target stack.

Properties

Here are the properties of the external stack output resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be external-stack-output. |
| stack | yes | string | Name of the source stack. |
| output | yes | string | Name of the stack output whose value is read. |
| region | no | string | Region of the source stack. Region is optional. By default, the region of the target stack is used. |
| commandRole | no | string | IAM role used to access the stack output. Command role is optional. By default, credentials associated with the target stack are used. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |

Example

Say, we have two accounts: 123456789012 and 888888888888.

The account 123456789012 has one stack: src-bucket. It is located in the us-east-1 region and exposes the name of an application source bucket in a stack output named SrcBucketName. The 123456789012 account also has a read-only role that the 888888888888 account can assume.

The 888888888888 account has two stacks: assets-bucket and build-infra. The stacks are located in the us-east-1 and eu-west-1 regions, respectively. The assets-bucket stack exposes the name of an assets bucket in a stack output named AssetsBucket.

Only the build-infra stack is managed in our Takomo project. The two other stacks are configured elsewhere. The build-infra stack has two parameters: SrcBucket and AssetsBucket. To get the values for them, we use the external-stack-output resolver to read the two other stacks' outputs.

The directory structure looks like this:

.
├─ stacks
│  └─ build-infra.yml
└─ templates
   └─ build-infra.yml

The configuration of the build-infra stack looks like this:

stacks/build-infra.yml
regions: us-east-1
parameters:
  SrcBucket:
    resolver: external-stack-output
    stack: src-bucket
    output: SrcBucketName
    commandRole: arn:aws:iam::123456789012:role/read-only
  AssetsBucket:
    resolver: external-stack-output
    stack: assets-bucket
    output: AssetsBucket
    region: eu-west-1

For the SrcBucket parameter, we need to specify the commandRole property because the source stack is located in a different account. We don't need to specify the region because both stacks are located in the same region.

For the AssetsBucket parameter, we must specify the region but not the commandRole because the stacks are located in the same account but different regions.

Command resolver

The command resolver executes a specified shell command and uses the command output as a parameter value.

Properties

Here are the properties of the command resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be cmd. |
| command | yes | string | Shell command to execute. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |
| exposeStackCredentials | no | boolean | Make the current stack's AWS credentials available for the shell command. Defaults to false. Added in Takomo v3.11.0. |
| exposeStackRegion | no | boolean | Make the current stack's region available for the shell command. Defaults to false. Added in Takomo v3.11.0. |
| capture | no | string | Controls how to capture the output of the executed shell command. By default, all output is captured. To capture only the last line, set this to last-line. Added in Takomo v3.11.0. |

Environment variables available in the shell command

The following environment variables are available in the shell command:

| Name | Description |
| --- | --- |
| AWS_ACCESS_KEY_ID | If exposeStackCredentials is true, this will hold the access key id of credentials of the current stack. |
| AWS_SECRET_ACCESS_KEY | If exposeStackCredentials is true, this will hold the secret access key of credentials of the current stack. |
| AWS_SESSION_TOKEN | If exposeStackCredentials is true, this will hold the session token of credentials of the current stack. |
| AWS_SECURITY_TOKEN | If exposeStackCredentials is true, this will hold the session token of credentials of the current stack. |
| AWS_DEFAULT_REGION | If exposeStackRegion is true, this will hold the region of the current stack. |

Example

Use the contents of the /home/password.txt file as the parameter value:

parameters:
  Password:
    resolver: cmd
    command: cat /home/password.txt
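
The command resolver can return secrets, and exposeStackCredentials hands the stack's AWS credentials to the command. As an added example (not part of Takomo or its documentation), this Node.js function audits the parameters section of an already-parsed stack configuration for a missing confidential flag, for exposed credentials, and for assumed roles. The rule names, the secret-name heuristic and the sample object are assumptions made for illustration.

```javascript
// Added example, not Takomo code: audit the `parameters` section of an
// already-parsed stack configuration using the properties documented above.
const SECRET_HINT = /pass(word)?|secret|token|key|credential/i; // assumed heuristic

// Resolvers that can pull a value from a command, file, hook or SSM.
const SECRET_CAPABLE = new Set(["cmd", "file-contents", "ssm", "hook-output"]);

function auditParameters(parameters) {
  const findings = [];
  for (const [name, cfg] of Object.entries(parameters ?? {})) {
    // Static values (string, number, list) use no resolver; skip them.
    if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) continue;
    if (typeof cfg.resolver !== "string") continue;

    // Text hinting that the value is sensitive: parameter name plus its source.
    const source = [name, cfg.command, cfg.file, cfg.name, cfg.hook]
      .filter((v) => typeof v === "string")
      .join(" ");
    if (SECRET_CAPABLE.has(cfg.resolver) && SECRET_HINT.test(source) &&
        cfg.confidential !== true) {
      // Without confidential: true the resolved value is not concealed from logs.
      findings.push({ parameter: name, rule: "secret-not-confidential" });
    }
    if (cfg.resolver === "cmd" && cfg.exposeStackCredentials === true) {
      // The command sees AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and the session token.
      findings.push({ parameter: name, rule: "cmd-receives-stack-credentials" });
    }
    if (typeof cfg.commandRole === "string") {
      // Informational: list assumed roles so a reviewer can confirm they are read-only.
      findings.push({ parameter: name, rule: "assumes-role", detail: cfg.commandRole });
    }
  }
  return findings;
}

// Constructed sample: this page's examples as a parsed object, plus one
// constructed parameter (AccountId) that enables exposeStackCredentials.
const sample = {
  Password: { resolver: "cmd", command: "cat /home/password.txt" },
  CommitHash: { resolver: "file-contents", file: "/tmp/commit.txt" },
  DbPassword: { resolver: "ssm", name: "/database/password", confidential: true },
  SrcBucket: { resolver: "external-stack-output", stack: "src-bucket",
    output: "SrcBucketName", commandRole: "arn:aws:iam::123456789012:role/read-only" },
  AccountId: { resolver: "cmd", exposeStackCredentials: true, capture: "last-line",
    command: "aws sts get-caller-identity --query Account --output text" },
};

console.log(auditParameters(sample));
```

The function only needs the object a YAML parser produces from the stack configuration file, so it can run as a pre-deployment check in a pipeline.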

File contents resolver

The file contents resolver reads a file and uses the file contents as a parameter value.

Properties

Here are the properties of the file contents resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be file-contents. |
| file | yes | string | Path to file. Can be an absolute path or a path relative to the project directory. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |

Examples

Use the contents of the /tmp/commit.txt file as the parameter value:

parameters:
  CommitHash:
    resolver: file-contents
    file: /tmp/commit.txt

Use a relative file path:

parameters:
  Code:
    resolver: file-contents
    file: code.txt

Hook output resolver

The hook output resolver reads parameter values from hook outputs. Added in Takomo v3.5.0.

Properties

Here are the properties of the hook output resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be hook-output. |
| hook | yes | string | Name of the hook whose output should be read. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |

Examples

This stack configuration has a hook named my-hook, which runs before stack operations. It is a command hook and stores the output of its shell command in the hook outputs, where subsequent hooks and parameter resolvers can access it.

A hook output resolver reads the output of my-hook and sets it as the value of the Greeting parameter.

parameters:
  Greeting:
    resolver: hook-output
    hook: my-hook
hooks:
  - name: my-hook
    type: cmd
    stage: before
    command: echo 'hello world'

SSM parameter resolver

The SSM parameter resolver reads parameter values from the SSM Parameter Store. The parameter can be encrypted.

Properties

Here are the properties of the SSM parameter resolver:

| Key | Required | Type | Description |
| --- | --- | --- | --- |
| resolver | yes | string | Resolver name, this must be ssm. |
| name | yes | string | Name of the SSM parameter. |
| region | no | string | Region where the SSM parameter resides. By default, Takomo uses the region of the stack where the parameter resolver is used. |
| commandRole | no | string | IAM role used to access the SSM parameter. Command role is optional. By default, credentials associated with the current stack are used. |
| confidential | no | boolean | Conceal the resolved parameter value from logs, defaults to false |
| immutable | no | boolean | Mark the parameter as immutable, defaults to false |

Examples

Read the value from an SSM parameter /database/password that resides in the same region as the current stack:

parameters:
  Password:
    resolver: ssm
    name: /database/password

Read the value from an SSM parameter /database/username that resides in the eu-north-1 region:

parameters:
  Username:
    resolver: ssm
    region: eu-north-1
    name: /database/username

Read the value from an SSM parameter using a custom IAM role:

parameters:
  Password:
    resolver: ssm
    commandRole: arn:aws:iam::123456789012:role/read-only
    name: MyParam
