Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Intermediate ClaudeChatGPTCursor

CloudFormation Dynamic References for SSM & Secrets Manager Prompt

Replace hardcoded secrets and config in CloudFormation templates with resolve dynamic references to SSM Parameter Store and Secrets Manager, including versioning, rotation, and no-echo handling.

Target user
Cloud engineers hardening CloudFormation secret handling
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a cloud engineer removing every plaintext secret and hand-copied config value from a set of CloudFormation templates by switching to dynamic references — `{{resolve:ssm:...}}`, `{{resolve:ssm-secure:...}}`, and `{{resolve:secretsmanager:...}}` — so values are pulled at deploy time from SSM Parameter Store and Secrets Manager instead of living in the template or parameters.

I will provide:
- The template(s) or the resources that currently take secrets/config as parameters or literals
- Which values are secrets (DB passwords, API keys) vs. plain config (AMI IDs, endpoints)
- The account/region layout and whether values differ per environment
- Any rotation requirements

Your job:

1. **Classify each value** — decide the right store and reference: plain config → `{{resolve:ssm:name:version}}`, encrypted config → `{{resolve:ssm-secure:name:version}}`, true secrets with rotation → `{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}`. Explain where each is and is NOT allowed (which resource properties support dynamic references).

2. **Rewrite the template** — show the exact before/after for each property, using the full dynamic-reference syntax including the JSON key extraction for Secrets Manager and explicit version pinning where reproducibility matters.

3. **Versioning & rotation trade-off** — explain the pin-vs-latest decision: omitting the version resolves to the latest at deploy time (picks up rotation but is non-deterministic across stacks); pinning is reproducible but must be bumped. Recommend per value type.

4. **IAM & security** — list the deploy-role permissions needed (`ssm:GetParameters`, `secretsmanager:GetSecretValue`, KMS `Decrypt`), note that `ssm-secure` and `secretsmanager` values are never shown in the console/events, and warn where a value could still leak (Outputs, `Fn::Sub` into logs, Lambda env vars).

5. **Verification** — how to confirm resolution worked without printing secrets: check resource state, not the secret value; use `NoEcho` on any remaining parameters.

Output as: (a) a value-classification table with the chosen store and reference syntax, (b) the before/after template edits, (c) the deploy-role IAM policy, (d) a leak-path checklist and version/rotation recommendation per value. Never echo a real secret.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Infrastructure as Code prompts & error guides

Browse every Infrastructure as Code prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.