
AWS Systems Manager Parameter Store

In the document TIBCO Cloud™ (pages 135-139)

AWS Systems Manager Parameter Store is a capability provided by AWS Systems Manager for managing configuration data. You can use the Parameter Store to centrally store configuration parameters for your apps.

Your Flogo app connects to the AWS Systems Manager Parameter Store server as its client. At runtime, you are required to provide the Parameter Store server connection details by setting the FLOGO_APP_PROPS_AWS environment variable in order for your app to connect to the Parameter Store server. You have the option to enter the values for the Parameter Store connection parameters either by typing in their values as JSON strings, or creating a file that contains the values and using the file as input.

Using the Parameter Store with TIBCO Cloud Integration - Flogo (PAYG)

Below is a high-level workflow for using AWS Systems Manager Parameter Store with your Flogo app.

Prerequisites

This document assumes that you have an AWS account, have access to the AWS Systems Manager and know how to use the AWS Systems Manager Parameter Store. Refer to the AWS documentation for the information on the AWS Systems Manager Parameter Store.

Overview

To use the Parameter Store to override app properties set in TIBCO Cloud Integration - Flogo (PAYG), do the following:

1. You begin by building an app binary which has the app properties already configured in TIBCO Cloud Integration - Flogo (PAYG). Refer to Building the App for details on how to build the app.

2. Configure the app properties that you want to override in the Parameter Store. At runtime, the app fetches these values from the Parameter Store and uses them to replace their default values that were set in the app.

3. Set the FLOGO_APP_PROPS_AWS environment variable to set the Parameter Store connection parameters from the command line.

When you run the command for setting the FLOGO_APP_PROPS_AWS environment variable, it runs your app, connects to the Parameter Store, and fetches the overridden values for the app properties from the Parameter Store. Only the values for properties that were configured in the Parameter Store will be overridden. The remaining app properties will get their values from the Application Properties dialog.

See the Setting the Parameter Store Connection Parameters and Parameter Store Connection Parameters sections for details.

Parameter Store Connection Parameters

To connect to AWS Systems Manager Parameter Store, provide the below configuration at runtime.

| Property Name | Required | Data Type | Description |
|---|---|---|---|
| access_key_id | Yes | String | Access ID for your AWS account. To protect access key, an encrypted value can be provided in this configuration. See Encrypting Password Values section for information on how to encrypt a string. The encrypted value must be |
| secret_access_key | Yes | String | Secret access key for your AWS account. This account must have access to the Parameter Store. To protect secret access key, an encrypted value can be provided in this configuration. See Encrypting |
| region | Yes | String | Select a geographic area where your Parameter Store is located. This configuration is optional if use_iam_role is set to true and your Parameter Store is configured in the same region as the running service. When running in AWS services (for example, EC2, ECS, EKS), this configuration is optional if the Parameter Store is in the same region as these services. |
| param_prefix | No | String | This is essentially the hierarchy that your app follows to get to the app property location in the Parameter Store. It is the prefix to be prepended to the lookup parameter. This is helpful in case the parameter hierarchy is not fixed and may change based on the environment during runtime. This is also helpful in case you want to switch to a different configuration service such as Consul KV store. As an example of a param_prefix, if you have an app property (for example, Message) which has two different values depending on the environment from which it is being accessed (for example dev or test environment), your param_prefix for the two values can be /dev/<APPNAME>/ and /test/<APPNAME>/. At run time, the right value for Message will be picked up depending on which param_prefix you specify in the FLOGO_APP_PROPS_AWS environment variable. Hence, setting a param_prefix allows you to change the values of the app properties at runtime without modifying your app. |
| use_iam_role | No | Boolean | Set to true if the Flogo app is running in the AWS services (such as EC2, ECS, EKS) and you want to leverage IAM role (such as instance role or task role) to fetch parameters from the Parameter Store. In that case, access_key_id and secret_access_key are not required. |

Setting the Parameter Store Connection Parameters

You can use the AWS Systems Manager Parameter Store to override the property value set in your Flogo app. You do so by creating the property in the Parameter Store and assigning it the value with which to override the default value set in the app. You can create a standalone property or a hierarchy (group) in which your property resides.

Prerequisites

This document assumes that you have an AWS account and the Parameter Store and are familiar with its use. Refer to the AWS documentation for more information on the Parameter Store.

To create a standalone property (without hierarchy), you simply enter the property name when creating it. To create a property within a hierarchy, enter the hierarchy in the following format when creating the property: <param_prefix>/<property_name>, where <param_prefix> is a meaningful string or hierarchy that serves as a path to the property name in Parameter Store and <property_name> is the name of the app property whose value you want to override. For example, in dev/Timer/Message and test/Timer/Message, dev/Timer and test/Timer are the <param_prefix> values, which could stand for the dev and test environments, and Message is the key name. During runtime, you provide the <param_prefix> value, which tells your app the location in Parameter Store from where to access the property values.

The parameter name in Parameter Store must be identical to its counterpart (app property) in the Application Properties dialog in TIBCO Cloud Integration - Flogo (PAYG). If the parameter names do not match exactly, you will receive a warning message and the app will use the default value that you configured for the property in TIBCO Cloud Integration - Flogo (PAYG).

A single app property, for example Message, will be looked up by your app as either Message or <param_prefix>/Message in Parameter Store. An app property within a hierarchy such as x.y.z will be looked up as x/y/z or <param_prefix>/x/y/z in Parameter Store. Note that the dot in the hierarchy is represented by a forward slash (/) in the Parameter Store.
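The lookup and override rules above, sketched as an added example (not Flogo source code and not part of the original document). It assumes the prefix is normalized to a single leading slash, and that the app looks up the prefixed name when a param_prefix is set and the bare name otherwise; the in-memory store and property names are constructed. The unmatched list surfaces parameters that silently fall back to app defaults because of a naming mismatch.

```python
# Added illustration of the lookup rules above; not TIBCO Flogo source code.
# Constructed sample data: app defaults and a stand-in for the Parameter Store.
APP_DEFAULTS = {"Message": "hello", "db.host": "localhost", "db.port": "5432"}
SAMPLE_STORE = {
    "/dev/Timer/Message": "hello from dev",
    "/dev/Timer/db/host": "db.dev.internal",
    "/dev/Timer/DB/port": "6432",        # wrong case: does not match db.port
    "/test/Timer/Message": "hello from test",
}


def store_name(app_property, param_prefix=""):
    """Map an app property name to the Parameter Store name it is looked up under."""
    path = app_property.replace(".", "/")            # x.y.z -> x/y/z
    prefix = param_prefix.strip("/")                 # assumption: slashes are normalized
    return f"/{prefix}/{path}" if prefix else path   # <param_prefix>/x/y/z, or bare name


def resolve(defaults, store, param_prefix=""):
    """Return (effective values, overridden properties, unmatched store names)."""
    effective, overridden, expected = {}, [], set()
    for prop, default in defaults.items():
        name = store_name(prop, param_prefix)
        expected.add(name)
        if name in store:                            # exact, case-sensitive match
            effective[prop] = store[name]
            overridden.append(prop)
        else:                                        # no match: the app default is kept
            effective[prop] = default
    scope = store_name("", param_prefix)             # e.g. "/dev/Timer/"
    # Parameters under the prefix that no app property maps to: likely typos.
    unmatched = sorted(n for n in store if n.startswith(scope) and n not in expected)
    return effective, overridden, unmatched


if __name__ == "__main__":
    for env in ("/dev/Timer/", "/test/Timer/"):
        print(env, resolve(APP_DEFAULTS, SAMPLE_STORE, env))
```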

After you have configured the app properties in the Parameter Store, you need to set the FLOGO_APP_PROPS_AWS environment variable with the Parameter Store connection parameters in order for your app to connect to the Parameter Store. When you set the environment variable, it triggers your app to run, which connects to the Parameter Store using the Parameter Store connection parameters you provided and pulls the app property values from the param_prefix location you set by matching the app property name with the param_name. Hence, it is mandatory for the property names to be identical to the app property names defined in the Application Properties dialog in TIBCO Cloud Integration - Flogo (PAYG).

You can set the FLOGO_APP_PROPS_AWS environment variable either by manually entering the values as a JSON string on the command line or placing the properties in a file and using the file as input to the FLOGO_APP_PROPS_AWS environment variable.

If your Container is Not Running on ECS or EKS

If the container in which your app resides is running external to ECS, you must enter the values for access_key_id and secret_access_key parameters when setting the FLOGO_APP_PROPS_AWS environment variable.

Entering the Parameter Store Values as a JSON String

To enter the Parameter Store connection parameters as a JSON string, enter the parameters and their value using the comma delimiter. The following example illustrates how to set the values as JSON strings. This would be run from the location where your app resides:

FLOGO_APP_PROPS_AWS="{\"access_key_id\":\"SECRET:XXXXXXXXXXXXX\",\"secret_access_key\":\"SECRET:XXXXXXXXXXX\",\"region\":\"us-west-2\",\"param_prefix\":\"/MyFlogoApp/Dev/\"}"

where /MyFlogoApp/Dev/ is the param_prefix (path to the properties) and SECRET is the encrypted version of the key or key_id obtained from the Parameter Store.

This will connect to the Parameter Store and pull the values for the properties and override their default values that were set in the app.

Refer to Parameter Store Connection Parameters section for a description of the parameters.

Setting the Parameter Store Values Using a File

To set the parameter values in a file, create a .json file, for example, aws_config.json containing the parameter values. Here's an example:

Place the aws_config.json file in the same directory which contains your app binary.

You would then run the following from the location where your app binary resides to set the FLOGO_APP_PROPS_AWS environment variable. For example, to use the aws_config.json file from the example above, run:

FLOGO_APP_PROPS_AWS=aws_config.json ./<app_binary_name>

This will connect to the Parameter Store to pull the overridden app properties values from the Parameter Store and run your app with those values.

If your Container is Running on ECS or EKS

If your Flogo apps are running in ECS and you intend to leverage the EC2 instance credentials, set use_iam_role to true. The values for access_key_id and secret_access_key will be gathered from the running container. Ensure that the ECS task has the permission to access the Parameter Store.

The IAM role that you use must have permissions to access parameter(s) from the AWS Systems Manager Parameter Store. The following policy must be configured for IAM role:

{

The following is an example of how to set the FLOGO_APP_PROPS_AWS environment variable when your container is running on ECS. Notice that the values for access_key_id and secret_access_key are omitted:

FLOGO_APP_PROPS_AWS="{\"use_iam_role\":true, \"region\":\"us-west-2\"}" ./Timer-darwin-amd64
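A pre-deployment check of a FLOGO_APP_PROPS_AWS value against the connection-parameter rules described in this section, as an added example that is not part of the original document or of Flogo. It assumes a value starting with `{` is inline JSON and anything else is a file path, and treats the `SECRET:` prefix shown in the example above as the marker of an encrypted value; the function names are hypothetical.

```python
import json

REQUIRED_STATIC = ("access_key_id", "secret_access_key", "region")
CREDENTIALS = ("access_key_id", "secret_access_key")


def load_conn_params(value):
    """Parse a FLOGO_APP_PROPS_AWS value: inline JSON, or (assumed) a file path."""
    text = value.strip()
    if not text.startswith("{"):                 # assumption: anything else is a file
        with open(text, encoding="utf-8") as fh:
            text = fh.read()
    params = json.loads(text)
    if not isinstance(params, dict):
        raise ValueError("connection parameters must be a JSON object")
    return params


def check_conn_params(params):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    role = params.get("use_iam_role", False)
    if not isinstance(role, bool):               # the table defines it as Boolean
        findings.append("use_iam_role must be a JSON boolean, not " + type(role).__name__)
        role = False
    if role:
        # With an IAM role the static keys are not required; flag leftovers.
        for key in CREDENTIALS:
            if key in params:
                findings.append(f"{key} is set although use_iam_role is true")
    else:
        for key in REQUIRED_STATIC:
            if not params.get(key):
                findings.append(f"{key} is required when use_iam_role is not true")
    for key in CREDENTIALS:
        val = params.get(key)
        if isinstance(val, str) and val and not val.startswith("SECRET:"):
            findings.append(f"{key} is in plaintext; use the encrypted SECRET: form")
    prefix = params.get("param_prefix")
    if prefix is not None and not isinstance(prefix, str):
        findings.append("param_prefix must be a string")
    return findings


if __name__ == "__main__":
    # Constructed sample value: plaintext access key and no region.
    sample = '{"access_key_id":"AKIAEXAMPLE","secret_access_key":"SECRET:XXXX"}'
    for finding in check_conn_params(load_conn_params(sample)):
        print("finding:", finding)
```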
