@63klabs/cache-data 1.2.5 → 1.2.7

package/SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Report all vulnerabilities under the [Security menu in the Cache-Data GitHub repository](https://github.com/63klabs/npm-cache-data/security/advisories).
+Report all vulnerabilities under the [Security menu in the Cache-Data GitHub repository](https://github.com/63klabs/cache-data/security/advisories).

package/docs/00-example-implementation/README.md

@@ -0,0 +1,55 @@
+# Implementation Examples
+
+> Note: To implement Cache Data, a DynamoDb and S3 bucket needs to be created to store the cache. See the [Cache-Data DynamoDb and S3 CloudFormation Resource Templates](#cache-data-dynamodb-and-s3-cloudformation-resource-templates) section below.
+
+A full implementation example and tutorial is available through the [Atlantis Tutorials repository](https://github.com/63klabs/atlantis-tutorials) as [Tutorial #2](https://github.com/63Klabs/atlantis-tutorials/blob/main/tutorials/02-s3-dynamo-api-gateway-lambda-cache-data-node/README.md). (Atlantis is a collection of templates and deployment scripts to assist in starting and automating serverless deployments using AWS SAM and CloudFormation.)
+
+## CloudFormation Template Examples
+
+### Cache-Data DynamoDb and S3 CloudFormation Resource Example Templates
+
+Use the [S3 and DynamoDb example template](./example-template-s3-and-dynamodb-cache-store.yml) for creating your DynamoDb and S3 cache storage locations.
+
+You can create a centrally-shared DynamoDb table and S3 location for use among all your instances (each instance has its own encryption key to prevent cache-sharing/exposure).
+
+You can also add the `CacheDataDynamoDbTable` and `CacheDataS3Bucket` to each application template individually. However, this will quickly increase the number of S3 buckets and DynamoDb tables to keep track of.
+
+### Lambda Function Resource Template Example
+
+Use the [Lambda Example Template](./example-template-lambda-function.yml) for properties, environment variables, and execution permissions to use in your Lambda function.
+
+The Cache Data packages utilizes environment variables for cache, logging, and other configuration settings.
+
+Conditionals or parameters can be utilized to provide deployment context switching instead of hard-coding values.
+
+In order to utilize X-Ray tracing, Lambda Insights, and to write and read data from the DynamoDb and S3 data stores, IAM permissions must be provided in a Lambda execution role.
+
+### Cache-Data Parameter Examples
+
+If you want to pass cache-data settings as CloudFormation template parameters during deployments, see [Cache-Data Template Parameter Examples](./example-template-parameters.yml).
+
+Even if not using the parameters, the parameter example also provides descriptions, examples, and value requirements to further understand how to use the settings.
+
+## CodeBuild Script Examples
+
+Cache-Data requires a secret key to encrypt cached data in S3 and DynamoDb. 
+
+This key is stored in SSM Parameter store and can be generated using [the generate-put-ssm.py build script](./generate-put-ssm.py)
+
+The script can be used to store additional parameters at build time. Review comments in the script for usage information.
+
+The script will also look for a [template-configuration.json](./template-configuration.json) file in the script or parent directory and apply supplied tags to the parameter. If placeholders are used in tag values (for example `$VARIBLE_NAME$`) it is replaced with the corresponding environment variable.
+
+Template configuration files are often used alongside buildspec.yml files for supplying `Parameters` and `Tags` to SAM deployments.
+
+To implement the generate-put-ssm.py script during your CodeBuild process, you can refer to the [example buildspec.yml](./example-buildspec.yml).
+
+## Code Examples
+
+### Configuration
+
+[Configuration Example Code](./example-config.js)
+
+### Lambda Handler
+
+[Lambda Handler Example Code](./example-handler.js)

package/docs/00-example-implementation/example-buildspec.yml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+
+  pre_build:
+    commands:
+
+      # Generate a random 256 bit key (hexidecimal) in SSM for cache data:
+      - generate-put-ssm.py /webservice/app-name/CacheData_SecureDataKey --generate 256
+
+      # Generate a parameter with a preset value:
+      - generate-put-ssm.py /webservice/app-name/HelloWorld --value "some-value"
+
+      # Generate a parameter with value of 'BLANK' to fill in later:
+      - generate-put-ssm.py /webservice/app-name/WeatherServiceApiKey

package/docs/00-example-implementation/example-template-lambda-function.yml

@@ -0,0 +1,119 @@
+# template.yml
+# This is a template for a Lambda function that uses the 63klabs/cache-data package
+
+Resources:
+
+  # API Gateway
+
+  WebApi:
+    Type: AWS::Serverless::Api
+    Properties: 
+      PropagateTags: True
+      TracingEnabled: True
+      OpenApiVersion: 3.0.0
+
+  # Lambda Function
+
+  AppFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      # ...
+      Runtime: nodejs22.x
+      MemorySize: 1028
+      Role: !GetAtt LambdaExecutionRole.Arn
+
+      # Lambda Insights and X-Ray
+      Tracing: "Active" # X-Ray
+
+      Layers:
+        # Lambda Insights and Param Secrets - Account and Version are Mapped in as they vary by region and architecture
+        - !Sub "arn:aws:lambda:${AWS::Region}:${AWSInsightsAccount}:layer:LambdaInsightsExtension:${Version}"
+        - !Sub "arn:aws:lambda:${AWS::Region}:${AWSParamAccount}:layer:AWS-Parameters-and-Secrets-Lambda-Extension:${Version}"
+
+      Environment:
+        Variables:
+
+          DEPLOY_ENVIRONMENT: "DEV" # PROD, TEST, DEV - a different category of environment
+          LOG_LEVEL: 5 # 0 for prod, 2-5 for non-prod
+          
+          # Cache-Data settings - Parameters may be used instead of hard-coded values - see docs/00-example-implementation/example-template-parameters.yml
+          CACHE_DATA_DYNAMO_DB_TABLE: your-dynamodb-table-name # The DynamoDb table name to use for caching data
+          CACHE_DATA_S3_BUCKET: your-s3-bucket-name # The S3 bucket name to use for caching data
+          CACHE_DATA_SECURE_DATA_ALGORITHM: "aes-256-cbc" # The cryptographic algorithm to use for storing sensitive cached data in S3 and DynamoDb
+          CACHE_DATA_ID_HASH_ALGORITHM: "RSA-SHA256" # The hash algorithm to use for generating the URI ID to identify cached requests
+          CACHE_DATA_DYNAMO_DB_MAX_CACHE_SIZE_KB: 10 # The cut-off in KB that large objects should be stored in S3 instead of DynamoDb
+          CACHE_DATA_PURGE_EXPIRED_CACHE_ENTRIES_AFTER_X_HRS: 24 # The number of hours expired cached data should be kept before purging
+          CACHE_DATA_ERROR_EXP_IN_SECONDS: 300 # How long should errors be cached? This prevents retrying a service that is currently in error too often
+          CACHE_DATA_TIME_ZONE_FOR_INTERVAL: "Etc/UTC" # Cache-Data may expire using an interval such as every four, six, twelve, ... hours on the hour starting at midnight. What timezone holds the midnight to calculate from?
+          CACHE_DATA_AWS_X_RAY_ON: true # Enable X-Ray tracing for Cache-Data
+          CACHE_DATA_USE_TOOLS_HASH_METHOD: true # Use the tools.hash method for generating the URI ID to identify cached requests (default is false)
+
+  # -- LambdaFunction Execution Role --
+
+  LambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub "${LAMBDA_EXECUTION_ROLE_NAME}-ExecutionRole"
+      Description: "IAM Role that allows the Lambda permission to execute and access resources"
+      Path: /
+
+      AssumeRolePolicyDocument:
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service: [lambda.amazonaws.com]
+          Action: sts:AssumeRole
+
+      # These are for application monitoring via LambdaInsights and X-Ray
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy'
+        - 'arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess'
+
+      # These are the resources your Lambda function needs access to
+      # Logs, SSM Parameters, DynamoDb, S3, etc.
+      # Define specific actions such as get/put (read/write)
+      Policies:
+      - PolicyName: LambdaResourceAccessPolicies
+        PolicyDocument:
+          Statement:
+
+          - Sid: LambdaAccessToWriteLogs
+            Action:
+            - logs:CreateLogGroup
+            - logs:CreateLogStream
+            - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt AppLogGroup.Arn
+
+          # cache-data Parameter Read Access (from: https://www.npmjs.com/package/@63klabs/cache-data)
+          - Sid: LambdaAccessToSSMParameters
+            Action:
+            - ssm:DescribeParameters
+            - ssm:GetParameters
+            - ssm:GetParameter
+            - ssm:GetParametersByPath
+            Effect: Allow
+            Resource: 
+            - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${ParameterPath}*"
+
+          # cache-data S3 bucket (from: https://www.npmjs.com/package/@63klabs/cache-data)
+          - Sid: LambdaAccessToS3BucketCacheData
+            Action:
+            - s3:PutObject
+            - s3:GetObject
+            - s3:GetObjectVersion
+            Effect: Allow
+            Resource: !Join [ '', [ !GetAtt CacheDataS3Bucket.Arn, '/cache/*' ] ]
+
+          # cache-data DynamoDb table (from: https://www.npmjs.com/package/@63klabs/cache-data)
+          - Sid: LambdaAccessToDynamoDBTableCacheData
+            Action:
+            - dynamodb:GetItem
+            - dynamodb:Scan
+            - dynamodb:Query
+            - dynamodb:BatchGetItem
+            - dynamodb:PutItem
+            - dynamodb:UpdateItem
+            - dynamodb:BatchWriteItem
+            Effect: Allow
+            Resource: !GetAtt CacheDataDynamoDbTable.Arn

package/docs/00-example-implementation/example-template-parameters.yml

@@ -0,0 +1,66 @@
+# The following parameters can be used to customize the Cache-Data implementation on a per-deployment basis.
+# They can then be used to set the Lambda environment variables in the template.
+# However, you can just as easily set these directly in the Lambda environment variables
+
+Parameters:
+
+  # ...
+
+  # Cache-Data Parameters
+
+  CacheDataDbMaxCacheSizeInKB:
+    Type: Number
+    Description: "DynamoDb does better when storing smaller pieces of data. Choose the cut-off in KB that large objects should be stored in S3 instead (10)"
+    Default: 10
+    MinValue: 10
+    MaxValue: 200
+    ConstraintDescription: "Numeric value between 10 and 200 (inclusive)"
+
+  CacheDataCryptIdHashAlgorithm:
+    Type: String
+    Description: "Hash algorithm used for generating the URI ID to identify cached requests. This is for generating IDs, not crypto."
+    Default: "RSA-SHA256"
+    AllowedValues: ["RSA-SHA256", "RSA-SHA3-224", "RSA-SHA3-256", "RSA-SHA3-384", "RSA-SHA3-512"]
+    ConstraintDescription: "Use possible hashes available from Node.js in the RSA- category (RSA-SHA256 to RSA-SM3)"
+
+  CacheDataCryptSecureDataAlg:
+    Type: String
+    Description: "Cryptographic algorithm to use for storing sensitive cached data in S3 and DynamoDb"
+    Default: "aes-256-cbc"
+    AllowedValues: ["aes-256-cbc", "aes-256-cfb", "aes-256-cfb1", "aes-256-cfb8", "aes-256-ofb"]
+    ConstraintDescription: "Use possible cipher algorithms available (crypto.getCiphers()) from Node.js in the aes-256-xxx category"
+
+  CacheDataErrorExpirationInSeconds:
+    Type: Number
+    Description: "How long should errors be cached? This prevents retrying a service that is currenlty in error too often (300 is recommended)"
+    Default: 300
+    MinValue: 1
+    ConstraintDescription: "Choose a value of 1 or greater"
+
+  CacheDataPurgeExpiredCacheEntriesInHours:
+    Type: Number
+    Description: "The number of hours expired cached data should be kept before purging. Expired cache data may be used if the source returns an error."
+    Default: 24
+    MinValue: 1
+    ConstraintDescription: "Choose a value of 1 or greater"
+
+  CacheDataPurgeAgeOfCachedBucketObjInDays:
+    Type: Number
+    Description: "Similar to CacheData_PurgeExpiredCacheEntriesInHours, but for the S3 Bucket. S3 calculates from time object is created/last modified (not accessed). This should be longer than your longest cache expiration set in custom/policies. Keeping objects in S3 for too long increases storage costs. (30 is recommended)"
+    Default: 15
+    MinValue: 3
+    ConstraintDescription: "Choose a value of 3 days or greater. This should be slightly longer than the longest cache expiration expected"
+
+  CacheDataTimeZoneForInterval:
+    Type: String
+    Description: "Cache-Data may expire using an interval such as every four, six, twelve, ... hours on the hour starting at midnight. What timezone holds the midnight to calculate from?"
+    Default: "Etc/UTC"
+    AllowedValues: ["Etc/UTC", "America/Puerto_Rico", "America/New_York", "America/Indianapolis", "America/Chicago", "America/Denver", "America/Phoenix", "America/Los_Angeles", "America/Anchorage", "Pacific/Honolulu"] # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+    ConstraintDescription: "Common examples for United States of America. Accepted values can be changed in the template for your region."
+
+  CacheDataAWSXRayOn:
+    Type: String
+    Description: "Turn on AWS XRay tracing for Cache-Data"
+    Default: "false"
+    AllowedValues: ["true", "false"]
+    ConstraintDescription: "Accepted values are true or false"

package/docs/00-example-implementation/example-template-s3-and-dynamodb-cache-store.yml

@@ -0,0 +1,77 @@
+Resources:
+
+  # ... all your other resources
+  # ... make sure your Lambda function has between 512MB and 1024MB allocated (256MB minimum)
+  # ... also make sure you added environment variables to your Lambda function
+  # ... and make sure your Lambda Execution Role grants access to your DynamoDb and S3 buckets
+
+  # ---------------------------------------------------------------------------
+  # Cache-Data
+  # From: https://www.npmjs.com/package/@63klabs/cache-data
+  # Your Lambda function will need access via the Execution Role
+
+  # -- Cache-Data DynamoDb Table --
+
+  CacheDataDynamoDbTable:
+    Type: AWS::DynamoDB::Table
+    Description: Table to store Cache-Data. 
+    Properties:
+      TableName: !Sub '${YOUR-DYNAMODB-TABLE}-CacheData'
+      AttributeDefinitions: 
+        - AttributeName: "id_hash"
+          AttributeType: "S"
+      KeySchema: 
+        - AttributeName: "id_hash"
+          KeyType: "HASH"
+      TimeToLiveSpecification:
+        AttributeName: "purge_ts"
+        Enabled: true
+      BillingMode: "PAY_PER_REQUEST"
+
+
+  # -- Cache-Data S3 Bucket --
+
+  CacheDataS3Bucket:
+    Type: AWS::S3::Bucket
+    Description: S3 Bucket to store Cache-Data too big for DynamoDb. Cache-Data stores objects in /cache directory. The application may store additional data outside of the cache directory.
+    Properties:
+      BucketName: !Sub "${YOUR-BUCKET-NAME}-cachedata"
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LifecycleConfiguration:
+        Rules:
+          - Id: "ExpireObjects"
+            AbortIncompleteMultipartUpload:
+              DaysAfterInitiation: 1
+            ExpirationInDays: !Ref CacheDataPurgeAgeOfCachedBucketObjInDays
+            Prefix: "cache" # this will limit this policy to YOURBUCKETNAME/cache/*
+            NoncurrentVersionExpirationInDays: !Ref CacheDataPurgeAgeOfCachedBucketObjInDays
+            Status: "Enabled" # Enable only if you are going to use this LifecycleConfiguration
+
+  # -- Cache-Data S3 Bucket Policy --
+
+  CacheDataS3BucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref CacheDataS3Bucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Id: SecurityPolicy
+        Statement:
+          - Sid: "DenyNonSecureTransportAccess"
+            Effect: Deny
+            Principal: "*"
+            Action: "s3:*"
+            Resource:
+              - !GetAtt CacheDataS3Bucket.Arn
+              - !Join [ '', [ !GetAtt CacheDataS3Bucket.Arn, '/*' ] ]
+            Condition:
+              Bool:
+                "aws:SecureTransport": false

package/docs/00-example-implementation/generate-put-ssm.py

@@ -0,0 +1,209 @@
+#!/usr/bin/env python3
+
+# From npm @63klabs/cache-data
+# This script is used to create a secure SSM Parameter in AWS Parameter Store.
+# Cache-Data requires a secure key to be stored in SSM Parameter Store.
+# This script can be used to generate random keys or use provided values.
+# Include this script in your CI/CD pipeline to automate the process of creating secure parameters.
+# It reads tags from a template-configuration.json file, which is common for SAM deployments,
+# and applies them to the parameter.
+
+import sys
+import secrets
+import boto3
+from botocore.exceptions import ClientError
+import json
+import os
+import argparse
+import re
+
+def usage():
+    print(f"""Creates a secure SSM Parameter in AWS Parameter Store.
+    This script can generate a random key of specified bit length or use a provided value.
+    It also reads tags from a template-configuration.json file (common for SAM deployments)
+    and applies them to the parameter.
+          
+    NOTE:
+        It is designed to be used in a CI/CD pipeline, such as AWS CodePipeline.
+        It requires the AWS SDK for Python (boto3) and the botocore library.
+        Ensure CodeBuild has the necessary permissions to create and manage SSM parameters.
+        It can be run manually from a local CLI with a specific AWS profile if needed.
+        There is a --dryrun option to check if the parameter exists (and see values and tags) without creating it for testing purposes.
+        IT WILL NOT OVERWRITE AN EXISTING PARAMETER! DELETE IT FIRST IF YOU WANT TO REPLACE IT,
+          or, update using the AWS CLI, or manually through the console.
+          
+    Usage: {sys.argv[0]} <PARAM_NAME> [--generate BITS | --value VALUE] [--dryrun] [--profile PROFILE]
+      PARAM_NAME
+        The name of the key parameter
+        For example, '/webservices/myapp/CacheData_SecureDataKey'
+      --generate BITS
+         Generate a random key with specified number of bits (mutually exclusive with --value)
+      --value VALUE
+         Use the provided value directly (mutually exclusive with --generate)
+      --dryrun
+         Check if parameter exists but don't create it
+      --profile PROFILE
+         AWS profile to use for the request""", file=sys.stderr)
+
+def generate_key(key_len):
+    """Generate a random hex key of specified bit length"""
+    return secrets.token_hex(key_len // 8)  # key_len bits ÷ 8 bits/byte = bytes needed
+
+def put_parameter(ssm_client, param_full_name, value, tags, dryrun=False):
+    """Store a parameter in SSM Parameter Store"""
+    print(f"Checking for SSM Parameter: {param_full_name} ...")
+    
+    try:
+        ssm_client.get_parameter(Name=param_full_name)
+        print("Parameter already exists. Skipping.")
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'ParameterNotFound':
+            print("...parameter does not exist...")
+            if dryrun:
+                print(f"[DRYRUN] Would store parameter: {param_full_name}")
+            else:
+                print(f"Storing parameter: {param_full_name} ...")
+                ssm_client.put_parameter(
+                    Name=param_full_name,
+                    Value=value,
+                    Type='SecureString',
+                    Tags=tags,
+                    Overwrite=False
+                )
+        else:
+            raise
+
+def get_tags():
+
+    tags = []
+
+    # read in template-configuration.json from current directory or parent directory
+    config_file = None
+    if os.path.exists('template-configuration.json'):
+        config_file = 'template-configuration.json'
+    elif os.path.exists('../template-configuration.json'):
+        config_file = '../template-configuration.json'
+    
+    try:
+        if config_file:
+            with open(config_file, 'r') as f:
+                config = json.load(f)
+
+                # Find the Tags property in config
+                # {
+                #   "Tags": {
+                #     "Provisioner": "CloudFormation",
+                #     "Environment": "$DEPLOY_ENVIRONMENT$",
+                #     "Deploy": "$PREFIX$ - $DEPLOY_ENVIRONMENT$",
+                #     "Stage": "$STAGE_ID$"
+                #     }
+                # }
+                # perform a search and replace of config utilizing environment variables,
+                # for example: replace $PREFIX$ with the value of the PREFIX environment variable
+                # Replacements may come anywhere in the value of the tag, not just at the beginning or end.
+                # set tags to the value of the tags property in config
+                if 'Tags' in config:
+                    config_tags = config['Tags']
+                    for key, value in config_tags.items():
+                        # Find all instances of variable placeholders in the value
+                        # Place holders are in the format $VARIABLE_NAME$
+                        # Replace them with the corresponding environment variable values
+                        if isinstance(value, str):
+                            # Find variable placeholders in the format $VARIABLE_NAME$
+                            placeholders = re.findall(r'\$([A-Z_][A-Z0-9_]*)\$', value)
+                            for placeholder in placeholders:
+                                # Check if the placeholder corresponds to an environment variable
+                                env_value = os.getenv(placeholder)
+                                if env_value is not None:
+                                    # Replace the placeholder with the environment variable value
+                                    value = value.replace(f"${placeholder}$", env_value)
+                                else:
+                                    print(f"Environment variable '{placeholder}' not found. Using original value.", file=sys.stderr)
+                        # Append the tag to the tags list
+                        tags.append({'Key': key, 'Value': value})
+                else:
+                    print("No Tags found in template-configuration.json. Using default tags.", file=sys.stderr)
+
+        else:
+            raise FileNotFoundError("template-configuration.json not found in current or parent directory")
+
+    except FileNotFoundError:
+        print("template-configuration.json not found in current or parent directory. Using default tags.", file=sys.stderr)
+    except json.JSONDecodeError:
+        print("Error decoding JSON from template-configuration.json. Using default tags.", file=sys.stderr)
+    except Exception as e:
+        print(f"Error reading template-configuration.json: {e}", file=sys.stderr)
+
+    # Find the element in the tags list that has the key 'Provisioner' and replace its value with 'CodeBuild'
+    provisioner_tag = next((tag for tag in tags if tag['Key'] == 'Provisioner'), None)
+    if provisioner_tag:
+        provisioner_tag['Value'] = 'CodeBuild'
+    else:
+        tags.append({'Key': 'Provisioner', 'Value': 'CodeBuild'})
+
+    # Find the element in the tags list that has the key 'DeployedUsing' and replace its value with 'CodeBuild'
+    deployed_using_tag = next((tag for tag in tags if tag['Key'] == 'DeployedUsing'), None)
+    if deployed_using_tag:
+        deployed_using_tag['Value'] = 'Build Script'
+    else:
+        tags.append({'Key': 'DeployedUsing', 'Value': 'Build Script (generate-put-ssm.py)'})
+
+    # print out the tags
+    print("Tags to be used:")
+    for tag in tags:
+        print(f"  {tag['Key']}: {tag['Value']}")
+
+    return tags
+
+def main():
+    parser = argparse.ArgumentParser(add_help=False)
+    parser.add_argument('param_name', help='The name of the key parameter')
+    parser.add_argument('--generate', type=int, help='Generate a random key with specified number of bits')
+    parser.add_argument('--value', type=str, help='Use the provided value directly')
+    parser.add_argument('--dryrun', action='store_true', help='Check if parameter exists but don\'t create it')
+    parser.add_argument('--profile', type=str, help='AWS profile to use for the request')
+    
+    try:
+        args = parser.parse_args()
+    except:
+        usage()
+        sys.exit(1)
+    
+    # Check for mutually exclusive options
+    if args.generate is not None and args.value is not None:
+        print("Error: --generate and --value cannot be used together", file=sys.stderr)
+        sys.exit(1)
+    
+    param_name = args.param_name
+    if not param_name.startswith('/'):
+        print("Error: PARAM_NAME must start with a '/'", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"Parameter Name: {param_name}")
+
+    # Determine value to store
+    if args.value is not None:
+        value = args.value
+        print(f"Using provided value: {value}")
+    elif args.generate is not None:
+        value = generate_key(args.generate)
+        if (args.dryrun):
+            print(f"[DRYRUN] Generated key of bit length {args.generate}: {value}")
+        else:
+            print(f"Generated key of bit length {args.generate}")
+    else:
+        value = "BLANK"
+        print("No value provided. Using default value: 'BLANK' which needs to be replaced with a real value.")
+    
+    tags = get_tags()
+
+    try:
+        session = boto3.Session(profile_name=args.profile) if args.profile else boto3.Session()
+        ssm_client = session.client('ssm')
+        put_parameter(ssm_client, f"{param_name}", value, tags, args.dryrun)
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()

package/docs/00-example-implementation/template-configuration.json

@@ -0,0 +1,14 @@
+{
+  "Parameters": {
+    "FunctionMaxMemoryInMB": "2048",
+    "FunctionTimeOutInSeconds": "30",
+    "CacheDataTimeZoneForInterval": "America/Chicago",
+    "CacheDataAWSXRayOn": "true"
+  },
+  "Tags": {
+    "Provisioner": "CloudFormation",
+    "Application": "$PREFIX$-$PROJECT_ID$",
+    "ApplicationDeploymentId": "$PREFIX$-$PROJECT_ID$-$STAGE_ID$",
+    "Repository": "$REPOSITORY$"
+  }
+}