Overview
Parameter files provide environment-specific values for each template. They control CloudFormation parameters, stack tags, and deployment options.
Directory layout
Each environment folder under parameters/ mirrors the files found in templates/:
parameters/
test/
oidc-provider.yml
production/
oidc-provider.yml
Rain looks for parameter files with extensions .json, .yml, or .yaml (in that order). The first match is passed to rain deploy with the --config flag.
File structure
Parameter files follow Rain's configuration syntax:
Parameters:
SubjectClaimFilters: "repo:my-org/platform:*"
Tags:
Project: GitHubActions
Environment: test
Options:
StackName: github-oidc-provider
Configuration blocks
| Block | Purpose |
|---|---|
| Parameters | Feeds values into the template's Parameters section |
| Tags | Applies to resources that support AWS tags |
| Options | Overrides stack-level settings like StackName, Capabilities, or TerminationProtection |
Parameters block
Provide values for each template parameter:
Parameters:
VpcCidr: "10.0.0.0/16"
Environment: test
EnableLogging: "true"
Tags block
Apply consistent tags across all stack resources:
Tags:
Project: MyProject
Environment: test
CostCenter: engineering
Owner: platform-team
Options block
Override stack-level settings:
Options:
StackName: custom-stack-name
Capabilities:
- CAPABILITY_IAM
- CAPABILITY_NAMED_IAM
TerminationProtection: true
Managing secrets
Avoid storing secrets directly in parameter files. Use these approaches instead:
| Method | Description |
|---|---|
| SSM Parameter Store | Reference with {{resolve:ssm:/path/to/value}} in template |
| Secrets Manager | Reference with {{resolve:secretsmanager:secret-name}} in template |
| GitHub Actions secrets | Inject as environment variables in the deploy step |
Example using SSM reference in template:
Parameters:
DatabasePassword:
Type: AWS::SSM::Parameter::Value<String>
Default: /myapp/database/password
Version control tips
- Commit parameter files even if they contain placeholders so everyone knows the expected structure
- Coordinate changes with deployment windows since Rain updates stacks immediately when workflows run
- Document exclusions in a README within the environment folder if you need to exclude sensitive parameters from git
Next steps
- Templates reference - Template organization
- Scripts reference - Deployment automation
- Rain reference - CLI configuration options