Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(ssm): StringParameter.fromSecureStringParameterAttributes not working without version #22311

Closed
wants to merge 1 commit into from

Conversation

dglsparsons
Copy link

@dglsparsons dglsparsons commented Sep 30, 2022

It is possible to omit the version of an SSM SecureString parameter.

When omitted, the reference generated by CDK results in a ValidationError when applying the changes.

e.g.

Error [ValidationError]: Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:/some/parameter:}}]

Related to #18729


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Sep 30, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team September 30, 2022 16:11
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Sep 30, 2022
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@mrgrain
Copy link
Contributor

mrgrain commented Sep 30, 2022

Nice catch! Would you mind applying the same fix here: https://github.com/aws/aws-cdk/pull/22311/files#diff-c6cc0ad12503f28d8ab4c545f7efa3d406d90dfe0d34b67c2b29ad115e7a889bR671

@dglsparsons dglsparsons changed the title Don't specify SSM secure string parameter version when it is not supp… fix(ssm) don't specify secure string parameter version when not supplied Oct 1, 2022
@mergify mergify bot dismissed aws-cdk-automation’s stale review October 1, 2022 10:21

Pull request has been modified.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 10:22

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@mergify mergify bot dismissed aws-cdk-automation’s stale review October 1, 2022 10:22

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 10:22

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 10:24

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 10:41

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@dglsparsons dglsparsons changed the title fix(ssm) don't specify secure string parameter version when not supplied fix(ssm) parameter version incorrectly specied when omitted Oct 1, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 10:43

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

@dglsparsons
Copy link
Author

Hey @mrgrain - I'm not sure where you intended to link with that comment, but it just takes me to the changes I've already made.

I can't see anywhere else that doesn't have conditional logic on the version being provided though.

I've fixed the unit test, but can't seem to make the PR title happy for conventional commits, and it's unhappy with me for not updating any snapshots - although they all seem happy...

Would appreciate any pointers here, if you have any! :)

→ yarn integ-runner --directory packages/@aws-cdk/aws-ssm
yarn run v1.22.18
$ ./aws-cdk/node_modules/.bin/integ-runner --directory packages/@aws-cdk/aws-ssm

Verifying integration test snapshots...

  UNCHANGED  integ.parameter-store-string.lit 0.46s
  UNCHANGED  integ.list-parameter 0.559s
  UNCHANGED  integ.parameter.lit 1.152s
  UNCHANGED  integ.parameter-arns 1.161s

Snapshot Results:

Tests:    4 passed, 4 total
✨  Done in 1.66s.

@mrgrain mrgrain changed the title fix(ssm) parameter version incorrectly specied when omitted fix(ssm): parameter version incorrectly specified when omitted Oct 1, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 11:39

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

@mrgrain mrgrain changed the title fix(ssm): parameter version incorrectly specified when omitted fix(ssm): StringParamter.fromSecureStringParameterAttributes not working without version Oct 1, 2022
@mrgrain
Copy link
Contributor

mrgrain commented Oct 1, 2022

@dglsparsons Apologies, I thought the List one needed a fix as well, but I see now how that's not the case. 🙇🏻


Regarding integration tests, it appears there is no existing integration test that covered omitting version (which makes sense, otherwise it would have failed). So you'll need to add or update one of the integration tests to include the scenario you are fixing.


You were missing a : in your PR title. I fixed that for you and update the title to our preferred phrasing.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 11:41

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

@dglsparsons dglsparsons changed the title fix(ssm): StringParamter.fromSecureStringParameterAttributes not working without version fix(ssm): StringParameter.fromSecureStringParameterAttributes not working without version Oct 1, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 1, 2022 11:49

Pull Request updated. Dissmissing previous PRLinter Review.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

…orking without version

It is possible to omit the `version` of an SSM SecureString parameter.

When omitted, the reference generated by CDK results in a
ValidationError when applying the changes.

e.g.

```
Error [ValidationError]: Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:/some/parameter:}}]
```
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

@dglsparsons
Copy link
Author

@mrgrain - it looks like the integration tests don't really exist for SecureString parameters as there is no way to provision them (no construct for SecureString, only String). So I'm a bit unsure on how to proceed.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: a96f622
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mrgrain
Copy link
Contributor

mrgrain commented Oct 2, 2022

I see. Could we maybe use an AwsCustomResource to provision them?
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html#oncreate

Something like (untested code):

new cr.AwsCustomResource(this, 'GetParameter', {
  onUpdate: { // will also be called for a CREATE event
    service: 'SSM',
    action: 'putParameter',
    parameters: {
      Name: '/My/Secure/Parameter',
      Type: 'SecureString',
      Value: 'abcdef'
    },
    physicalResourceId: cr.PhysicalResourceId.of('/My/Secure/Parameter'),
  },
  onDelete: {
    service: 'SSM',
    action: 'deleteParameter',
    parameters: {
      Name:  new cr.PhysicalResourceIdReference(),
    },
  },
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});

See also:

@aws-cdk-automation
Copy link
Collaborator

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@mrgrain
Copy link
Contributor

mrgrain commented Oct 24, 2022

@dglsparsons Thanks for your original contribution. FYI I've prepared the new PR #22618 that includes your change, as well as a refacor of the SSM Parameter Store integ tests.

@dglsparsons
Copy link
Author

@dglsparsons Thanks for your original contribution. FYI I've prepared the new PR #22618 that includes your change, as well as a refacor of the SSM Parameter Store integ tests.

That's amazing! Thank you! I've been meaning to carve out some time to address those tests for ages but haven't been able to get around to it :).

@mrgrain
Copy link
Contributor

mrgrain commented Oct 24, 2022

That's amazing! Thank you! I've been meaning to carve out some time to address those tests for ages but haven't been able to get around to it :).

Yeah no worries! It turned out to be a bit more complicated anyway. But I'm glad we've now got proper tests for this. 🎉

@mrgrain
Copy link
Contributor

mrgrain commented Oct 24, 2022

Closing in favour of #22618

@mrgrain mrgrain closed this Oct 24, 2022
mergify bot pushed a commit that referenced this pull request Oct 25, 2022
…orking without version (#22618)

It is possible to omit the `version` of an SSM SecureString parameter.

When omitted, the reference generated by CDK results in a ValidationError when applying the changes.

e.g.

```
Error [ValidationError]: Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:/some/parameter:}}]
```

Related to #18729
Replaces #22311

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants