feat(ssm): reference latest version of secure string parameters (aws#18187)

Supported by CF since April 2021 but not yet ported to CDK.

See https://aws.amazon.com/about-aws/whats-new/2021/04/now-reference-latest-aws-systems-manager-parameter-values-in-aws-cloudformation-templates-without-specifying-parameter-versions/

Close aws#17091


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
jogold authored and TikiTDO committed Feb 21, 2022
1 parent ef68019 commit a863286
Showing 6 changed files with 40 additions and 9 deletions.
9 changes: 6 additions & 3 deletions packages/@aws-cdk/aws-ssm/lib/parameter.ts
@@ -311,9 +311,11 @@ export interface StringParameterAttributes extends CommonStringParameterAttribut
*/
export interface SecureStringParameterAttributes extends CommonStringParameterAttributes {
/**
* The version number of the value you wish to retrieve. This is required for secure strings.
* The version number of the value you wish to retrieve.
*
* @default - AWS CloudFormation uses the latest version of the parameter
*/
readonly version: number;
readonly version?: number;

/**
* The encryption key that is used to encrypt this parameter
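Review bot: the new `@default` text on `version` should spell out the trade-off the optional field introduces: attributes without `version` no longer pin the secret, so each deployment picks up whatever the current version of the parameter is at that moment, and a rotated or tampered parameter value flows into the stack without any change to the CDK app. Suggest extending the comment, e.g. `@default - AWS CloudFormation uses the latest version of the parameter; pin a version for reproducible deployments`.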
@@ -365,7 +367,8 @@ export class StringParameter extends ParameterBase implements IStringParameter {
* Imports a secure string parameter from the SSM parameter store.
*/
public static fromSecureStringParameterAttributes(scope: Construct, id: string, attrs: SecureStringParameterAttributes): IStringParameter {
const stringValue = new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, `${attrs.parameterName}:${Tokenization.stringifyNumber(attrs.version)}`).toString();
const version = attrs.version ? Tokenization.stringifyNumber(attrs.version) : '';
const stringValue = new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, `${attrs.parameterName}:${version}`).toString();

class Import extends ParameterBase {
public readonly parameterName = attrs.parameterName;
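Review bot: `attrs.version ? ... : ''` tests truthiness, while the sibling change in `secret-value.ts` uses `version ?? ''`; a `version` of `0` would be silently dropped here and resolve to the latest version instead of surfacing as an error. Prefer `const version = attrs.version !== undefined ? Tokenization.stringifyNumber(attrs.version) : '';` so that only an absent version falls through to the unpinned form.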
13 changes: 13 additions & 0 deletions packages/@aws-cdk/aws-ssm/test/parameter.test.ts
@@ -589,6 +589,19 @@ test('StringParameter.fromSecureStringParameterAttributes with encryption key cr
});
});

test('StringParameter.fromSecureStringParameterAttributes without version', () => {
// GIVEN
const stack = new cdk.Stack();

// WHEN
const param = ssm.StringParameter.fromSecureStringParameterAttributes(stack, 'MyParamName', {
parameterName: 'MyParamName',
});

// THEN
expect(stack.resolve(param.stringValue)).toEqual('{{resolve:ssm-secure:MyParamName:}}');
});

test('StringListParameter.fromName', () => {
// GIVEN
const stack = new cdk.Stack();
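Review bot: the assertion pins the trailing-colon form `{{resolve:ssm-secure:MyParamName:}}`, which is the contract this change relies on for an unversioned reference; add a short comment on the THEN line saying the empty version after the last colon is intentional, so a later cleanup does not "fix" it into a different string. A neighbouring case that passes `version` explicitly would also show the two code paths side by side.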
4 changes: 3 additions & 1 deletion packages/@aws-cdk/core/README.md
@@ -223,7 +223,9 @@ Using AWS Secrets Manager is the recommended way to reference secrets in a CDK a
`SecretValue` also supports the following secret sources:

- `SecretValue.plainText(secret)`: stores the secret as plain text in your app and the resulting template (not recommended).
- `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM Parameter Store.
- `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM
Parameter Store. If you don't specify the exact version, AWS CloudFormation uses the latest
version of the parameter.
- `SecretValue.cfnParameter(param)`: refers to a secret passed through a CloudFormation parameter (must have `NoEcho: true`).
- `SecretValue.cfnDynamicReference(dynref)`: refers to a secret described by a CloudFormation dynamic reference (used by `ssmSecure` and `secretsManager`).

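Review bot: the bullet keeps the signature as `SecretValue.ssmSecure(param, version)` although `version` is now optional; write it as `SecretValue.ssmSecure(param, version?)` or show both calls, and add the caution that omitting the version means the deployed secret is not pinned and changes whenever the parameter is updated, so reproducible deployments should pass an explicit version.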
8 changes: 4 additions & 4 deletions packages/@aws-cdk/core/lib/secret-value.ts
@@ -67,11 +67,11 @@ export class SecretValue extends Intrinsic {
* Parameter Store. The parameter name is case-sensitive.
*
* @param version An integer that specifies the version of the parameter to
* use. You must specify the exact version. You cannot currently specify that
* AWS CloudFormation use the latest version of a parameter.
* use. If you don't specify the exact version, AWS CloudFormation uses the
* latest version of the parameter.
*/
public static ssmSecure(parameterName: string, version: string): SecretValue {
const parts = [parameterName, version];
public static ssmSecure(parameterName: string, version?: string): SecretValue {
const parts = [parameterName, version ?? ''];
return this.cfnDynamicReference(new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, parts.join(':')));
}

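Review bot: the `@param version` doc still says "An integer" while the parameter type is `string` (and `SecureStringParameterAttributes.version` in `parameter.ts` is `number`); since this block is being edited, align the doc with the type. `version ?? ''` is the right absence check here, and the same form would be worth using in `parameter.ts` instead of a truthiness test.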
11 changes: 11 additions & 0 deletions packages/@aws-cdk/core/test/secret-value.test.ts
@@ -119,6 +119,17 @@ describe('secret value', () => {

});

test('ssmSecure without version', () => {
// GIVEN
const stack = new Stack();

// WHEN
const v = SecretValue.ssmSecure('param-name');

// THEN
expect(stack.resolve(v)).toEqual('{{resolve:ssm-secure:param-name:}}');
});

test('cfnDynamicReference', () => {
// GIVEN
const stack = new Stack();
4 changes: 3 additions & 1 deletion packages/aws-cdk-lib/README.md
@@ -254,7 +254,9 @@ Using AWS Secrets Manager is the recommended way to reference secrets in a CDK a
`SecretValue` also supports the following secret sources:

- `SecretValue.plainText(secret)`: stores the secret as plain text in your app and the resulting template (not recommended).
- `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM Parameter Store.
- `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM
Parameter Store. If you don't specify the exact version, AWS CloudFormation uses the latest
version of the parameter.
- `SecretValue.cfnParameter(param)`: refers to a secret passed through a CloudFormation parameter (must have `NoEcho: true`).
- `SecretValue.cfnDynamicReference(dynref)`: refers to a secret described by a CloudFormation dynamic reference (used by `ssmSecure` and `secretsManager`).


0 comments on commit a863286