Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(ssm): Retrieve secure string without version number #17091

Closed
fire015 opened this issue Oct 21, 2021 · 4 comments · Fixed by #18187
Closed

(ssm): Retrieve secure string without version number #17091

fire015 opened this issue Oct 21, 2021 · 4 comments · Fixed by #18187
Labels
@aws-cdk/aws-ssm Related to AWS Systems Manager feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed.

Comments

@fire015
Copy link

fire015 commented Oct 21, 2021

General Issue

Ability to retrieve secure string without version number

The Question

I am using ECS fargate and the secrets property to retrieve secret env vars from SSM.

    new ApplicationLoadBalancedFargateService(this, "ECSService", {
      taskImageOptions: {
        secrets: {
          API_KEY: this.getSecret("API_KEY", 1),
        },
      },
    });

  private getSecret(parameterName: string, version: number): ecs.Secret {
    return ecs.Secret.fromSsmParameter(
      ssm.StringParameter.fromSecureStringParameterAttributes(this, `SecretParameter-${parameterName}`, { parameterName, version })
    );
  }

The problem is you have to define the version number to retrieve a secure string (unlike a regular string) and this gets difficult when you deploy the same stack to different environments and the version of the secret may differ between environments.

Is there a better way of doing this or can I suggest this as a new feature request? It's not clear why you don't have to define a version for a regular string but you do for a secure one...

CDK CLI Version

1.107.0

Framework Version

No response

Node.js Version

12

OS

No response

Language

Typescript

Language Version

No response

Other information

No response
@fire015 fire015 added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Oct 21, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ssm Related to AWS Systems Manager label Oct 21, 2021
@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Oct 21, 2021
@jumic
Copy link
Contributor

jumic commented Oct 24, 2021

Referencing the latest version of a secure string is not possible in the underlying CloudFormation function. The documentation for property version describes this limitation:

An integer that specifies the version of the parameter to use. You must specify the exact version. You can't currently specify that AWS CloudFormation use the latest version of a parameter.

For string parameters, this limitation doesn't exist in CloudFormation. Therefore there is a different behavior for String and Secure String.

From my point of view, you have to create a parameter for the version number to pass different values for each environment.

@peterwoodworth
Copy link
Contributor

Thanks @jumic

Since this is limited by cloudformation, the chance of this being a feature worked on by the team is pretty low. I could still convert it to a feature request if you want though @fire015, just let me know

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 25, 2021
@fire015
Copy link
Author

fire015 commented Oct 26, 2021

@peterwoodworth thanks, I will open as a feature request on the CF github repo!

@fire015 fire015 mentioned this issue Oct 26, 2021
Closed
@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 26, 2021
@peterwoodworth peterwoodworth added feature-request A feature should be added or improved. feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed guidance Question that needs advice or information. labels Oct 26, 2021
jogold added a commit to jogold/aws-cdk that referenced this issue Dec 27, 2021
@jogold
feat(core,ssm): reference latest version of secure string parameters
9201954 
Supported by CF since April 2021 but no yet ported to CDK.

See https://aws.amazon.com/about-aws/whats-new/2021/04/now-reference-latest-aws-systems-manager-parameter-values-in-aws-cloudformation-templates-without-specifying-parameter-versions/

Close aws#17091
@jogold jogold mentioned this issue Dec 27, 2021
Merged
@mergify mergify bot closed this as completed in #18187 Dec 30, 2021
mergify bot pushed a commit that referenced this issue Dec 30, 2021
@jogold
feat(ssm): reference latest version of secure string parameters (#18187)
7d0680a 
Supported by CF since April 2021 but not yet ported to CDK.

See https://aws.amazon.com/about-aws/whats-new/2021/04/now-reference-latest-aws-systems-manager-parameter-values-in-aws-cloudformation-templates-without-specifying-parameter-versions/

Close #17091


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@dbartholomae dbartholomae mentioned this issue Jan 28, 2022
Closed
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@jogold @TikiTDO
feat(ssm): reference latest version of secure string parameters (aws#…
a863286 
…18187)

Supported by CF since April 2021 but not yet ported to CDK.

See https://aws.amazon.com/about-aws/whats-new/2021/04/now-reference-latest-aws-systems-manager-parameter-values-in-aws-cloudformation-templates-without-specifying-parameter-versions/

Close aws#17091


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ssm Related to AWS Systems Manager feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(ssm): reference latest version of secure string parameters jogold/aws-cdk
5 participants
@fire015 @njlynch @jumic @ryparker @peterwoodworth