fix(ssm): malformed ARNs for parameters with physical names that use path notation #4842
Conversation
…path notation SSM parameter names can have one of two forms: “simpleName” or “/path/name”. This makes it tricky to render an ARN for the parameter is the name is an unresolvable token (such as a “Ref”) because we can’t decide whether a “/“ separator is required in the ARN. The previous implementation assumed "Ref" always returns the name without a "/" prefix, and therefore did not use the "/" separator. This fix will use the physical name itself (if possible) to determine the separator (and also assume that generated names will not use the path notation). The only case where this is impossible is if the physical name is a token (either created or imported), in which case we should be able to synthesize a CloudFormation condition which will parse the token during deployment. This test also adds a validation that verifies that if a physical name is provided and uses path notation, it must begin with a "/". Misc: re-add `install.sh` to call `npx yarn install`
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
| // parameterName is a token and physical name is not helping us (either missing or a token itself) | ||
| // in this use case we will need to synthesize a CloudFormation condition that will be used to determine | ||
| // if the name has a "/" prefix or not. | ||
| const startsWithSlash = startsWithCondition(scope as Construct, parameterName, "/"); |
There was a problem hiding this comment.
Oh shit. After thinking about it some more, I'm not sure this is going to work. At least, this won't work for { Refs }s, as Conditions need to evaluate before Resources are.
There was a problem hiding this comment.
Yes, you are right:
❌ integ-parameter-arns failed: ValidationError: Template format error: Unresolved dependencies [StringDeployTime8EC8E402]. Cannot reference resources in the Conditions block of the template
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
revert attempt to guess parameter name prefix if it's a token since we can't incorporate refs in conditions. Instead, if the parameter name if a token, we expect `parameterArnSeparator` to be explicitly defined and be one of "/" or "".
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
install.sh
Outdated
| @@ -0,0 +1,3 @@ | |||
| #!/bin/bash | |||
| set -euo pipefail | |||
| exec npx yarn install | |||
| * @default - automatically determined based on the value of `parameterName` | ||
| * unless it is a token, in which case this field is required. | ||
| */ | ||
| readonly parameterArnSeparator?: string; |
There was a problem hiding this comment.
Why is this not simply a boolean startsWithSlash or not?
There was a problem hiding this comment.
I don't know. I am dumb?
There was a problem hiding this comment.
Please fix!! I am getting Unable to determine ARN separator for SSM parameter since the parameter name is an unresolved token. Use "fromAttributes" and specify "simpleName" explicitly
There was a problem hiding this comment.
Can you please raise a new issue with a retro?
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
5 participants
SSM parameter names can have one of two forms: “simpleName” or “/path/name”. This makes it impossible to render an ARN for the parameter is the name is an unresolvable token (such as a “Ref”) because we can’t decide whether a “/“ separator is required in the ARN.
The previous implementation assumed "Ref" always returns the name without a "/" prefix, and therefore did not use the "/" separator.
This fix will use the physical name itself (if possible) to determine the separator (and also assume that generated names will not use the path notation) and in the case where there is no concrete name to use, it requires that users explicitly specify the ARN separator through an attribute or a prop.
This change also adds a validation that verifies that if a physical name is provided and uses path notation, it must begin with a "/".
Fixes #4803
Fixes #2777
Misc: re-add
install.shto callnpx yarn installBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license