feat: Create GuSSMParameter using AWS Custom Resources

[stephengeller]

What does this change?

Problem

At the moment, the general practice for injecting secrets into CloudFormation templates is through CFN parameters. In CDK, this looks like this:

DatabaseUser: new GuStringParameter(this, "DatabaseUser", {
        description: "Username of the RDS DB",
        default: "grafana",
}),

This is a bit gross, as it:

1. Doesn't have a sensible default (and it wouldn't make sense to have one here), meaning you have to input it yourself every time you create the stack and somehow keep it safe in an unspecified place
2. Requires you to go into the UI every time you want to change it
3. Doesn't make it clear that it is a secure/sensitive value
4. Makes the CFN more unwieldy as more parameters == more things to remember and update and maintain

Solution

This PR creates a GuSSMParameter construct, making use of the SSM Parameter Store to fetch values dynamically.

DatabaseUser: GuSSMParameter(this, "/PATH/TO/database-user")

Using AWS Custom Resources, the GuSSMParameter construct can dynamically fetch the latest version of an SSM parameter, something that AWS' own CDK construct cannot do yet.

This also creates GuSSMDefaultParam (would prefer a new name, suggestions welcome!) that assumes the default path of /$STAGE/$STACK/$APP/$PARAM_NAME as a prefix to the parameter name, for added simplicity.

All three of the below implementations work:

import type { App } from "@aws-cdk/core";
import { CfnOutput } from "@aws-cdk/core";
import type { GuStackProps } from "@guardian/cdk/lib/constructs/core";
import { GuStack } from "@guardian/cdk/lib/constructs/core";
import { GuSSMDefaultParam, GuSSMParameter } from "./ssmParams";

export class CdkStack extends GuStack {
  constructor(scope: App, id: string, props: GuStackProps) {
    super(scope, id, props);

    const secrets = {
      fullPath: new GuSSMParameter(this, "/CODE/test/tag-janitor/test-output").getValue(),
      usingDefaultValues: GuSSMDefaultParam(this, "test-output").getValue(),
      usingTokensInPath: new GuSSMParameter(this, `/${this.stage}/${this.stack}/${this.app}/test-output`).getValue(),
    };

    new CfnOutput(this, "fullPath", { value: secrets.fullPath });
    new CfnOutput(this, "usingDefaultValues", { value: secrets.usingDefaultValues });
    new CfnOutput(this, "usingTokensInPath", { value: secrets.usingTokensInPath });
  }
}

This offers numerous advantages:

1. It's less code (yay!) and easier to declare
2. It requires no user input to deploy
3. Updating the value is easier, as you can navigate to SSM on the CLI as well as the UI and then redeploy the app in RiffRaff
4. You can optionally and easily make use of the /$STAGE/$STACK/$APP/$PARAM_NAME path prefix with ease and have it dynamically resolve based on the value of those parameters

Usage

Abridged from tag-janitor

export class CdkStack extends GuStack {
  constructor(scope: App, id: string, props: GuStackProps) {
    super(scope, id, props);

    const secrets = {
      prismUrl: new GuSSMParameter(this, `/${this.stage}/${this.stack}/${this.app}/prism-url`).getValue(),
    };

    new GuScheduledLambda(this, `${this.app}-lambda`, {
      handler: "dist/src/handler.handler",
      functionName: `${this.app}-${this.stage}`,
      runtime: Runtime.NODEJS_12_X,
      code: {
        bucket: parameters.bucketName.valueAsString,
        key: `${this.stack}/${this.stage}/${this.app}/${this.app}.zip`,
      },
      environment: { PRISM_URL: parameters.prismUrl }, // Used here
      vpc: GuVpc.fromIdParameter(this, "vpc"),
      vpcSubnets: {
        subnets: GuVpc.subnetsfromParameter(this),
      },
      schedule: Schedule.rate(lambdaFrequency),
      monitoringConfiguration: {
        snsTopicName: "devx-alerts",
        toleratedErrorPercentage: 99,
      },
    });
  }
}

How does it work?

This uses AWS Custom Resouces, which creates a few things alongside your normal resources. Namely, this creates a lambda which will essentially execute anything you want, but we've restricted ours to just call SSM getParameter for our purposes. When you create/update a stack, the lambda will run, fetch the latest version of the SSM parameters you need and populate the relevant resources with them.

Does this change require changes to existing projects or CDK CLI?

Not yet, as this would be something to begin replacing traditional GuParameters with.

How to test

Tests will be added before moving this from draft to live.

How can we measure success?

1. We pretty much eliminate all manually filled-in CFN parameters from CDK stacks
2. We can always fetch the latest version of an SSM parameter for use in CDK stacks
3. We can dymically fetch parameters for appropriate $STAGE/$STACK/$APP paths

Have we considered potential risks?

Not risks as such, but AWS Custom Resources will somewhat unavoidably create additional resources per stack. This isn't necessarily a problem (and should be fine cost-wise due to the low number of executions), but is a bit of a gotcha that's worth knowing about. However, users will not need to touch these resources and can happily ignore them.

[jacobwinch]

I think there are plans to change this; see similar a discussion here. However perhaps param should be part of props, for consistency?

[stephengeller]

Good shout, and done. It's actually becoming apparent that passing in an ID might solve a couple of issues down the line but will investigate.

The problem is essentially that it looks like we need to ensure we create new custom resources every time (not the lambda, but possibly everything else) in order to trigger the fetching of an SSM parameter every time. If you have a fixed ID, it might be the case that it won't update past creation unless you somehow inform it that there's been a change.

Will investigate though.

[akash1810]

#352 revises the linting rules.

[jacobwinch]

I think you're in luck!

[stephengeller]

Yay! Updated to use Node 14.

[jacobwinch]

If GuSSMParameterProps was:

export interface GuSSMParameterProps {
  secure?: boolean;
  /*
   * If no path is provided we will assume it is`/${STAGE}/${STACK}/${APP}/${param}`
   * */
  overridePath?: string; // not sure about the name, but hopefully you get the idea
}

Then we could consider dropping GuSSMDefaultParam entirely?

Although it would still be possible to stray from the well-trodden path (no pun intended), it would be a little harder to do so accidentally.

[stephengeller]

Yeah, maybe if we called the prop fullPath instead, that might be clearer? eg:

const withFullPath = new GuSSMParameter(this, { parameter: "/path/to/param", fullPath: true })
const assumedPath = new GuSSMParameter(this, { parameter: "param" }) // assumes /stage/stack/app/param

[jacobwinch]

I think that you could use v3 of this sdk. I had a few problems migrating a project to it recently, but unless you are aware of any known issues with the functionality you're using it could be worth a try?

[stephengeller]

Good shout! I've tried it and looks fine, thanks for the heads up about this.

[stephengeller]

Sadly, I've had to revert to v2 of the library since an AWS Node Lambda only has v2 of the library available. If and when this changes we can definitely upgrade though, but not sure we can make this work with v3 at the moment.

[jacobwinch]

Great PR description, thanks for taking the time to write this up! I've left a few comments but it's looking good so far!

[stephengeller]

I've got a couple of things to work out before this is good to go (getting CI to pass included), so will work those out before requesting another review but all comments so far should be addressed

[stephengeller]

This is now ready for review! Good to get eyes on it from @jacobwinch @akash1810 and/or @sihil if possible.

[akash1810]

Looks good! Added a few comments.

Could we add some usage guidance to the PR description? The example use case is a database user - when should this be normal application config vs a GuSSMParameter in the CFN template?

Lastly, should the PR's prefix be "feat" as we're adding a feature and a new minor version should be released?

[akash1810]

Oh wow! I'd be curious to know the output of npm pack now? IIUC npm pack will create a local bundle that's representative of what gets published to NPM - a sort of publish dry run.

I'm not sure what JS file will be added - the empty lambda.js or the one that tsc will create?

[stephengeller]

Just ran it and it looks like it packs fine! By that I mean the resulting lambda.js file is the expected compiled TS lambda, not the dummy file. I assume it simply overwrites it no matter what, as the dummy file could equally be seen as a stale JS file in need of updating

[akash1810]

Don't think this is needed?

[stephengeller]

Good find, thanks!

[akash1810]

Node 12 is in maintenance LTS. AWS recently announced support for node 14 in AWS Lambda.

How does the output for a node 14 runtime break? There might be some TS config tweaks we can make? Or raise it with our AWS TAM?

[stephengeller]

I think this TODO is outdated, as the TS configuration in the app creates Node 12 compliant JS code. The problem with upgrading to Node 14 is that it for some reason prevents us from using inline code (ie Code.fromInline), which is necessary here. I can't find anything online yet that specifically explains why, but it means that we're somewhat restricted to 12 until we can inline the code or find a better solution.

[akash1810]

The comment suggests this is pretty crucial, should we explicitly test it?

[stephengeller]

Yeah, we should. I've added two tests that hopefully capture this behaviour!

[akash1810]

Would be good, but not a blocker, to isolate this function to make it super obvious that given this input, we expect this output. That is, test the id function outside of the constructor. We can do this later as needed though.

[akash1810]

I think you're on NPM v7? You'll want to downgrade to v6, I think . See #340 and #335 (comment).

[stephengeller]

D'oh, thanks! Resolved in a coming push.

[stephengeller]

Thanks for the comments @akash1810 , I've now addressed them all as well as updated the PR name and added a use case, hope that's what you were after?

[akash1810]

Looks great. A couple of minor comments to consider, but feel free to address them in future PRs.

[akash1810]

What does content-type of empty string do/mean? Would omitting it yield the same behaviour?

[stephengeller]

I assume it's a bad thing, if anything. However, it was copied straight from aws's source code, so I'm tempted to leave it for now and only change if it causes issues?

[akash1810]

Would be good, but not a blocker, to isolate this function to make it super obvious that given this input, we expect this output. That is, test the id function outside of the constructor. We can do this later as needed though.

[akash1810]

#352 allows for this constructor 🎉 a rebase of main should allow you to remove this line.

[stephengeller]

Nice one, done.

[akash1810]

#352 allows for this constructor 🎉 a rebase of main should allow you to remove this line.

[stephengeller]

Would be good, but not a blocker, to isolate this function to make it super obvious that given this input, we expect this output. That is, test the id function outside of the constructor. We can do this later as needed though.

I isolated the function and added some tests, hopefully that should do the trick @akash1810 .

[github-actions]

🎉 This PR is included in version 6.2.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀