aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(signer): not working for signing platforms other than AWSLambda-SHA384-ECDSA #25332

Open sthuber90 opened 1 year ago

sthuber90 commented 1 year ago

Describe the bug

Trying to create a signing profile for platform "AmazonFreeRTOS-Default" or "AWSIoTDeviceManagement-SHA256-ECDSA" fails with CDK L2 and L1 constructs.

Expected Behavior

A signing profile for platform "AmazonFreeRTOS-Default" or "AWSIoTDeviceManagement-SHA256-ECDSA" has been created.

Current Behavior

Creating a signing profile for a platform ID other than "AWSLambda-SHA384-ECDSA" fails with the following message:

Properties validation failed for resource MySigningProfile with message:

/PlatformId: # only 1 subschema matches out of 2

/PlatformId: failed validation constraint for keyword [enum]

Reproduction Steps

import * as signer from 'aws-cdk-lib/aws-signer';

// Neither of the provided snippets works, not the L2 and also not the L1 construct.
const signingProfile = new signer.SigningProfile(this, 'SigningProfile', {
  platform: signer.Platform.AMAZON_FREE_RTOS_DEFAULT,
});

const cfnSigningProfile = new signer.CfnSigningProfile(this, 'MyCfnSigningProfile', {
  platformId: 'AmazonFreeRTOS-Default',
});

Possible Solution

Unfortunately, it seems there is no solution until CloudFormation supports all signing platforms. Still, I believe this issue is valuable, as I spent days figuring out why cdk deploy fails before realizing that the issue is not on my side.

reference: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1641

Additional Information/Context

While trying to dig into the issue, I've also tried to create a signing profile through the AWS CLI, providing the same parameters that CDK sets in the CloudFormation template. There the error message is a lot clearer:

> aws signer put-signing-profile --profile-name test --platform-id AWSIoTDeviceManagement-SHA256-ECDSA 

An error occurred (ValidationException) when calling the PutSigningProfile operation: signing material cannot be null.

It became clear to me that CloudFormation, and thereby also CDK, doesn't provide a way to set the signing material. The signing material refers to the AWS Certificate Manager certificate used for signing. In my use case, I would additionally have to set the signing parameters, which are also not supported through CloudFormation.

CDK CLI Version

2.73.0

Framework Version

No response

Node.js Version

18.12.1

OS

macOS Ventura 13.3.1

Language

Typescript

Language Version

No response

Other information

The only way that I could find to create a signing profile with CDK was to resort to AwsCustomResource:

import { Platform } from 'aws-cdk-lib/aws-signer'
import {
  AwsCustomResource,
  AwsCustomResourcePolicy,
  PhysicalResourceId,
} from 'aws-cdk-lib/custom-resources'

// Calls the Signer API directly, which is the only place where signingMaterial
// and signingParameters can be provided.
new AwsCustomResource(this, 'SigningProfileCustomResource', {
  onCreate: {
    service: 'Signer',
    action: 'putSigningProfile',
    parameters: {
      profileName: 'MySigningProfile',
      platformId: Platform.AMAZON_FREE_RTOS_DEFAULT.platformId,
      signingMaterial: {
        certificateArn: 'arn:aws:acm:eu-central-1:01234567890:certificate/abcd-efgh-ijkkl-pqerst'
      },
      signingParameters: {
        my: 'parameters'
      },
    },
    physicalResourceId: PhysicalResourceId.of('AwsCustomResourceSigningProfile'),
  },
  policy: AwsCustomResourcePolicy.fromSdkCalls({
    resources: AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
  installLatestAwsSdk: true,
})

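
The workaround above grants `ANY_RESOURCE` and only defines `onCreate`, so updates never reach the profile and stack deletion leaves it behind. As an added example (not code from the issue or from aws-cdk), the helper below builds the `onCreate`/`onUpdate`/`onDelete` call descriptors for `AwsCustomResource` plus an IAM statement scoped to the one profile, and fails at synth time, rather than at deploy time, when a non-Lambda platform is missing its certificate. The Signer profile ARN format, the profile-name rule and the use of `putSigningProfile` for updates are assumptions; wrap `physicalResourceId` with `PhysicalResourceId.of()` and the statements with `iam.PolicyStatement.fromJson()` when passing them to the construct.

```typescript
// Added example, not from the issue: pure TypeScript, no aws-cdk-lib needed to run it.
// Assumed (not from the issue): Signer profile ARN format and profile-name rule.

interface SigningProfileSpec {
  profileName: string;
  platformId: string;
  region: string;
  account: string;
  certificateArn?: string;                 // ACM certificate = the "signing material"
  signingParameters?: Record<string, string>;
}

interface SdkCall {
  service: string;
  action: string;
  parameters: Record<string, unknown>;
  physicalResourceId: string;              // wrap with PhysicalResourceId.of() in the construct
}

function signingProfileCalls(spec: SigningProfileSpec) {
  // Assumed Signer constraint: 2-64 chars of [A-Za-z0-9_].
  if (!/^[A-Za-z0-9_]{2,64}$/.test(spec.profileName)) {
    throw new Error(`invalid profile name: ${spec.profileName}`);
  }
  // As seen in the issue, only the Lambda platform accepts a profile without signing material.
  if (spec.platformId !== 'AWSLambda-SHA384-ECDSA' && !spec.certificateArn) {
    throw new Error(`platform ${spec.platformId} requires certificateArn (signing material)`);
  }
  // Assumed ARN format for a Signer profile.
  const profileArn =
    `arn:aws:signer:${spec.region}:${spec.account}:/signing-profiles/${spec.profileName}`;

  const parameters: Record<string, unknown> = {
    profileName: spec.profileName,
    platformId: spec.platformId,
  };
  if (spec.certificateArn) parameters.signingMaterial = { certificateArn: spec.certificateArn };
  if (spec.signingParameters) parameters.signingParameters = spec.signingParameters;

  const put: SdkCall = { service: 'Signer', action: 'putSigningProfile', parameters, physicalResourceId: profileArn };
  const cancel: SdkCall = { service: 'Signer', action: 'cancelSigningProfile',
    parameters: { profileName: spec.profileName }, physicalResourceId: profileArn };

  // Least privilege: only the two calls we make, only on this profile (instead of ANY_RESOURCE).
  const policyStatements = [{
    Effect: 'Allow',
    Action: ['signer:PutSigningProfile', 'signer:CancelSigningProfile'],
    Resource: [profileArn],
  }];
  return { onCreate: put, onUpdate: put, onDelete: cancel, policyStatements };
}
```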
pahud commented 1 year ago

Thank you for the report. Sounds like it's blocked by CloudFormation and AwsCustomResource can be a working workaround?

sthuber90 commented 1 year ago

That's what I'm thinking, yes