aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

Changing ssm parameter from string -> securestring throws me a cdk deployment error #30129

Closed maddyexplore closed 5 months ago

maddyexplore commented 5 months ago

Describe the bug

I was trying to secure all strings in the SSM parameter group. I found the cdk-bootstrap version there and changed it into a SecureString; after that, any deployment with cdk fails with the error

AutomationStack: SSM parameter /cdk-bootstrap/<blabla>/version not a number

Expected Behavior

It should sense this and decrypt with the KMS key.

Current Behavior

Throws me an error.

Reproduction Steps

Secure all strings in the SSM parameter group; I found the cdk-bootstrap version there and changed it into a SecureString. After that, any deployment with cdk fails.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.124.0

Framework Version

No response

Node.js Version

v21.6.1

OS

Windows

Language

Python

Language Version

python 3.10

Other information

No response

ashishdhingra commented 5 months ago

The bootstrap version SSM parameter is defined as DEFAULT_BOOTSTRAP_STACK_VERSION_SSM_PARAMETER here. During the synthesize() operation, a CheckBootstrapVersion rule is added to the generated CloudFormation template along with a CfnParameter named BootstrapVersion, as shown in the example below:

Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Resources:
...
...
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

As per the description "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." of the BootstrapVersion parameter in the generated CloudFormation template, the value for this parameter is automatically retrieved from SSM Parameter Store. The CDK deployment is essentially a CloudFormation deployment and is handled by the CloudFormation service.

Per CDK Bootstrapping documentation,

I would rather go with 2nd option to add necessary IAM permissions. Hope it unblocks you.

On a side note, is there any specific reason why you would like to make the SSM parameter /cdk-bootstrap/<blabla>/version encrypted, as it's not sensitive data and you will need to manage a key for that?

Thanks, Ashish

maddyexplore commented 5 months ago

I tried both options but it still failed,

❌ Deployment failed: Error: Stack: SSM parameter /cdk-bootstrap/hnb659fds/version not a number:

ashishdhingra commented 5 months ago

> I tried both options but it still failed,
>
> ❌ Deployment failed: Error: Stack: SSM parameter /cdk-bootstrap/hnb659fds/version not a number:

@maddyexplore I would need to investigate the workaround (above and if any) at my end. In the meanwhile, could you please share if there is any specific reason why you would like to make the SSM parameter /cdk-bootstrap/<qualifier>/version encrypted, as it's not sensitive data and you will need to manage a key for that?

Thanks, Ashish

ashishdhingra commented 5 months ago

Investigation:

Finding: Following the stack trace, it appears the error is thrown at Deployments.validateBootstrapStackVersion (/usr/local/lib/node_modules/aws-cdk/lib/api/deployments.ts:665:13). The code path is buildSingleAsset() > validateBootstrapStackVersion() > validateVersion() > versionFromSsmParameter().

The method versionFromSsmParameter() uses the AWS JS SDK SSM.getParameter() without the WithDecryption flag/option. Hence, the encrypted value of a SecureString is retrieved from SSM (in other words, it is not decrypted automatically).

The document "Read Systems Manager values at synthesis time" mentions: "Only plain Systems Manager strings may be retrieved. Secure strings cannot be retrieved. The latest version will always be returned. Specific versions cannot be requested."

Need to discuss with Core CLI team.
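
The failure path described in this comment, worked through as an added example (this is not the CDK CLI's code and not anything the thread participants posted): a SecureString read without WithDecryption comes back as ciphertext, which the version check cannot parse as a number. The digit check in parse_bootstrap_version is my approximation of the CLI's parsing, inspect_bootstrap_parameter is a hypothetical pre-flight check that tells an operator the parameter's Type was altered, and FakeSSM is a constructed stand-in for boto3's SSM client so the block runs offline (the get_parameter(Name=..., WithDecryption=...) call and its {"Parameter": {...}} response shape are boto3's real ones).

```python
import re
from typing import Any

# Default qualifier from the thread; REQUIRED_VERSION matches the
# CheckBootstrapVersion rule in the synthesized template shown earlier.
BOOTSTRAP_VERSION_PARAM = "/cdk-bootstrap/hnb659fds/version"
REQUIRED_VERSION = 6


def parse_bootstrap_version(raw: str, name: str = BOOTSTRAP_VERSION_PARAM) -> int:
    """Interpret an SSM parameter value as an integer bootstrap version.

    Approximation of the CLI check: a SecureString read without WithDecryption
    arrives as base64 ciphertext, which fails here with "not a number".
    """
    value = raw.strip()
    if not re.fullmatch(r"\d+", value):
        raise ValueError(f"SSM parameter {name} not a number: {value!r}")
    return int(value)


def validate_bootstrap_version(raw: str, required: int = REQUIRED_VERSION) -> int:
    """Reject bootstrap stacks older than the version the template demands."""
    version = parse_bootstrap_version(raw)
    if version < required:
        raise ValueError(f"CDK bootstrap stack version {required} required, found {version}")
    return version


def inspect_bootstrap_parameter(ssm: Any, name: str = BOOTSTRAP_VERSION_PARAM) -> dict:
    """Hypothetical pre-flight check (not part of the CDK CLI).

    Reads the parameter the way the CLI does (no decryption) and, only if that
    fails, reads it again with WithDecryption=True so the report can show that
    the parameter's Type was changed rather than its content. `ssm` is any
    object exposing boto3's SSM get_parameter(Name=..., WithDecryption=...).
    """
    as_cli_sees_it = ssm.get_parameter(Name=name, WithDecryption=False)["Parameter"]
    report = {
        "name": name,
        "type": as_cli_sees_it["Type"],
        "altered": as_cli_sees_it["Type"] != "String",  # bootstrap creates a plain String
        "version": None,
        "problem": None,
        "decrypted_value": None,
    }
    try:
        report["version"] = validate_bootstrap_version(as_cli_sees_it["Value"])
    except ValueError as exc:
        report["problem"] = str(exc)
        decrypted = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
        report["decrypted_value"] = decrypted["Value"]
    return report


class FakeSSM:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self, params: dict):
        self._params = params  # name -> (Type, plaintext value)

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        ptype, plaintext = self._params[Name]
        if ptype == "SecureString" and not WithDecryption:
            # The real service returns the KMS ciphertext blob here; this value is constructed.
            value = "AQICAHgCONSTRUCTEDCIPHERTEXTBLOB=="
        else:
            value = plaintext
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


if __name__ == "__main__":
    for label, ptype in (("untouched bootstrap", "String"), ("manually switched", "SecureString")):
        client = FakeSSM({BOOTSTRAP_VERSION_PARAM: (ptype, "21")})
        print(label, inspect_bootstrap_parameter(client))
```

Against a real account you would pass boto3.client("ssm") in place of FakeSSM; a report with altered set to True and a non-empty problem is the signature of this issue, and the remedy is to restore the parameter to its bootstrap-created Type rather than to add decryption permissions.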

maddyexplore commented 5 months ago

> I tried both options but it still failed, ❌ Deployment failed: Error: Stack: SSM parameter /cdk-bootstrap/hnb659fds/version not a number:
>
> @maddyexplore I would need to investigate the workaround (above and if any) at my end. In the meanwhile, could you please share if there is any specific reason why you would like to make the SSM parameter /cdk-bootstrap/<qualifier>/version encrypted, as it's not sensitive data and you will need to manage a key for that?

Even though it's not sensitive data, we thought of storing it in a secure way since SSM parameter supports SecureString.

Would appreciate a quicker fix for this.

ashishdhingra commented 5 months ago

> I tried both options but it still failed, ❌ Deployment failed: Error: Stack: SSM parameter /cdk-bootstrap/hnb659fds/version not a number:
>
> @maddyexplore I would need to investigate the workaround (above and if any) at my end. In the meanwhile, could you please share if there is any specific reason why you would like to make the SSM parameter /cdk-bootstrap/<qualifier>/version encrypted, as it's not sensitive data and you will need to manage a key for that?
>
> Even though it's not sensitive data, we thought of storing it in a secure way since SSM parameter supports SecureString.
>
> Would appreciate a quicker fix for this.

@maddyexplore Good morning. Per review from the CDK team, this is not an issue. Resources created by the bootstrap template should not be manually altered. Doing so may lead to unexpected failures, as observed in this issue.

Thanks, Ashish

github-actions[bot] commented 5 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

aws-cdk-automation commented 3 months ago

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.