aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

SSM Secure Parameter Version ignored in ARN #8405

Open MartinLoeper opened 4 years ago

MartinLoeper commented 4 years ago

We create a secure string parameter in SSM and pass it down to an ECS service via a TaskDefinition (inside a ContainerDefinition) as Secret. However, the version of the secure string seems to be ignored when the CloudFormation ARN for the secret in the ECS task definition is created.

Reproduction Steps

import { StringParameter } from "@aws-cdk/aws-ssm";
import { Secret, ContainerDefinitionOptions } from "@aws-cdk/aws-ecs";

// `construct` is the enclosing scope (the stack or a parent construct).
const param = StringParameter.fromSecureStringParameterAttributes(construct, "SecretParameterForEcsTaskDefinition", {
    simpleName: false,
    parameterName: "some-name",
    version: 2,
});

const secret = Secret.fromSsmParameter(param);
// pass the secret to ECS task definition via secrets property
...
const options: ContainerDefinitionOptions = {
    ...
    secrets: {
      "some-key": secret,
    }
}

Error Log

Not an error, but the parameter version is not pinned. The ECS task definition contains the following:

...
"secrets": [
    {
        "valueFrom": "arn:aws:ssm:eu-central-1:xxxxxxxxxx:parameter/some-name",
        "name": "some-key"
    }
]

I would expect the ARN to end with: some-name:2.

Environment


This is :bug: Bug Report
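To see which secrets in a task definition float to the latest value rather than guessing from the template, the following added example (not code from the aws-cdk project or from this issue) audits the `aws ecs describe-task-definition` JSON in the shape quoted above. The function names, the sample task definition and the Secrets Manager ARN layout it parses (`secret:<name>:<json-key>:<version-stage>:<version-id>`) are my assumptions; the SSM `parameter/<name>:<version>` suffix follows the expected output in the report. The script only reports whether a reference carries a version; whether ECS honours an SSM version suffix is exactly what this thread is debating.

```typescript
// Added example; not code from the aws-cdk project or from this issue.
// Input shape follows the `aws ecs describe-task-definition` JSON the issue
// quotes (containerDefinitions[].secrets[].valueFrom).

export interface EcsSecret { name: string; valueFrom: string; }
export interface EcsContainer { name: string; secrets?: EcsSecret[]; }
export interface EcsTaskDefinition { family?: string; containerDefinitions: EcsContainer[]; }

export interface Finding {
  container: string;
  name: string;
  source: "ssm" | "secretsmanager" | "unknown";
  version: string | null; // SSM version number, or Secrets Manager version id/stage
  pinned: boolean;
}

// SSM reference: full parameter ARN, optionally suffixed with ":<version>" as the
// issue expects ("parameter/some-name:2"). Parameter names may contain slashes.
const SSM_ARN = /^arn:aws[\w-]*:ssm:[^:]*:\d*:parameter\/(.+?)(?::(\d+))?$/;

export function parseSsmValueFrom(valueFrom: string): { name: string; version: string | null } | null {
  const m = SSM_ARN.exec(valueFrom);
  return m ? { name: m[1], version: m[2] || null } : null;
}

// Secrets Manager reference (assumed layout):
// arn:aws:secretsmanager:region:acct:secret:<name>[:<json-key>:<version-stage>:<version-id>]
const SM_ARN = /^arn:aws[\w-]*:secretsmanager:[^:]*:\d*:secret:([^:]+)(?::([^:]*):([^:]*):([^:]*))?$/;

export function parseSecretsManagerValueFrom(valueFrom: string): { name: string; version: string | null } | null {
  const m = SM_ARN.exec(valueFrom);
  if (!m) return null;
  const stage = m[3] || "";
  const id = m[4] || "";
  // A version id is the strongest pin; a stage such as AWSCURRENT still names a version.
  return { name: m[1], version: id || stage || null };
}

export function classify(container: string, s: EcsSecret): Finding {
  const ssm = parseSsmValueFrom(s.valueFrom);
  if (ssm) return { container, name: s.name, source: "ssm", version: ssm.version, pinned: ssm.version !== null };
  const sm = parseSecretsManagerValueFrom(s.valueFrom);
  if (sm) return { container, name: s.name, source: "secretsmanager", version: sm.version, pinned: sm.version !== null };
  return { container, name: s.name, source: "unknown", version: null, pinned: false };
}

export function auditTaskDefinition(td: EcsTaskDefinition): Finding[] {
  const out: Finding[] = [];
  for (const c of td.containerDefinitions) {
    for (const s of c.secrets || []) out.push(classify(c.name, s));
  }
  return out;
}

// Every secret that will resolve to "latest" on the next task launch.
export function unpinned(td: EcsTaskDefinition): Finding[] {
  return auditTaskDefinition(td).filter(f => !f.pinned);
}

// Constructed sample: the unpinned reference the issue quotes, a pinned SSM
// reference, and a Secrets Manager reference with a version stage.
export const sampleTaskDefinition: EcsTaskDefinition = {
  family: "example",
  containerDefinitions: [
    {
      name: "app",
      secrets: [
        { name: "some-key", valueFrom: "arn:aws:ssm:eu-central-1:123456789012:parameter/some-name" },
        { name: "db-password", valueFrom: "arn:aws:ssm:eu-central-1:123456789012:parameter/prod/db/password:3" },
      ],
    },
    {
      name: "sidecar",
      secrets: [
        { name: "api-token", valueFrom: "arn:aws:secretsmanager:eu-central-1:123456789012:secret:api-token-AbCdEf:token:AWSCURRENT:" },
      ],
    },
  ],
};

for (const f of unpinned(sampleTaskDefinition)) {
  console.log(`unpinned ${f.source} secret '${f.name}' in container '${f.container}' resolves to the latest value`);
}
```

Running this over a real `describe-task-definition` output (for example in a CI step after `cdk deploy`) turns the silent behaviour in this report into a visible finding: the `some-key` entry is listed as unpinned while the other two are not.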

cynicaljoy commented 4 years ago

This is actually saving my bacon right now. So, if this is fixed it would be helpful to have a way to ignore the version and keep using the latest version.

MrArnoldPalmer commented 4 years ago

yeah @cynicaljoy that's definitely on the radar. Trying to figure out where logic for versioning should go and how to make sure we have that information. Right now the arn of the parameter doesn't contain the version, but if it's provided by the user during import we "have" it. ECS docs aren't very clear that providing secretarn:version works though.

jnawk commented 3 years ago

Here is my +1

jcsturges commented 3 years ago

I'm having this same issue as well. It would actually be amazing if we could specify a latest version per @cynicaljoy's post or specify a specific version.

In either case, changing the version should trigger a new deployment in ECS. The issue I'm having in @aws-cdk/aws-ssm:1.93.0 is setting a different version for a SecureString parameter does not update my running containers.

jnawk commented 3 years ago

I did a bit of digging, it appears one can't specify the version of an SSM Parameter in a task def, so no amount of wishing in the CDK will make it happen. One either needs to use Secrets Manager (which one can (must) specify versions for), or the ECS service itself needs to be changed to support passing in SSM parameter versions.

MrArnoldPalmer commented 3 years ago

@jnawk can you provide links for that? I remember looking and not getting a straightforward answer for this. If we can close this out and prefer moving towards better Secrets Manager support that may make sense.

Nevon commented 2 years ago

This is the corresponding feature request on the containers roadmap: https://github.com/aws/containers-roadmap/issues/636

It was closed after implementing support for versioned secrets for Secret Store, but not SSM Parameters.