aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

at de_ParameterNotFoundRes (/var/runtime/node_modules/@aws-sdk/client-ssm/dist-cjs/index.js:7776:21) #6032

Closed AllanOricil closed 2 months ago

AllanOricil commented 2 months ago

Describe the bug

I can no longer deploy lambda edge functions to AWS using cdk. The error comes from the AWS server, from a process that uses @aws-sdk/client-ssm, as you can see in the picture below.

This is my lambda function. It adds some CSP and other headers to my static site that is served by cloudfront.

exports.handler = async (event) => {
  const response = event.Records[0].cf.response;
  const headers = response.headers;

  const csp = [
    "default-src 'none'",
    "connect-src 'self' https://*.amazonaws.com https://*.sentry.io",
    "img-src 'self' data:",
    "script-src 'self' 'wasm-unsafe-eval' https://*.stripe.com https://*.sentry.io",
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
    "font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com",
    "worker-src 'self' blob: https://d2um66r0wif404.cloudfront.net",
    "frame-src 'self' https://*.stripe.com",
    "manifest-src 'self'",
    "object-src 'none'",
    "report-uri https://abcd.ingest.sentry.io/api/abcd/security/?sentry_key=abcd",
  ];

  const reportToObject = {
    group: "default",
    max_age: 10886400,
    endpoints: [
      {
        url: "https://abcd.ingest.sentry.io/api/abcd/security/?sentry_key=abcd",
      },
    ],
    include_subdomains: true,
  };

  // The CSP report-to directive takes only a reporting group name. The group's
  // endpoints are declared in a separate Report-To response header, whose value
  // is JSON; embedding "group=...; max-age=..." in the policy would also split
  // it into bogus directives at every semicolon.
  csp.push(`report-to ${reportToObject.group}`);

  headers["report-to"] = [
    {
      key: "Report-To",
      value: JSON.stringify(reportToObject),
    },
  ];

  headers["strict-transport-security"] = [
    {
      key: "Strict-Transport-Security",
      value: "max-age=63072000; includeSubdomains; preload",
    },
  ];
  headers["content-security-policy"] = [
    {
      key: "Content-Security-Policy",
      value: csp.join(";"),
    },
  ];
  headers["x-content-type-options"] = [
    {
      key: "X-Content-Type-Options",
      value: "nosniff",
    },
  ];
  headers["x-frame-options"] = [
    {
      key: "X-Frame-Options",
      value: "DENY",
    },
  ];
  headers["x-xss-protection"] = [
    {
      key: "X-Xss-Protection",
      value: "1; mode=block",
    },
  ];

  console.log(headers);

  return response;
};

This is my construct

const cspEdgeFunction = new cloudfront.experimental.EdgeFunction(
      this,
      `${props.name}-csp-edge-function-version`,
      {
        functionName: `${props.name}-csp-edge-function`,
        runtime: lambda.Runtime.NODEJS_18_X,
        handler: "index.handler",
        timeout: cdk.Duration.seconds(30),
        memorySize: cdk.Size.mebibytes(128).toMebibytes(),
        retryAttempts: 2,
        currentVersionOptions: {
          removalPolicy: cdk.RemovalPolicy.RETAIN,
        },
        code: lambda.Code.fromAsset(
          path.resolve(DEFAULT_HANDLERS_DIRECTORY_PATH, "csp")
        ),
      }
    );

SDK version number

@aws-sdk/client-ssm

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

I'm using node 18.19.1 but the error message comes from the CloudFormation server that is using your library, and because of that I really don't know what version of node this service is using.

Reproduction Steps

  1. create a cdk project using typescript
  2. create a lambda function as the one I shared above
  3. create a lambda construct and make sure it uses NODE_18 and the function created in step 2
  4. sso with aws cli to an AWS account. I'm using a child account and the region I'm deploying is us-east-2.
  5. run cdk synth STACK_NAME -e --profile YOUR_AWS_PROFILE
  6. run cdk deploy STACK_NAME -e --profile YOUR_AWS_PROFILE
  7. expect the results shown above

Use node 18.19.1 like I'm using. I'm also using macOS.

Observed Behavior

A server side exception is thrown in a step which is doing something to my lambda function after it has been "uploaded" to AWS via CloudFormation.

Expected Behavior

lambda function should not throw any exception

Possible Solution

No idea. I was able to deploy it without a problem 1 month ago.

Additional Information/Context

No response

AllanOricil commented 2 months ago

Upon further inspection I discovered where the issue is coming from. This experimental edge function construct generates a function which requires (@aws-sdk/client-ssm). Somehow there is a parameter from ssm that this autogenerated function can't find.

RanVaknin commented 2 months ago

Hi @AllanOricil ,

The error you are seeing means that the SSM service can't find the requested resource, in this case the parameter this auto generated lambda function is asking for doesn't exist.

I can see that there is something called "CrossRegionStringParameterReader" failing, my guess is that this entity is trying to access a resource in an incorrect region.

Your auto generated lambda has some log statements. You need to see where these logs are printed to, make note of the parameter value and region and compare it to where those actual parameters live upstream. There is a chance this SSM client is being automatically created in an incorrect region.

This seems like a more CDK related issue w.r.t how this function is created and populated. I'm going to ask you to open this issue on the CDK repo instead.

Thanks, Ran~

AllanOricil commented 2 months ago

I think the issue was caused because I forgot that I also needed to bootstrap us-east-1 in my aws account. However, I can't be sure if it will work, because I have not tried to deploy my edge function again after bootstrapping that region.

I just wanted to share this information in case someone one day finds this page indexed in Google after searching for the same error message.
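
The region comparison suggested earlier in the thread, as an added example that is not part of the original posts and is not SDK or CDK code: it probes a list of regions for one SSM parameter and reports whether the region the reader queries actually holds it. The parameter name, the `getParameter` hook and the stub are assumptions made for illustration; the stub data is constructed.

```javascript
// Added example: probe several regions for one SSM parameter and report
// where it exists. Not code from aws-sdk-js-v3 or the CDK.

// Default lookup uses the real SDK, loaded lazily so the logic below can be
// exercised offline with a stub passed as `getParameter` (hypothetical hook).
async function sdkGetParameter(region, name) {
  const { SSMClient, GetParameterCommand } = await import("@aws-sdk/client-ssm");
  return new SSMClient({ region }).send(new GetParameterCommand({ Name: name }));
}

async function locateParameter(name, regions, getParameter = sdkGetParameter) {
  const results = [];
  for (const region of regions) {
    try {
      const out = await getParameter(region, name);
      results.push({ region, found: true, version: out.Parameter.Version });
    } catch (err) {
      // ParameterNotFound is the error behind de_ParameterNotFoundRes; any
      // other failure (access denied, throttling) must not be read as "missing".
      if (err.name !== "ParameterNotFound") throw err;
      results.push({ region, found: false });
    }
  }
  return results;
}

// Compare the region the reader queries with the regions that hold the
// parameter, which is the check suggested in the thread.
function diagnose(results, readerRegion) {
  const holders = results.filter((r) => r.found).map((r) => r.region);
  if (holders.length === 0) return "missing-everywhere";
  return holders.includes(readerRegion) ? "ok" : `wrong-region:${holders.join(",")}`;
}

// Constructed stub standing in for SSM: the parameter exists only in us-east-1.
const PARAM = "/example/edge-function-arn"; // placeholder name, not from the issue
async function stubGetParameter(region, name) {
  if (region === "us-east-1" && name === PARAM) {
    return { Parameter: { Name: name, Version: 1 } };
  }
  throw Object.assign(new Error("not found"), { name: "ParameterNotFound" });
}

// Offline demonstration: the reader looks in us-east-2, the parameter is elsewhere.
locateParameter(PARAM, ["us-east-2", "us-east-1"], stubGetParameter)
  .then((r) => console.log(diagnose(r, "us-east-2")));
```

Against a real account, omit the third argument so the default SDK lookup is used with the credentials of the active profile.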
