fix(ssm): StringParameter.fromSecureStringParameterAttributes not working without version
#22311
Conversation
|
|
github-actions
bot
added
p2
beginning-contributor
|
Nice catch! Would you mind applying the same fix here: https://github.com/aws/aws-cdk/pull/22311/files#diff-c6cc0ad12503f28d8ab4c545f7efa3d406d90dfe0d34b67c2b29ad115e7a889bR671 |
dglsparsons
changed the title
mergify
bot
dismissed
aws-cdk-automation’s stale review
Pull request has been modified.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
mergify
bot
dismissed
aws-cdk-automation’s stale review
Pull request has been modified.
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
mergify
bot
dismissed
aws-cdk-automation’s stale review
Pull request has been modified.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
dglsparsons
changed the title
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
There was a problem hiding this comment.
The Pull Request Linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.
PRs must pass status checks before we can provide a meaningful review.
|
Hey @mrgrain - I'm not sure where you intended to link with that comment, but it just takes me to the changes I've already made. I can't see anywhere else that doesn't have conditional logic on the I've fixed the unit test, but can't seem to make the PR title happy for conventional commits, and it's unhappy with me for not updating any snapshots - although they all seem happy... Would appreciate any pointers here, if you have any! :) |
mrgrain
changed the title
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
mrgrain
changed the title
StringParamter.fromSecureStringParameterAttributes not working without version
|
@dglsparsons Apologies, I thought the List one needed a fix as well, but I see now how that's not the case. 🙇🏻 Regarding integration tests, it appears there is no existing integration test that covered omitting You were missing a |
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
dglsparsons
changed the title
StringParamter.fromSecureStringParameterAttributes not working without versionStringParameter.fromSecureStringParameterAttributes not working without version
aws-cdk-automation
dismissed
their stale review
Pull Request updated. Dissmissing previous PRLinter Review.
…orking without version
It is possible to omit the `version` of an SSM SecureString parameter.
When omitted, the reference generated by CDK results in a
ValidationError when applying the changes.
e.g.
```
Error [ValidationError]: Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:/some/parameter:}}]
```
mergify
bot
dismissed
aws-cdk-automation’s stale review
Pull request has been modified.
|
@mrgrain - it looks like the integration tests don't really exist for SecureString parameters as there is no way to provision them (no construct for SecureString, only String). So I'm a bit unsure on how to proceed. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
I see. Could we maybe use an Something like (untested code): new cr.AwsCustomResource(this, 'GetParameter', {
onUpdate: { // will also be called for a CREATE event
service: 'SSM',
action: 'putParameter',
parameters: {
Name: '/My/Secure/Parameter',
Type: 'SecureString',
Value: 'abcdef'
},
physicalResourceId: cr.PhysicalResourceId.of('/My/Secure/Parameter'),
},
onDelete: {
service: 'SSM',
action: 'deleteParameter',
parameters: {
Name: new cr.PhysicalResourceIdReference(),
},
},
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
}),
});See also: |
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
@dglsparsons Thanks for your original contribution. FYI I've prepared the new PR #22618 that includes your change, as well as a refacor of the SSM Parameter Store integ tests. |
That's amazing! Thank you! I've been meaning to carve out some time to address those tests for ages but haven't been able to get around to it :). |
Yeah no worries! It turned out to be a bit more complicated anyway. But I'm glad we've now got proper tests for this. 🎉 |
|
Closing in favour of #22618 |
…orking without version (#22618) It is possible to omit the `version` of an SSM SecureString parameter. When omitted, the reference generated by CDK results in a ValidationError when applying the changes. e.g. ``` Error [ValidationError]: Incorrect format is used in the following SSM reference: [{{resolve:ssm-secure:/some/parameter:}}] ``` Related to #18729 Replaces #22311 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
It is possible to omit the
versionof an SSM SecureString parameter.When omitted, the reference generated by CDK results in a ValidationError when applying the changes.
e.g.
Related to #18729
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license