From d0e399f03c5224e49a4c298c0d06ae64e4ff460e Mon Sep 17 00:00:00 2001 From: lennartrommeiss Date: Fri, 23 Aug 2024 13:42:08 +0200 Subject: [PATCH 1/4] feat: splitup the policy creation if too many parameters are created for one policy Signed-off-by: lennartrommeiss --- API.md | 6 +- src/MultiStringParameter.ts | 4 +- src/SopsSync.ts | 75 ++++++++++++- .../yaml/sopsfile-parameters-large.yaml | 100 ++++++++++++++++++ .../SecretIntegrationAsset.assets.json | 10 +- .../SecretIntegrationAsset.template.json | 2 +- .../SecretIntegrationInline.assets.json | 10 +- .../SecretIntegrationInline.template.json | 2 +- .../SecretIntegrationAsset.assets.json | 10 +- .../SecretIntegrationAsset.template.json | 2 +- .../SecretMultiKms.assets.json | 10 +- .../SecretMultiKms.template.json | 2 +- test/secret.test.ts | 84 +++++++++++---- 13 files changed, 262 insertions(+), 55 deletions(-) create mode 100644 test-secrets/yaml/sopsfile-parameters-large.yaml diff --git a/API.md b/API.md index fbb44db6..e6f455a9 100644 --- a/API.md +++ b/API.md @@ -1735,7 +1735,7 @@ const multiStringParameterProps: MultiStringParameterProps = { ... } | type | aws-cdk-lib.aws_ssm.ParameterType | The type of the string parameter. | | encryptionKey | aws-cdk-lib.aws_kms.IKey | *No description.* | | keyPrefix | string | *No description.* | -| keySeperator | string | *No description.* | +| keySeparator | string | *No description.* | --- @@ -2075,10 +2075,10 @@ public readonly keyPrefix: string; --- -##### `keySeperator`Optional +##### `keySeparator`Optional ```typescript -public readonly keySeperator: string; +public readonly keySeparator: string; ``` - *Type:* string diff --git a/src/MultiStringParameter.ts b/src/MultiStringParameter.ts index 143c3e24..cc7f886c 100644 --- a/src/MultiStringParameter.ts +++ b/src/MultiStringParameter.ts @@ -17,7 +17,7 @@ interface JSONObject { } export interface MultiStringParameterProps extends SopsStringParameterProps { - readonly keySeperator?: string; + readonly keySeparator?: string; readonly keyPrefix?: string; } @@ -67,7 +67,7 @@ export class MultiStringParameter extends Construct { region: this.stack.region, }; this.keyPrefix = props.keyPrefix ?? '/'; - this.keySeparator = props.keySeperator ?? '/'; + this.keySeparator = props.keySeparator ?? '/'; const keys = this.parseFile(props.sopsFilePath!, this.keySeparator) .filter((key) => !key.startsWith('sops')) diff --git a/src/SopsSync.ts b/src/SopsSync.ts index 95f70732..0267ffa3 100644 --- a/src/SopsSync.ts +++ b/src/SopsSync.ts @@ -9,7 +9,11 @@ import { CustomResource, FileSystem, } from 'aws-cdk-lib'; -import { IGrantable, PolicyStatement } from 'aws-cdk-lib/aws-iam'; +import { + IGrantable, + ManagedPolicy, + PolicyStatement, +} from 'aws-cdk-lib/aws-iam'; import { IKey, Key } from 'aws-cdk-lib/aws-kms'; import { SingletonFunction, Code, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Asset } from 'aws-cdk-lib/aws-s3-assets'; @@ -342,10 +346,74 @@ export class SopsSync extends Construct { props.encryptionKey?.grantEncryptDecrypt(provider); } if (props.parameterNames) { - provider.addToRolePolicy( + // Avoid too large policies + // The maximum size of a managed policy is 6.144 bytes -> 1 character = 1 byte + const maxPolicyBytes = 6000; // Keep some bytes as a buffer + const arnPrefixBytes = 55; // Content for "arn:aws:ssm:ap-southeast-3::parameter/ + let startAtParameter = 0; + let currentPolicyBytes = 300; // Reserve some byte space for basic stuff inside the policy + for (let i = 0; i < props.parameterNames.length; i += 1) { + if ( + // Check if the current parameter would fit into the policy + arnPrefixBytes + + props.parameterNames[i].length + + currentPolicyBytes < + maxPolicyBytes + ) { + // If so increase the byte counter + currentPolicyBytes = + arnPrefixBytes + + props.parameterNames[i].length + + currentPolicyBytes; + } else { + const parameterNamesChunk = props.parameterNames.slice( + startAtParameter, + i, //end of slice is not included + ); + startAtParameter = i; + currentPolicyBytes = 300; + // Create the policy for the selected chunk + const putPolicy = new ManagedPolicy( + this, + `SopsSecretParameterProviderManagedPolicyParameterAccess${i}`, + { + description: + 'Policy to grant parameter provider permissions to put parameter', + }, + ); + putPolicy.addStatements( + new PolicyStatement({ + actions: ['ssm:PutParameter'], + resources: parameterNamesChunk.map( + (param) => + `arn:aws:ssm:${Stack.of(this).region}:${ + Stack.of(this).account + }:parameter${ + param.startsWith('/') ? param : `/${param}` + }`, + ), + }), + ); + provider.role.addManagedPolicy(putPolicy); + } + } + const parameterNamesChunk = props.parameterNames.slice( + startAtParameter, + props.parameterNames.length, //end of slice is not included + ); + // Create the policy for the remaning elements + const putPolicy = new ManagedPolicy( + this, + `SopsSecretParameterProviderManagedPolicyParameterAccess${props.parameterNames.length}`, + { + description: + 'Policy to grant parameter provider permissions to put parameter', + }, + ); + putPolicy.addStatements( new PolicyStatement({ actions: ['ssm:PutParameter'], - resources: props.parameterNames.map( + resources: parameterNamesChunk.map( (param) => `arn:aws:ssm:${Stack.of(this).region}:${ Stack.of(this).account @@ -353,6 +421,7 @@ export class SopsSync extends Construct { ), }), ); + provider.role.addManagedPolicy(putPolicy); props.encryptionKey?.grantEncryptDecrypt(provider); } if (sopsAsset !== undefined) { diff --git a/test-secrets/yaml/sopsfile-parameters-large.yaml b/test-secrets/yaml/sopsfile-parameters-large.yaml new file mode 100644 index 00000000..99761eca --- /dev/null +++ b/test-secrets/yaml/sopsfile-parameters-large.yaml @@ -0,0 +1,100 @@ +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting1: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting2: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting3: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting4: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting5: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting6: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting7: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting8: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting9: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting10: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting11: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting12: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting13: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting14: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting15: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting16: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting17: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting18: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting19: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting20: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting21: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting22: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting23: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting24: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting25: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting26: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting27: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting28: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting29: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting30: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting31: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting32: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting33: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting34: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting35: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting36: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting37: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting38: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting39: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting40: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting41: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting42: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting43: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting44: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting45: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting46: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting47: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting48: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting49: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting50: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting51: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting52: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting53: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting54: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting55: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting56: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting57: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting58: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting59: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting60: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting61: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting62: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting63: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting64: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting65: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting66: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting67: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting68: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting69: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting70: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting71: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting72: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting73: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting74: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting75: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting76: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting77: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting78: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting79: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting80: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting81: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting82: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting83: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting84: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting85: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting86: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting87: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting88: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting89: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting90: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting91: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting92: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting93: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting94: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting95: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting96: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting97: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting98: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting99: value +DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting100: value diff --git a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json index 1977d597..97c22956 100644 --- a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json +++ b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json @@ -1,15 +1,15 @@ { "version": "36.0.0", "files": { - "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41": { + "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee": { "source": { - "path": "asset.b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "path": "asset.4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "objectKey": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } @@ -79,7 +79,7 @@ } } }, - "aff7a4caa6364c14b174f47d6f89c5548ee0f3d3edb126625196f9a1aa8f2c6a": { + "b8f7a720cae97852ff07ce91238efad7186c0206ba62608f89fefdbce4f5f35c": { "source": { "path": "SecretIntegrationAsset.template.json", "packaging": "file" @@ -87,7 +87,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "aff7a4caa6364c14b174f47d6f89c5548ee0f3d3edb126625196f9a1aa8f2c6a.json", + "objectKey": "b8f7a720cae97852ff07ce91238efad7186c0206ba62608f89fefdbce4f5f35c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json index a14584e4..3ccd0c30 100644 --- a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json +++ b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.template.json @@ -232,7 +232,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip" + "S3Key": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip" }, "Environment": { "Variables": { diff --git a/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json b/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json index 9ceb4018..38b3eaa4 100644 --- a/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json +++ b/test/secret-inline.integ.snapshot/SecretIntegrationInline.assets.json @@ -1,20 +1,20 @@ { "version": "36.0.0", "files": { - "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41": { + "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee": { "source": { - "path": "asset.b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "path": "asset.4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "objectKey": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "d73979929a48c0d0fa477c040de543344bb5c6ba004fc1950e3b342d9aff2fa3": { + "f9c79044b4c7adec5e9c4c5330008537c68f3db85414f7faf77a202065e2d02b": { "source": { "path": "SecretIntegrationInline.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d73979929a48c0d0fa477c040de543344bb5c6ba004fc1950e3b342d9aff2fa3.json", + "objectKey": "f9c79044b4c7adec5e9c4c5330008537c68f3db85414f7faf77a202065e2d02b.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json b/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json index eb07509b..ac02057f 100644 --- a/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json +++ b/test/secret-inline.integ.snapshot/SecretIntegrationInline.template.json @@ -199,7 +199,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip" + "S3Key": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip" }, "Environment": { "Variables": { diff --git a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json index 6c3eb3c0..6f322a18 100644 --- a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json +++ b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.assets.json @@ -1,20 +1,20 @@ { "version": "36.0.0", "files": { - "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41": { + "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee": { "source": { - "path": "asset.b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "path": "asset.4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "objectKey": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "4f4f7f6d9f11a8e7c3cb43640f53826f069d6d4e9274e49cd544826328ef13ad": { + "ed3d8a385d86ceaa8f6e3b18a7ea9b10362221d29e8634646919ddbc1d23a0b0": { "source": { "path": "SecretIntegrationAsset.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "4f4f7f6d9f11a8e7c3cb43640f53826f069d6d4e9274e49cd544826328ef13ad.json", + "objectKey": "ed3d8a385d86ceaa8f6e3b18a7ea9b10362221d29e8634646919ddbc1d23a0b0.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json index 3cedfb12..ba68693a 100644 --- a/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json +++ b/test/secret-manual.integ.snapshot/SecretIntegrationAsset.template.json @@ -73,7 +73,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip" + "S3Key": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip" }, "Environment": { "Variables": { diff --git a/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json b/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json index 0924a905..ee8d5e49 100644 --- a/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json +++ b/test/secret-multikms.integ.snapshot/SecretMultiKms.assets.json @@ -1,20 +1,20 @@ { "version": "36.0.0", "files": { - "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41": { + "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee": { "source": { - "path": "asset.b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "path": "asset.4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip", + "objectKey": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "01b9e783c0f49006df34866b0814dfc29091108da13c67ba6e5c1b5c11e5d47c": { + "f1487fc13c8a826afeaaaa6b39bf7b42facb487bddca32ea77b9324433d87987": { "source": { "path": "SecretMultiKms.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "01b9e783c0f49006df34866b0814dfc29091108da13c67ba6e5c1b5c11e5d47c.json", + "objectKey": "f1487fc13c8a826afeaaaa6b39bf7b42facb487bddca32ea77b9324433d87987.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json b/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json index 661972f1..e5d5a2d5 100644 --- a/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json +++ b/test/secret-multikms.integ.snapshot/SecretMultiKms.template.json @@ -119,7 +119,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "b7c50a3434ecf34da702feaa89e97ff27caa94bfd416feeea0e3f55682836b41.zip" + "S3Key": "4021f9c08ef25037253e7065890f0bc14d6836dbddb32f4cbba626043cde92ee.zip" }, "Environment": { "Variables": { diff --git a/test/secret.test.ts b/test/secret.test.ts index 6f2a9f62..0c85fe9d 100644 --- a/test/secret.test.ts +++ b/test/secret.test.ts @@ -549,6 +549,24 @@ test('Multiple parameters from yaml file', () => { }); template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: [ + 'kms:Decrypt', + 'kms:Encrypt', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + ], + Effect: 'Allow', + Resource: + 'arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', + }, + ], + }, + }); + + template.hasResourceProperties('AWS::IAM::ManagedPolicy', { PolicyDocument: { Statement: [ { @@ -581,17 +599,6 @@ test('Multiple parameters from yaml file', () => { }, ], }, - { - Action: [ - 'kms:Decrypt', - 'kms:Encrypt', - 'kms:ReEncrypt*', - 'kms:GenerateDataKey*', - ], - Effect: 'Allow', - Resource: - 'arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', - }, ], }, }); @@ -604,7 +611,7 @@ test('Multiple parameters from yaml file with custom key structure', () => { simpleName: false, sopsFilePath: 'test-secrets/yaml/sopsfile-complex-parameters.enc-age.yaml', keyPrefix: '_', - keySeperator: '.', + keySeparator: '.', encryptionKey: Key.fromKeyArn( stack, 'Key', @@ -623,6 +630,24 @@ test('Multiple parameters from yaml file with custom key structure', () => { }); template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: [ + 'kms:Decrypt', + 'kms:Encrypt', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + ], + Effect: 'Allow', + Resource: + 'arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', + }, + ], + }, + }); + + template.hasResourceProperties('AWS::IAM::ManagedPolicy', { PolicyDocument: { Statement: [ { @@ -655,18 +680,31 @@ test('Multiple parameters from yaml file with custom key structure', () => { }, ], }, - { - Action: [ - 'kms:Decrypt', - 'kms:Encrypt', - 'kms:ReEncrypt*', - 'kms:GenerateDataKey*', - ], - Effect: 'Allow', - Resource: - 'arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', - }, ], }, }); }); + +test('Large set of parameters to split in multiple policies', () => { + const app = new App(); + const stack = new Stack(app, 'ParameterIntegration'); + new MultiStringParameter(stack, 'SopsSecret1', { + simpleName: false, + sopsFilePath: 'test-secrets/yaml/sopsfile-parameters-large.yaml', + keyPrefix: '_', + keySeparator: '.', + encryptionKey: Key.fromKeyArn( + stack, + 'Key', + 'arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', + ), + stringValue: ' ', + }); + const template = Template.fromStack(stack); + + template.hasResourceProperties('AWS::SSM::Parameter', { + Name: '_DefineSomeExtraExtraLongNameForParameterWhichHaveAExtraExtraLongNameToTestPolicySplitting1', + }); + + template.resourceCountIs('AWS::IAM::ManagedPolicy', 3); +}); From 082e6d7b518d649e4654b97ad04c1534c1e543a3 Mon Sep 17 00:00:00 2001 From: lennartrommeiss Date: Fri, 23 Aug 2024 14:22:31 +0200 Subject: [PATCH 2/4] fix: create a function for improved readability Signed-off-by: lennartrommeiss --- src/SopsSync.ts | 152 ++++++++++++++++++++++++------------------------ 1 file changed, 77 insertions(+), 75 deletions(-) diff --git a/src/SopsSync.ts b/src/SopsSync.ts index 0267ffa3..f072964c 100644 --- a/src/SopsSync.ts +++ b/src/SopsSync.ts @@ -11,6 +11,7 @@ import { } from 'aws-cdk-lib'; import { IGrantable, + IRole, ManagedPolicy, PolicyStatement, } from 'aws-cdk-lib/aws-iam'; @@ -346,82 +347,10 @@ export class SopsSync extends Construct { props.encryptionKey?.grantEncryptDecrypt(provider); } if (props.parameterNames) { - // Avoid too large policies - // The maximum size of a managed policy is 6.144 bytes -> 1 character = 1 byte - const maxPolicyBytes = 6000; // Keep some bytes as a buffer - const arnPrefixBytes = 55; // Content for "arn:aws:ssm:ap-southeast-3::parameter/ - let startAtParameter = 0; - let currentPolicyBytes = 300; // Reserve some byte space for basic stuff inside the policy - for (let i = 0; i < props.parameterNames.length; i += 1) { - if ( - // Check if the current parameter would fit into the policy - arnPrefixBytes + - props.parameterNames[i].length + - currentPolicyBytes < - maxPolicyBytes - ) { - // If so increase the byte counter - currentPolicyBytes = - arnPrefixBytes + - props.parameterNames[i].length + - currentPolicyBytes; - } else { - const parameterNamesChunk = props.parameterNames.slice( - startAtParameter, - i, //end of slice is not included - ); - startAtParameter = i; - currentPolicyBytes = 300; - // Create the policy for the selected chunk - const putPolicy = new ManagedPolicy( - this, - `SopsSecretParameterProviderManagedPolicyParameterAccess${i}`, - { - description: - 'Policy to grant parameter provider permissions to put parameter', - }, - ); - putPolicy.addStatements( - new PolicyStatement({ - actions: ['ssm:PutParameter'], - resources: parameterNamesChunk.map( - (param) => - `arn:aws:ssm:${Stack.of(this).region}:${ - Stack.of(this).account - }:parameter${ - param.startsWith('/') ? param : `/${param}` - }`, - ), - }), - ); - provider.role.addManagedPolicy(putPolicy); - } - } - const parameterNamesChunk = props.parameterNames.slice( - startAtParameter, - props.parameterNames.length, //end of slice is not included + this.createReducedParameterPolicy( + props.parameterNames, + provider.role, ); - // Create the policy for the remaning elements - const putPolicy = new ManagedPolicy( - this, - `SopsSecretParameterProviderManagedPolicyParameterAccess${props.parameterNames.length}`, - { - description: - 'Policy to grant parameter provider permissions to put parameter', - }, - ); - putPolicy.addStatements( - new PolicyStatement({ - actions: ['ssm:PutParameter'], - resources: parameterNamesChunk.map( - (param) => - `arn:aws:ssm:${Stack.of(this).region}:${ - Stack.of(this).account - }:parameter${param.startsWith('/') ? param : `/${param}`}`, - ), - }), - ); - provider.role.addManagedPolicy(putPolicy); props.encryptionKey?.grantEncryptDecrypt(provider); } if (sopsAsset !== undefined) { @@ -498,4 +427,77 @@ export class SopsSync extends Construct { }); this.versionId = cr.getAttString('VersionId'); } + + private createReducedParameterPolicy(parameters: string[], role: IRole) { + // Avoid too large policies + // The maximum size of a managed policy is 6.144 bytes -> 1 character = 1 byte + const maxPolicyBytes = 6000; // Keep some bytes as a buffer + const arnPrefixBytes = 55; // Content for "arn:aws:ssm:ap-southeast-3::parameter/ + let startAtParameter = 0; + let currentPolicyBytes = 300; // Reserve some byte space for basic stuff inside the policy + for (let i = 0; i < parameters.length; i += 1) { + if ( + // Check if the current parameter would fit into the policy + arnPrefixBytes + parameters[i].length + currentPolicyBytes < + maxPolicyBytes + ) { + // If so increase the byte counter + currentPolicyBytes = + arnPrefixBytes + parameters[i].length + currentPolicyBytes; + } else { + const parameterNamesChunk = parameters.slice( + startAtParameter, + i, //end of slice is not included + ); + startAtParameter = i; + currentPolicyBytes = 300; + // Create the policy for the selected chunk + const putPolicy = new ManagedPolicy( + this, + `SopsSecretParameterProviderManagedPolicyParameterAccess${i}`, + { + description: + 'Policy to grant parameter provider permissions to put parameter', + }, + ); + putPolicy.addStatements( + new PolicyStatement({ + actions: ['ssm:PutParameter'], + resources: parameterNamesChunk.map( + (param) => + `arn:aws:ssm:${Stack.of(this).region}:${ + Stack.of(this).account + }:parameter${param.startsWith('/') ? param : `/${param}`}`, + ), + }), + ); + role.addManagedPolicy(putPolicy); + } + } + const parameterNamesChunk = parameters.slice( + startAtParameter, + parameters.length, + ); + // Create the policy for the remaning elements + const putPolicy = new ManagedPolicy( + this, + `SopsSecretParameterProviderManagedPolicyParameterAccess${parameters.length}`, + { + description: + 'Policy to grant parameter provider permissions to put parameter', + }, + ); + putPolicy.addStatements( + new PolicyStatement({ + actions: ['ssm:PutParameter'], + resources: parameterNamesChunk.map( + (param) => + `arn:aws:ssm:${Stack.of(this).region}:${ + Stack.of(this).account + }:parameter${param.startsWith('/') ? param : `/${param}`}`, + ), + }), + ); + role.addManagedPolicy(putPolicy); + } } From 2d5991fd152f5fe17ce86c0221d057e3b60dbd04 Mon Sep 17 00:00:00 2001 From: lennartrommeiss Date: Mon, 7 Oct 2024 13:40:13 +0200 Subject: [PATCH 3/4] feat: smaller returnData Signed-off-by: lennartrommeiss --- lambda/main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lambda/main.go b/lambda/main.go index e415ae2d..bbfca416 100644 --- a/lambda/main.go +++ b/lambda/main.go @@ -311,8 +311,10 @@ func (a AWS) syncSopsToSecretsmanager(ctx context.Context, event cfn.Event) (phy if err != nil { return tempArn, nil, err } - returnData[fmt.Sprintf("ParameterName[%v]", i)] = strKey + // A returnData map for each parameter is not created, because it would limit the number of possible parameters unnecessarily } + returnData["Prefix"] = resourceProperties.ParameterKeyPrefix + returnData["Count"] = len(keys) return tempArn, returnData, nil } else { log.Printf("Patching single string parameter") From 76ded0b264c25828c313c4b2fe3f18f288fbf1d4 Mon Sep 17 00:00:00 2001 From: lennartrommeiss Date: Mon, 7 Oct 2024 13:42:43 +0200 Subject: [PATCH 4/4] fix: no i in loop is needed Signed-off-by: lennartrommeiss --- lambda/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda/main.go b/lambda/main.go index bbfca416..5aaca1a6 100644 --- a/lambda/main.go +++ b/lambda/main.go @@ -298,7 +298,7 @@ func (a AWS) syncSopsToSecretsmanager(ctx context.Context, event cfn.Event) (phy keys := v.MapKeys() keysOrder := func(i, j int) bool { return keys[i].Interface().(string) < keys[j].Interface().(string) } sort.Slice(keys, keysOrder) - for i, key := range keys { + for _, key := range keys { strKey := resourceProperties.ParameterKeyPrefix + key.String() log.Printf("Parameter: " + strKey) value := v.MapIndex(key).Interface()