feat(lambda): provide support for AWS Parameters and Secrets Extension for Lambda #25725

Merged on Jun 8, 2023 (49 commits)

Commits
ab0770a
added interface for params and secrets extension configuration option…
colifran May 19, 2023
dc5a38f
created initial getter for params and secrets extension lambda arn
colifran May 19, 2023
36d4bb8
added some initial logic to create params and secrets layer and to ad…
colifran May 19, 2023
93553ff
moved params and secrets extension lambda arn table to region-build d…
colifran May 19, 2023
bba4e63
added readonly keyword to ParametersAndSecretsExtensionConfig interfa…
colifran May 20, 2023
a721460
refactored code and added a params-and-secrets-layers file - separati…
colifran May 20, 2023
d4ac1c5
initial implementation for _bind and some initial logic for configure…
colifran May 20, 2023
762b2d3
refactor
colifran May 21, 2023
d705559
created initial params and secrets fact table and added code for regi…
colifran May 21, 2023
a08b55b
registered params and secrets fact
colifran May 21, 2023
f8a22f1
completed registering fact and created getVersionArn logic
colifran May 21, 2023
7014351
made fromArchitecture static method and made lambda layer arn select…
colifran May 21, 2023
a688ef4
added permissions to configure params and secrets method
colifran May 21, 2023
9614604
small refactoring and added all arns to fact table
colifran May 21, 2023
2def06d
removed test and added attribute to abstract class
colifran May 22, 2023
f8e6f34
wip - unit tests
colifran May 22, 2023
a13cf75
wip
colifran May 22, 2023
2361ff0
updated naming and added unit tests
colifran May 22, 2023
ab603de
corrected unit test and added more description to getVersionArn error…
colifran May 22, 2023
07c4d7d
docstrings and unit test logic
colifran May 22, 2023
9fb3e49
added an options property to allow users to configure environment var…
colifran May 23, 2023
9759a41
refactor
colifran May 24, 2023
3e56c45
wip
colifran May 24, 2023
c86d406
unit tests
colifran May 24, 2023
581a737
added validation for configuration options, added unit tests, updated…
colifran May 24, 2023
f15ba2d
unit tests for bad configuration options
colifran May 24, 2023
06ab452
unit test for arm64 in unsupported region
colifran May 24, 2023
c09bbd4
unit test for kms:Decrypt in execution role
colifran May 24, 2023
a8c4b3c
unit test for multiple secrets
colifran May 24, 2023
8ae5edf
added some comments
colifran May 24, 2023
d128ab4
wip
colifran May 24, 2023
2b273a8
removed unneeded dependency
colifran May 24, 2023
6e869ad
naming convention
colifran May 25, 2023
2cbb115
Merge branch 'main' into colifran/params-and-secrets-lambda-extension
colifran May 26, 2023
79ed504
Merge branch 'main' into colifran/params-and-secrets-lambda-extension
colifran May 30, 2023
f8fa77c
updated granting of permissions in function to just use grantRead, ma…
colifran May 26, 2023
2745e69
unit tests for fromVersion testing
colifran May 26, 2023
2e4a2af
unit tests for secrets with and without encryption key
colifran May 26, 2023
005d6fd
added unit tests for parameters
colifran May 30, 2023
dd12ce5
unit tests for configuration options
colifran May 30, 2023
4dfb29e
added README section for parameters and secrets extension
colifran May 30, 2023
c16d2d8
updated readme
colifran May 30, 2023
f93ed5b
created integ test for params and secrets
colifran May 30, 2023
9cd452e
integ tests and snapshots
colifran May 30, 2023
8b0f1ff
Merge branch 'main' into colifran/params-and-secrets-lambda-extension
colifran Jun 1, 2023
22cab5d
updated version to correctly use 1.0.103
colifran Jun 1, 2023
c9275e1
updated integ test and snapshots for extension version 1.0.103
colifran Jun 1, 2023
5e1a67c
Merge branch 'main' into colifran/params-and-secrets-lambda-extension
mergify[bot] Jun 8, 2023
19f9cbb
empty commit to re-run integ tests
colifran Jun 8, 2023
@@ -0,0 +1,19 @@
{
"version": "32.0.0",
"files": {
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
"source": {
"path": "IntegTestDefaultTestDeployAssertE3E7D2A4.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
@@ -0,0 +1,36 @@
{
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
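Review bot: No `Resources` section appears in this template, only `Parameters` and the `CheckBootstrapVersion` rule, so if this is the DeployAssert template named in the asset manifest, the integ test asserts nothing beyond a successful deployment. Consider adding an assertion that invokes the function and checks that it reads the parameter and the secret through the extension, so that a wrong layer ARN or a missing permission fails the test instead of surfacing at runtime.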
@@ -0,0 +1,32 @@
{
"version": "32.0.0",
"files": {
"b375dfd7699947c404936c2d1c4a0b91bd2bb49158ce52f6064bda6d3a7e0ead": {
"source": {
"path": "asset.b375dfd7699947c404936c2d1c4a0b91bd2bb49158ce52f6064bda6d3a7e0ead",
"packaging": "zip"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "b375dfd7699947c404936c2d1c4a0b91bd2bb49158ce52f6064bda6d3a7e0ead.zip",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
},
"64fb6d6ac3e1f7cda4cb6336b78f1be8f0e1f6c6323b232c8e04430a803085a2": {
"source": {
"path": "Stack1.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "64fb6d6ac3e1f7cda4cb6336b78f1be8f0e1f6c6323b232c8e04430a803085a2.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
@@ -0,0 +1,287 @@
{
"Resources": {
"Parameter9E1B4FBA": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Type": "String",
"Value": "api.example.com",
"Name": "email_url_Stack1"
}
},
"MySecret8FE80B51": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"GenerateSecretString": {}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"MyFuncServiceRole54065130": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
}
},
"MyFuncServiceRoleDefaultPolicyF3C36699": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": {
"Ref": "MySecret8FE80B51"
}
},
{
"Action": [
"ssm:DescribeParameters",
"ssm:GetParameter",
"ssm:GetParameterHistory",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":parameter/",
{
"Ref": "Parameter9E1B4FBA"
}
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyFuncServiceRoleDefaultPolicyF3C36699",
"Roles": [
{
"Ref": "MyFuncServiceRole54065130"
}
]
}
},
"MyFunc8A243A2C": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "b375dfd7699947c404936c2d1c4a0b91bd2bb49158ce52f6064bda6d3a7e0ead.zip"
},
"Role": {
"Fn::GetAtt": [
"MyFuncServiceRole54065130",
"Arn"
]
},
"Architectures": [
"x86_64"
],
"Environment": {
"Variables": {
"PARAMETERS_AND_SECRETS_EXTENSION_CACHE_ENABLED": "true",
"PARAMETERS_AND_SECRETS_EXTENSION_CACHE_SIZE": "100",
"PARAMETERS_AND_SECRETS_EXTENSION_HTTP_PORT": "2773",
"PARAMETERS_AND_SECRETS_EXTENSION_LOG_LEVEL": "info",
"PARAMETERS_AND_SECRETS_EXTENSION_MAX_CONNECTIONS": "3",
"SECRETS_MANAGER_TIMEOUT_MILLIS": "0",
"SECRETS_MANAGER_TTL": "100",
"SSM_PARAMETER_STORE_TIMEOUT_MILLIS": "0",
"SSM_PARAMETER_STORE_TTL": "100"
}
},
"Handler": "index.handler",
"Layers": [
{
"Fn::FindInMap": [
"ParamsandsecretslayerMap",
{
"Ref": "AWS::Region"
},
"1x0x103xx86x64"
]
}
],
"Runtime": "nodejs18.x"
},
"DependsOn": [
"MyFuncServiceRoleDefaultPolicyF3C36699",
"MyFuncServiceRole54065130"
]
}
},
"Mappings": {
"ParamsandsecretslayerMap": {
"af-south-1": {
"1x0x103xx86x64": "arn:aws:lambda:af-south-1:317013901791:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-east-1": {
"1x0x103xx86x64": "arn:aws:lambda:ap-east-1:768336418462:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-northeast-1": {
"1x0x103xx86x64": "arn:aws:lambda:ap-northeast-1:133490724326:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-northeast-2": {
"1x0x103xx86x64": "arn:aws:lambda:ap-northeast-2:738900069198:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-northeast-3": {
"1x0x103xx86x64": "arn:aws:lambda:ap-northeast-3:576959938190:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-south-1": {
"1x0x103xx86x64": "arn:aws:lambda:ap-south-1:176022468876:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-south-2": {
"1x0x103xx86x64": "arn:aws:lambda:ap-south-2:070087711984:layer:AWS-Parameters-and-Secrets-Lambda-Extension:1"
},
"ap-southeast-1": {
"1x0x103xx86x64": "arn:aws:lambda:ap-southeast-1:044395824272:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-southeast-2": {
"1x0x103xx86x64": "arn:aws:lambda:ap-southeast-2:665172237481:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ap-southeast-3": {
"1x0x103xx86x64": "arn:aws:lambda:ap-southeast-3:490737872127:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"ca-central-1": {
"1x0x103xx86x64": "arn:aws:lambda:ca-central-1:200266452380:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"cn-north-1": {
"1x0x103xx86x64": "arn:aws-cn:lambda:cn-north-1:287114880934:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"cn-northwest-1": {
"1x0x103xx86x64": "arn:aws-cn:lambda:cn-northwest-1:287310001119:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-central-1": {
"1x0x103xx86x64": "arn:aws:lambda:eu-central-1:187925254637:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-central-2": {
"1x0x103xx86x64": "arn:aws:lambda:eu-central-2:772501565639:layer:AWS-Parameters-and-Secrets-Lambda-Extension:1"
},
"eu-north-1": {
"1x0x103xx86x64": "arn:aws:lambda:eu-north-1:427196147048:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-south-1": {
"1x0x103xx86x64": "arn:aws:lambda:eu-south-1:325218067255:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-south-2": {
"1x0x103xx86x64": "arn:aws:lambda:eu-south-2:524103009944:layer:AWS-Parameters-and-Secrets-Lambda-Extension:1"
},
"eu-west-1": {
"1x0x103xx86x64": "arn:aws:lambda:eu-west-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-west-2": {
"1x0x103xx86x64": "arn:aws:lambda:eu-west-2:133256977650:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"eu-west-3": {
"1x0x103xx86x64": "arn:aws:lambda:eu-west-3:780235371811:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"me-central-1": {
"1x0x103xx86x64": "arn:aws:lambda:me-central-1:858974508948:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"me-south-1": {
"1x0x103xx86x64": "arn:aws:lambda:me-south-1:832021897121:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"sa-east-1": {
"1x0x103xx86x64": "arn:aws:lambda:sa-east-1:933737806257:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-east-1": {
"1x0x103xx86x64": "arn:aws:lambda:us-east-1:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-east-2": {
"1x0x103xx86x64": "arn:aws:lambda:us-east-2:590474943231:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-gov-east-1": {
"1x0x103xx86x64": "arn:aws-us-gov:lambda:us-gov-east-1:129776340158:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-gov-west-1": {
"1x0x103xx86x64": "arn:aws-us-gov:lambda:us-gov-west-1:127562683043:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-west-1": {
"1x0x103xx86x64": "arn:aws:lambda:us-west-1:997803712105:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
},
"us-west-2": {
"1x0x103xx86x64": "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4"
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
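Review bot: In `MyFuncServiceRoleDefaultPolicyF3C36699`, the SSM statement grants `ssm:DescribeParameters`, `ssm:GetParameterHistory` and `ssm:GetParameters` alongside `ssm:GetParameter`, which looks broader than reading one parameter through the extension requires; if the extension only calls `GetParameter`, scope the grant to that action rather than reusing the full read grant. Two smaller points on the same template: in `ParamsandsecretslayerMap`, `ap-south-2`, `eu-central-2` and `eu-south-2` point at layer version `:1` under the same `1x0x103xx86x64` key where every other region uses `:4`, so please confirm those ARNs really are extension 1.0.103; and `MySecret8FE80B51` has no KMS key while `Architectures` is only `x86_64`, so the deployed test exercises neither a `kms:Decrypt` grant nor the arm64 layer.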