Move UIN hash pepper to SSM instead of secret (#449)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Application now retrieves configuration from AWS SSM Parameter Store
alongside Secrets Manager.

* **Tools**
* Added a CLI utility to create/update secure SSM parameters across
multiple regions.

* **Documentation**
  * New guide for creating and managing SSM parameters across regions.

* **Chores**
* Updated AWS SDK dependencies to v3.922.0 and updated runtime
permissions to allow SSM parameter access.

* **Tests**
  * Test setup updated to mock SSM Parameter Store retrievals.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: devksingh4

src/api/index.ts

@@ -62,6 +62,8 @@ import { docsHtml, securitySchemes } from "./docs.js";
 import syncIdentityPlugin from "./routes/syncIdentity.js";
 import { createRedisModule } from "./redis.js";
 import userRoute from "./routes/user.js";
+import { getSsmParameter } from "./utils.js";
+import { SSMClient } from "@aws-sdk/client-ssm";
 /** END ROUTES */
 
 export const instanceId = randomUUID();
@@ -306,7 +308,25 @@ Otherwise, email [infra@acm.illinois.edu](mailto:infra@acm.illinois.edu) for sup
           getSecretValue(app.secretsManagerClient, secretName),
         ),
       );
-      app.secretConfig = allSecrets.reduce(
+      app.log.debug(
+        `Getting secure parameters (SSM): ${JSON.stringify(app.environmentConfig.ConfigurationParameterIds)}.`,
+      );
+      const ssmClient = new SSMClient({ region: genericConfig.AwsRegion });
+      const allParameters = await Promise.all(
+        app.environmentConfig.ConfigurationParameterIds.map(
+          async (parameterName) => {
+            const val = await getSsmParameter({
+              parameterName,
+              logger: app.log,
+              ssmClient,
+            });
+            const key = parameterName.split("/").at(-1) || parameterName;
+            return { [key]: val };
+          },
+        ),
+      );
+      const allConfig = [...allSecrets, ...allParameters];
+      app.secretConfig = allConfig.reduce(
         (acc, currentSecret) => ({ ...acc, ...currentSecret }),
         {},
       ) as SecretConfig;

src/api/package.json

@@ -15,14 +15,15 @@
     "prettier:write": "prettier --write *.ts **/*.ts"
   },
   "dependencies": {
-    "@aws-sdk/s3-request-presigner": "^3.914.0",
-    "@aws-sdk/client-s3": "^3.914.0",
+    "@aws-sdk/s3-request-presigner": "^3.922.0",
+    "@aws-sdk/client-s3": "^3.922.0",
     "@aws-sdk/client-dynamodb": "^3.922.0",
     "@aws-sdk/client-lambda": "^3.922.0",
     "@aws-sdk/client-secrets-manager": "^3.922.0",
     "@aws-sdk/client-ses": "^3.922.0",
     "@aws-sdk/client-sqs": "^3.922.0",
     "@aws-sdk/client-sts": "^3.922.0",
+    "@aws-sdk/client-ssm": "^3.922.0",
     "@aws-sdk/signature-v4-crt": "^3.922.0",
     "@aws-sdk/util-dynamodb": "^3.922.0",
     "@azure/msal-node": "^3.8.1",

src/api/utils.ts

@@ -1,6 +1,7 @@
-import { FastifyBaseLogger } from "fastify";
-import pino from "pino";
+import { InternalServerError } from "common/errors/index.js";
 import { ValidLoggers } from "./types.js";
+import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm";
+import { genericConfig } from "common/config.js";
 
 const MAX_RETRIES = 3;
 
@@ -43,4 +44,42 @@ export async function retryDynamoTransactionWithBackoff<T>(
   throw lastError;
 }
 
+type GetSsmParameterInputs = {
+  parameterName: string;
+  logger: ValidLoggers;
+  ssmClient?: SSMClient | undefined;
+};
+
+export const getSsmParameter = async ({
+  parameterName,
+  logger,
+  ssmClient,
+}: GetSsmParameterInputs) => {
+  const client =
+    ssmClient || new SSMClient({ region: genericConfig.AwsRegion });
+
+  const params = {
+    Name: parameterName,
+    WithDecryption: true,
+  };
+
+  const command = new GetParameterCommand(params);
+
+  try {
+    const data = await client.send(command);
+    if (!data.Parameter || !data.Parameter.Value) {
+      logger.error(`Parameter ${parameterName} not found`);
+      throw new InternalServerError({ message: "Parameter not found" });
+    }
+    return data.Parameter.Value;
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    logger.error(
+      `Error retrieving parameter ${parameterName}: ${errorMessage}`,
+      error,
+    );
+    throw new InternalServerError({ message: "Failed to retrieve parameter" });
+  }
+};
+
 export const isProd = process.env.RunEnvironment === "prod";

src/common/config.ts

@@ -26,6 +26,7 @@ export type ConfigType = {
   PaidMemberPriceId: string;
   AadValidReadOnlyClientId: string;
   ConfigurationSecretIds: string[];
+  ConfigurationParameterIds: string[];
   DiscordGuildId: string;
   GroupSuffix: string;
   GroupEmailSuffix: string;
@@ -60,7 +61,6 @@ export type GenericConfigType = {
   AuditLogTable: string;
   ApiKeyTable: string;
   ConfigSecretName: string;
-  UinHashingSecret: string;
   UinExtendedAttributeName: string;
   UserInfoTable: string;
   SigInfoTableName: string;
@@ -105,7 +105,6 @@ const genericConfig: GenericConfigType = {
   AuditLogTable: "infra-core-api-audit-log",
   ApiKeyTable: "infra-core-api-keys",
   ConfigSecretName: "infra-core-api-config",
-  UinHashingSecret: "infra-core-api-uin-pepper",
   UinExtendedAttributeName: "extension_a70c2e1556954056a6a8edfb1f42f556_uiucEduUIN",
   UserInfoTable: "infra-core-api-user-info",
   SigInfoTableName: "infra-core-api-sigs",
@@ -125,7 +124,8 @@ const environmentConfig: EnvironmentConfigType = {
       /^https?:\/\/([a-zA-Z0-9-]+\.)*acmuiuc\.workers\.dev$/,
       /http:\/\/localhost:\d+$/,
     ],
-    ConfigurationSecretIds: [genericConfig.ConfigSecretName, genericConfig.UinHashingSecret],
+    ConfigurationSecretIds: [genericConfig.ConfigSecretName],
+    ConfigurationParameterIds: ['/infra-core-api/UIN_HASHING_SECRET_PEPPER'],
     AadValidClientId: "39c28870-94e4-47ee-b4fb-affe0bf96c9f",
     LinkryBaseUrl: "https://core.aws.qa.acmuiuc.org",
     PasskitIdentifier: "pass.org.acmuiuc.qa.membership",
@@ -149,7 +149,9 @@ const environmentConfig: EnvironmentConfigType = {
   prod: {
     UserFacingUrl: "https://core.acm.illinois.edu",
     AzureRoleMapping: { AutonomousWriters: [AppRoles.EVENTS_MANAGER] },
-    ConfigurationSecretIds: [genericConfig.ConfigSecretName, genericConfig.UinHashingSecret],
+    // TODO: once SSM permission obtained in Prod, also move pepper to SSM
+    ConfigurationSecretIds: [genericConfig.ConfigSecretName, 'infra-core-api-uin-pepper'],
+    ConfigurationParameterIds: [],
     ValidCorsOrigins: [
       /^https:\/\/(?:.*\.)?acmuiuc-academic-web\.pages\.dev$/,
       /^https:\/\/(?:.*\.)?acmuiuc-digital-signage\.pages\.dev$/,

terraform/modules/lambdas/main.tf

@@ -190,6 +190,22 @@ resource "aws_iam_policy" "shared_iam_policy" {
         Effect   = "Allow",
         Resource = ["${aws_cloudwatch_log_group.api_logs.arn}:*"]
       },
+      {
+        Action   = ["kms:Decrypt"],
+        Effect   = "Allow",
+        Resource = ["arn:aws:kms:${var.region}:${data.aws_caller_identity.current.account_id}:alias/aws/ssm"]
+      },
+      {
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:GetParametersByPath"
+        ],
+        Resource = [
+          "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/infra-core-api/*"
+        ],
+        Effect = "Allow"
+      },
       {
         Action = ["secretsmanager:GetSecretValue"],
         Effect = "Allow",

tests/unit/secret.testdata.ts

@@ -18,10 +18,6 @@ const secretObject = {
 
 const secretJson = JSON.stringify(secretObject);
 
-const uinSecretJson = JSON.stringify({
-  UIN_HASHING_SECRET_PEPPER: "dc1f1a24-fce5-480b-a342-e7bd34d8f8c5",
-});
-
 const jwtPayload = {
   aud: "custom_jwt",
   iss: "custom_jwt",
@@ -74,10 +70,4 @@ const jwtPayloadNoGroups = {
   ver: "1.0",
 };
 
-export {
-  secretJson,
-  secretObject,
-  jwtPayload,
-  jwtPayloadNoGroups,
-  uinSecretJson,
-};
+export { secretJson, secretObject, jwtPayload, jwtPayloadNoGroups };

tests/unit/vitest.setup.ts

@@ -8,14 +8,17 @@ import {
 import { mockClient } from "aws-sdk-client-mock";
 import { marshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "../../src/common/config.js";
-import { secretJson, uinSecretJson } from "./secret.testdata.js";
+import { secretJson } from "./secret.testdata.js";
 import {
   UnauthenticatedError,
   ValidationError,
 } from "../../src/common/errors/index.js";
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 
 const ddbMock = mockClient(DynamoDBClient);
 const smMock = mockClient(SecretsManagerClient);
+const ssmMock = mockClient(SSMClient);
+
 vi.mock(
   import("../../src/api/functions/rateLimit.js"),
   async (importOriginal) => {
@@ -180,12 +183,21 @@ smMock.on(GetSecretValueCommand).callsFake((command) => {
   if (command.SecretId == genericConfig.ConfigSecretName) {
     return Promise.resolve({ SecretString: secretJson });
   }
-  if (command.SecretId == genericConfig.UinHashingSecret) {
-    return Promise.resolve({ SecretString: uinSecretJson });
-  }
   return Promise.reject(new Error(`Secret ID ${command.SecretID} not mocked`));
 });
 
+ssmMock.on(GetParameterCommand).callsFake((command) => {
+  const ssmParameters: Record<string, string> = {
+    "/infra-core-api/UIN_HASHING_SECRET_PEPPER":
+      "dc1f1a24-fce5-480b-a342-e7bd34d8f8c5",
+  };
+  const value = ssmParameters[command.Name];
+  if (value) {
+    return Promise.resolve({ Parameter: { Value: value } });
+  }
+  return Promise.reject(new Error(`Parameter ${command.Name} not mocked`));
+});
+
 vi.mock("ioredis", () => import("ioredis-mock"));
 
 let mockCacheStore = new Map();

utils/README.md

@@ -0,0 +1,7 @@
+# Utils
+
+Random useful scripts
+
+## Create Multiregion Parameter
+
+Create the same AWS SSM ParameterStore Secure string in all regions we need.

utils/setSsmParameter.py

@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+"""
+SSM Parameter Store Multi-Region Tool
+
+Creates or updates a SecureString parameter across multiple AWS regions.
+"""
+
+import boto3
+from botocore.exceptions import ClientError, NoCredentialsError
+import argparse
+import sys
+import getpass
+from concurrent.futures import ThreadPoolExecutor, as_completed
+
+REGIONS = [
+    "us-east-2",
+    "us-west-2",
+]
+
+
+def put_parameter_in_region(region: str, name: str, value: str) -> dict:
+    """Create or update an SSM SecureString parameter in a specific region."""
+    try:
+        ssm = boto3.client("ssm", region_name=region)
+
+        response = ssm.put_parameter(
+            Name=name,
+            Value=value,
+            Type="SecureString",
+            Overwrite=True,
+        )
+
+        return {
+            "region": region,
+            "success": True,
+            "version": response.get("Version"),
+        }
+
+    except ClientError as e:
+        return {
+            "region": region,
+            "success": False,
+            "error": e.response["Error"]["Message"],
+        }
+    except NoCredentialsError:
+        return {
+            "region": region,
+            "success": False,
+            "error": "AWS credentials not configured",
+        }
+    except Exception as e:
+        return {
+            "region": region,
+            "success": False,
+            "error": str(e),
+        }
+
+
+def put_parameter_multi_region(name: str, value: str, regions: list[str] = None) -> list[dict]:
+    """Create or update an SSM SecureString parameter across multiple regions."""
+    target_regions = regions or REGIONS
+    results = []
+
+    with ThreadPoolExecutor(max_workers=len(target_regions)) as executor:
+        futures = {
+            executor.submit(put_parameter_in_region, region, name, value): region
+            for region in target_regions
+        }
+
+        for future in as_completed(futures):
+            results.append(future.result())
+
+    return sorted(results, key=lambda x: x["region"])
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Create or update SSM SecureString parameter in multiple regions"
+    )
+    parser.add_argument("name", help="Parameter name (e.g., /app/database/password)")
+    parser.add_argument(
+        "--regions",
+        nargs="+",
+        help=f"Override default regions (default: {', '.join(REGIONS)})",
+    )
+
+    args = parser.parse_args()
+
+    # Prompt for value securely (not shown in terminal or bash history)
+    value = getpass.getpass("Enter parameter value: ")
+
+    if not value:
+        print("Error: Parameter value cannot be empty")
+        sys.exit(1)
+
+    target_regions = args.regions or REGIONS
+    print(f"\nSetting parameter '{args.name}' in {len(target_regions)} region(s)...\n")
+
+    results = put_parameter_multi_region(args.name, value, target_regions)
+
+    successes = 0
+    failures = 0
+
+    for result in results:
+        if result["success"]:
+            successes += 1
+            print(f"  ✓ {result['region']}: version {result['version']}")
+        else:
+            failures += 1
+            print(f"  ✗ {result['region']}: {result['error']}")
+
+    print(f"\nComplete: {successes} succeeded, {failures} failed")
+
+    sys.exit(0 if failures == 0 else 1)
+
+
+if __name__ == "__main__":
+    main()