Sanitize ssm paths (#874)

Author: edwardfoyle

.changeset/chatty-balloons-sing.md

@@ -0,0 +1,9 @@
+---
+'@aws-amplify/platform-core': minor
+---
+
+Sanitize invalid characters when constructing SSM parameter paths.
+Uses the same convention that is used for sanitizing stack names.
+
+**NOTE:** Any secrets created before this change will no longer be found.
+Recreate sandbox secrets using `npx amplify sandbox secret set` and recreate branch secrets in the Amplify console.

.changeset/early-maps-live.md

@@ -0,0 +1,7 @@
+---
+'@aws-amplify/backend-function': minor
+'@aws-amplify/backend-secret': minor
+'@aws-amplify/backend': minor
+---
+
+Consume parameter resolution changes from @aws-amplify/platform-core

packages/backend-function/src/factory.test.ts

@@ -280,7 +280,8 @@ void describe('AmplifyFunctionFactory', () => {
             TEST_VAR: 'testValue',
             TEST_SECRET: '<value will be resolved during runtime>',
             AMPLIFY_SECRET_PATHS: JSON.stringify({
-              TEST_SECRET: '/amplify/testBackendId/testBranchName/secretValue',
+              TEST_SECRET:
+                '/amplify/testBackendId/testBranchName-branch-e482a1c36f/secretValue',
             }),
           },
         },

packages/backend-secret/src/ssm_secret.test.ts

@@ -19,7 +19,7 @@ const testSecretName = 'testSecretName';
 const testSecretValue = 'testSecretValue';
 const testSecretLastUpdated = new Date(1234567);
 const testSecretVersion = 20;
-const testBranchPath = `/amplify/${testBackendId}/${testBranchName}`;
+const testBranchPath = `/amplify/${testBackendId}/${testBranchName}-branch-e482a1c36f`;
 const testSharedPath = `/amplify/${shared}/${testBackendId}`;
 const testBranchSecretFullNamePath = `${testBranchPath}/${testSecretName}`;
 const testSharedSecretFullNamePath = `${testSharedPath}/${testSecretName}`;

packages/backend/src/engine/backend-secret/backend_secret_fetcher_factory.ts

@@ -58,6 +58,7 @@ export class BackendSecretFetcherFactory {
     const customResourceProps: SecretResourceProps = {
       namespace: backendIdentifier.namespace,
       name: backendIdentifier.name,
+      type: backendIdentifier.type,
       secretName: secretName,
     };
 

packages/backend/src/engine/backend-secret/backend_secret_fetcher_provider_factory.ts

@@ -7,6 +7,7 @@ import { Runtime as LambdaRuntime } from 'aws-cdk-lib/aws-lambda';
 import { Provider } from 'aws-cdk-lib/custom-resources';
 import { fileURLToPath } from 'url';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
+import { ParameterPathConversions } from '@aws-amplify/platform-core';
 
 const filename = fileURLToPath(import.meta.url);
 const dirname = path.dirname(filename);
@@ -41,13 +42,19 @@ export class BackendSecretFetcherProviderFactory {
       handler: 'handler',
     });
 
+    const backendParameterPrefix =
+      ParameterPathConversions.toParameterPrefix(backendIdentifier);
+    const sharedParameterPrefix = ParameterPathConversions.toParameterPrefix(
+      backendIdentifier.namespace
+    );
+
     secretLambda.grantPrincipal.addToPrincipalPolicy(
       new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: ['ssm:GetParameter'],
         resources: [
-          `arn:aws:ssm:*:*:parameter/amplify/${backendIdentifier.namespace}/${backendIdentifier.name}/*`,
-          `arn:aws:ssm:*:*:parameter/amplify/shared/${backendIdentifier.namespace}/*`,
+          `arn:aws:ssm:*:*:parameter${backendParameterPrefix}/*`,
+          `arn:aws:ssm:*:*:parameter${sharedParameterPrefix}/*`,
         ],
       })
     );

packages/backend/src/engine/backend-secret/lambda/backend_secret_fetcher.test.ts

@@ -42,8 +42,7 @@ const customResourceEventCommon = {
   PhysicalResourceId: 'physicalId',
   ResourceType: 'AWS::CloudFormation::CustomResource',
   ResourceProperties: {
-    namespace: testBackendId,
-    name: testBranchName,
+    ...testBackendIdentifier,
     secretName: testSecretName,
     ServiceToken: 'token',
   },

packages/backend/src/engine/backend-secret/lambda/backend_secret_fetcher.ts

@@ -56,7 +56,7 @@ export const handleCreateUpdateEvent = async (
       {
         namespace: props.namespace,
         name: props.name,
-        type: 'branch',
+        type: props.type,
       },
       {
         name: props.secretName,
@@ -74,7 +74,7 @@ export const handleCreateUpdateEvent = async (
     }
   }
 
-  // if the secret is not available in branch path, retrieve it at app-level.
+  // if the secret is not available in branch path, try retrieving it at the app-level.
   if (!secret) {
     try {
       const resp = await secretClient.getSecret(props.namespace, {

packages/backend/src/engine/backend-secret/lambda/backend_secret_fetcher_types.ts

@@ -1,5 +1,5 @@
-export type SecretResourceProps = {
-  namespace: string;
-  name: string;
+import { BackendIdentifier } from '@aws-amplify/plugin-types';
+
+export type SecretResourceProps = Omit<BackendIdentifier, 'hash'> & {
   secretName: string;
 };

packages/platform-core/src/backend_identifier_conversions.test.ts

@@ -4,7 +4,7 @@ import assert from 'node:assert';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
 
 void describe('toStackName', () => {
-  void it('removes non-alphanumeric chars from namespace and instance', () => {
+  void it('removes non-alphanumeric chars from namespace and name', () => {
     const actual = BackendIdentifierConversions.toStackName({
       namespace: 't-_e.s,@ t--T@,,  !@#$%^&*(){}:":<>?/|\\[]   H/I. .S',
       name: 't-_h.i,@ ng1-&&%2@@3-   _',